Two developments in the past week will likely have a significant impact on businesses subject to the California Consumer Privacy Act (“CCPA”): the long-awaited CCPA regulations have been finalized and put into immediate effect with modifications, while at the same time it seems increasingly likely that the exemptions for employees’ and business-to-business contacts’ data will be extended beyond January 2021.

CCPA Regulations Approved With Modifications, Effective Immediately

On Friday, the California Office of Administrative Law formally approved the California Attorney General’s (“AG”) CCPA regulations.  The regulations go into effect immediately and appear largely similar to the version submitted by the AG in June after an extensive rulemaking process.  However, in addition to a number of minor grammatical and stylistic edits, there are a few noteworthy changes in the final regulations:

  • Deleted sections: Five provisions were deleted from the final text, although the AG has the ability to revise and resubmit these for approval in the future:
    • Section 999.305(a)(5) would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose. Although that provision has been removed from the final regulations, Federal Trade Commission guidance still recommends that businesses obtain consent for material retroactive changes.
    • Section 999.306(b)(2) would have required businesses substantially interacting with consumers offline to provide notice of the right to opt-out via an offline method.
    • Section 999.315(c) stated that businesses needed methods for submitting opt-out requests that were “easy for consumers to execute and . . . require minimal steps to allow the consumer to opt-out”; it also prohibited businesses from utilizing any “method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.”
    • Section 999.326(c) would have permitted businesses to deny a request from an authorized agent if that agent did not “submit proof that they have been authorized by the consumer.” Although that provision has been struck, § 999.315(f) still states that: “A business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”  Emphasis added.
    • The entire final article on “Severability” was removed from the regulations. The addendum to the Final Statement of Reasons (“FSOR”) explains that the section was unnecessary.
  • Financial incentives: The rules relating to financial incentives have been a source of confusion and debate throughout the rulemaking process. There are two noteworthy changes in the final regulations:
    • In the definition of “financial incentive” in § 999.301(j), the word “retention” was changed back to “deletion,” which the addendum to the FSOR states is to “align with the express words of the statute.” This particular edit was contested during the rulemaking process:  the original draft regulations used the word “deletion,” which the AG replaced with “retention” in subsequent drafts, before now reverting back to deletion.
    • In the section describing notice of financial incentives, § 999.307(a)(1), the phrase “related to the collection, retention, or sale of personal information,” which previously modified “financial incentive or price or service difference” was deleted from the last sentence. It now reads: “A business that does not offer a financial incentive or price or service difference is not required to provide a notice of financial incentive.”
  • “Do Not Sell My Personal Information”: The regulations no longer permit businesses to comply with the opt-out requirement by including a link that states more informally: “Do Not Sell My Info.”

Status of Employee and Business-to-Business Exemptions

As the AG’s regulations go into effect, it appears increasingly likely that the existing time-limited exemptions in the CCPA may be further extended.  The statutory exemptions for employees and certain data collected in the context of business-to-business transactions and communications are currently set to expire on January 1, 2021.  However, the California Privacy Rights Act (“CPRA”)—which will appear on the California ballot in November and would significantly reshape the CCPA’s requirements—automatically extends those exemptions until January 1, 2023.  The purpose of the extension is to provide businesses and lawmakers with much-needed additional time to consider whether a separate law is required to address these types of personal information.  But while the ballot initiative’s fate remains undecided, the California legislature is moving an additional contingency plan along: AB 1281, which would extend the employee and business-to-business exemptions until January 1, 2022, in the event that the ballot initiative fails.  (If the ballot initiative passes, the CPRA’s longer extension until 2023 would supersede AB 1281.)

On Thursday, the Senate Judiciary Committee considered and approved AB 1281.  The bill is expected to be referred to appropriations for a final fiscal committee vote before going to the Senate floor.  Because the committee report identifies a long list of supporters for the bill and no opposition, it seems likely to pass before the legislative session ends on August 31.  Its passage would provide additional comfort for businesses while they await the outcome of the ballot initiative.

Print:
EmailTweetLikeLinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.

Photo of Yaron Dori Yaron Dori

Yaron Dori has over 20 years of experience in telecommunications, privacy, and consumer protection law, advising telecom, technology, life sciences, media and other types of companies on their most pressing business challenges. He is a former chair of the Communications and Media practice…

Yaron Dori has over 20 years of experience in telecommunications, privacy, and consumer protection law, advising telecom, technology, life sciences, media and other types of companies on their most pressing business challenges. He is a former chair of the Communications and Media practice group and currently serves as a member of the firm’s eight-person Management Committee.

Yaron’s practice focuses on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

He represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC)—and the U.S. Congress in connection with a range of policy issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications and data privacy regulation. His unique experience in telecommunications, privacy, and consumer protection enables him to advise clients on key business issues in which these areas intersect.

With respect to telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

  • Broadband deployment and regulation;
  • IP-enabled applications, services and content;
  • Equipment and device authorization procedures;
  • The Communications Assistance for Law Enforcement Act (CALEA);
  • Customer Proprietary Network Information (CPNI) requirements;
  • The Cable Privacy Act
  • Net Neutrality; and
  • Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

  • The California Consumer Privacy Act (CCPA);
  • The Electronic Communications Privacy Act (ECPA);
  • Location-based services that use WiFi, beacons or similar technologies;
  • Online Behavioral Advertising;
  • Online advertising practices, including native advertising and endorsements and testimonials; and
  • The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on FCC (Enforcement Bureau), FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.