Final Proposed CCPA Regulations Submitted to California’s Office of Administrative Law, But the California Privacy Landscape Remains Clear as Mud

04 June 2020 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Steven M. Millendorf

California Attorney General Xavier Becerra submitted the final proposed regulations (the “Regulations”) under the California Consumer Privacy Act of 2018 (“CCPA”) to the California Office of Administrative Law (“OAL”) on June 1, 2020. The Regulations were submitted on the last day that would normally be permitted under California law without reliance on other procedural measures that would have provided even less time for businesses subject to the CCPA to comply with the Regulations. Normally the OAL has 30 days to review any proposed regulations and, if approved, submit them to the California Secretary of State. However, Governor Newsom’s Executive Order N-40-20 would extend this time as a result of the COVID-19 pandemic. For the Regulations to be adopted prior to the July 1, 2020 enforcement date (which Attorney General Becerra has previously indicated will not be delayed), Attorney General Becerra also requested that the OAL expedite and complete its review within 30 business days given CCPA’s statutory mandate for the regulations. Attorney General Becerra also requested that the Regulations become effective immediately upon the filing of the approved Regulations with the Secretary of State so they will be immediately enforceable.

The Regulations are identical to the second set of modifications to the regulations proposed on March 11 and still fall short of addressing some of the more burning questions facing businesses seeking to comply with the CCPA, such as clearer guidance as to what disclosure of personal information will constitute a sale, and which disclosures are not “for monetary or other valuable consideration.” Without such clarification, businesses are faced with the choice of performing their own good-faith analysis or expending valuable resources in amending contracts with service providers to include contractual provisions that limit the service providers’ use of the personal information and exclude it from the broad definition of a sale under the CCPA.

Businesses subject to the CCPA are also still faced with the looming expiration of two key exceptions to the CCPA. In particular, the so-called “employee information” and “business to business” exceptions are still set to expire on January 1, 2021, and no bill has been proposed to extend these dates. Businesses that rely on these exceptions may want to consider whether to begin drafting additional policies and procedures to comply with the requirements of CCPA for this type of information. 

The employee information exception excludes personal information collected from natural persons acting as job applicants to, employees of, owners of, directors of, officers of, medical staff members of, or contractors (collectively, “Employees”) of the business so long as the business uses the personal information collected within the context of that individual’s current or former role. It also excludes personal information about third parties collected from Employees that is emergency contact information or used to administer benefits for the Employee. Under the employee information exception, businesses are only required to provide Employees with a shortened privacy notice that discloses the categories of personal information collected and what it is collected for, and are not required to provide Employees with most of the other rights provided to consumers under the CCPA, such as the right to access their personal information, to have their information deleted, and to opt out of the sale of their personal information. The temporary exception only preserves the Employees’ private right of action in the event there is a data breach involving their personal information as a result of a failure to implement and maintain reasonable security procedures and practices. In the absence of any further legislation, businesses will need to prepare to provide a complete CCPA-compliant privacy notice to Employees as well as extend all the consumers’ rights under the CCPA to Employees. This may present the business with new challenges, such as complying with requests from employees to access raw performance review information, complaints, and other information that may be related to investigations into wrongdoing.

Similarly, the business to business exception excludes personal information that reflects a written or verbal communication or transaction between the business and a consumer acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit or government agency when the communication occurs within the context of the business conducting due diligence regarding, or providing or receiving a product or service from, the other organization. Under this exception, the business is only required to provide the consumer with an opt-out of the sale of their personal information, if the business engages in any such activities. Without further legislation, businesses will be required to provide these business to business consumers with a complete CCPA-compliant privacy notice and extend to those consumers the rights to access and delete their personal information. For some businesses, this could significantly impact their CRM database.

Also looming over the heads of businesses is the proposed California Privacy Rights Act (“CPRA”). This ballot initiative was submitted to the California Secretary of State on May 4, 2020 with the claim that it had enough signatures to be included on the November 2020 ballot. While the ballot initiative has not yet been certified by the Secretary of State, if it passes it will significantly alter a business’s privacy obligations to consumers. Some of the changes proposed by the CPRA include: a new category of personal information defined as “sensitive personal information” along with a new consumer right to have the business stop using their sensitive personal information; a right for consumers to correct any of their personal information that is inaccurate; increased liability for data breaches; enhanced privacy rights for children’s personal information along with enhanced liability for collecting or selling the personal information of minors under the age of 16 in violation of the CPRA; additional disclosure obligations related to the role of automated decision making; and a new regulator for enforcement called the “California Privacy Protection Agency.” It will also extend both the employee information and business to business exceptions until January 1, 2023, injecting more uncertainty as to what businesses should be preparing for. If the CPRA should fail in November, businesses will have a scant 2 months to put appropriate policies and procedures in place to comply with their obligations under the existing CCPA for this type of personal information if they have not already done so. On the other hand, businesses will have wasted resources if they begin to develop these policies and procedures now should the CPRA pass in November.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only.