Final Proposed CCPA Regulations Submitted to California’s Office of Administrative Law, But the California Privacy Landscape Remains Clear as Mud
California Attorney General Xavier Becerra submitted the final proposed regulations (the “Regulations”) under the California Consumer Privacy Act of 2018 (“CCPA”) to the California Office of Administrative Law (“OAL”) on June 1, 2020. The Regulations were submitted on the last day that would normally be permitted under California law without reliance on other procedural measures that would have provided even less time for businesses subject to the CCPA to comply with the Regulations. Normally the OAL has 30 days to review any proposed regulations and, if approved, submit them to the California Secretary of State. However, Governor Newsom’s Executive Order N-40-20 would extend this time as a result of the COVID-19 pandemic. For the Regulations to be adopted prior to the July 1, 2020 enforcement date (which Attorney General Becerra has previously indicated will not be delayed), Attorney General Becerra also requested that the OAL expedite and complete its review within 30 business days given CCPA’s statutory mandate for the regulations. Attorney General Becerra also requested that the Regulations become effective immediately upon the filing of the approved Regulations with the Secretary of State so they will be immediately enforceable.
The Regulations are identical to the second set of modifications to the regulations proposed on March 11 and still fall short of addressing some of the more burning questions facing businesses seeking to comply with the CCPA, such as clearer guidance as to what disclosure of personal information will constitute a sale, and which disclosures are not “for monetary or other valuable consideration.” Without such clarification, businesses are faced with the choice of performing their own good-faith analysis or expending valuable resources in amending contracts with service providers to include contractual provisions that limit the service providers’ use of the personal information and exclude it from the broad definition of a sale under the CCPA.
Businesses subject to the CCPA are also still faced with the looming expiration of two key exceptions to the CCPA. In particular, the so-called “employee information” and “business to business” exceptions are still set to expire on January 1, 2021, and no bill has been proposed to extend these dates. Businesses that rely on these exceptions may want to consider whether to begin drafting additional policies and procedures to comply with the requirements of CCPA for this type of information.
The employee information exception excludes personal information collected from natural persons acting as job applicants to, employees of, owners of, directors of, officers of, medical staff members of, or contractors (collectively, “Employees”) of the business so long as the business uses the personal information collected within the context of that individual’s current or former role. It also excludes personal information about third parties collected from Employees that is emergency contact information or used to administer benefits for the Employee. Under the employee information exception, businesses are only required to provide Employees with a shortened privacy notice that discloses the categories of personal information collected and what it is collected for, and are not required to provide Employees with most of the other rights provided to consumers under the CCPA, such as the right to access their personal information, to have their information deleted, and to opt out of the sale of their personal information. The temporary exception only preserves the Employees’ private right of action in the event there is a data breach involving their personal information as a result of a failure to implement and maintain reasonable security procedures and practices. In the absence of any further legislation, businesses will need to prepare to provide a complete CCPA-compliant privacy notice to Employees as well as extend all the consumers’ rights under the CCPA to Employees. This may present the business with new challenges, such as complying with requests from employees to access raw performance review information, complaints, and other information that may be related to investigations into wrongdoing.
Similarly, the business to business exception excludes personal information that reflects a written or verbal communication or transaction between the business and a consumer acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit or government agency when the communication occurs within the context of the business conducting due diligence regarding, or providing or receiving a product or service from, the other organization. Under this exception, the business is only required to provide the consumer with an opt-out of the sale of their personal information, if the business engages in any such activities. Without further legislation, businesses will be required to provide these business to business consumers with a complete CCPA-compliant privacy notice and extend to those consumers the rights to access and delete their personal information. For some businesses, this could significantly impact their CRM database.
Also looming over the heads of businesses is the proposed California Privacy Rights Act (“CPRA”). This ballot initiative was submitted to the California Secretary of State on May 4, 2020 with the claim that it had enough signatures to be included on the November 2020 ballot. While the ballot initiative has not yet been certified by the Secretary of State, if it passes it will significantly alter a business’s privacy obligations to consumers. Some of the changes proposed by the CPRA include: a new category of personal information defined as “sensitive personal information” along with a new consumer right to have the business stop using their sensitive personal information; a right for consumers to make corrections to any of their personal information that is inaccurate; increased liability for data breaches; enhanced privacy rights for children’s personal information along with enhanced liability for collecting or selling the personal information of minors under the age of 16 in violation of the CPRA; additional disclosure obligations related to the role of automated decision making; and a new regulator for enforcement called the “California Privacy Protection Agency.” It will also extend both the employee information and business to business exceptions until January 1, 2023, injecting more uncertainty as to what businesses should be preparing for. If the CPRA should fail in November, businesses will have a scant 2 months to put appropriate policies and procedures in place to comply with their obligations under the existing CCPA for this type of personal information if they have not already done so. On the other hand, businesses will have wasted resources if they begin to develop these policies and procedures now should the CPRA pass in November.