The CCPA: Final Regulations and Insight into Key Additions Effective Immediately
Proposed Regulations to the CCPA were approved by the California Office of Administrative Law on August 14, 2020. The approved Final Regulations go into effect immediately.
The California Office of the Attorney General (“Attorney General”) submitted the final Proposed Regulations Package to the California Office of Administrative Law (“OAL”) on June 1, 2020. The OAL approved the Regulations as Final on August 14, 2020.
The first set of updates to the Proposed Regulations was released on February 7, 2020, and after a 15-day public comment period and the receipt of about 100 comments, the Attorney General released a second set of updates on March 11, 2020. After another 15-day public comment period and the receipt of about another 100 comments, the Attorney General submitted the Final Proposed Regulations Package, which included the final text and updated statement of reasons for the Regulations.
The following highlights key provisions in the Final Regulations, which include the most notable additions to the CCPA:
Training: The CCPA requires that all individuals “responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance” with the CCPA are “informed of all requirements” and able “to direct consumers to exercise their rights.” Cal. Civ. Code § 1798.130(a)(6). The Final Regulations expand this meaning to require a business to “establish, document, and comply with a training policy” to maintain the requirements. Final Regulations § 999.317.
Recordkeeping: The CCPA requires businesses to address consumer requests, such as requests to delete or disclose information collected on the consumer. The CCPA makes no mention of recordkeeping in relation to these requests. The Final Regulations, however, require that a business “maintain records of consumer requests,” which includes “how [the business] responded to the requests,” for a period of at least 24 months. In addition, the Final Regulations specify the ways in which these records may be kept, the security they must be kept under, and the situations under which sharing of records is permissible. See id. § 999.317.
Required Metrics: A business performing specified activities on the personal information of ten million or more consumers must compile and share data on its consumer requests. See id. § 999.317(g). For each preceding calendar year, the business must compile metrics on the consumer requests that it has received, complied with, or denied, and additionally compute “the median or mean number of days within which the business substantively responded.” Id. This information must be shared in the business’s privacy policy. See id.
Household Information: The Final Regulations significantly expand the regulations related to “households” and associated information. The CCPA generally imposes restrictions on information linked to a “consumer or household” but fails to define “household” and associated requirements. See, e.g., Cal. Civ. Code § 1798.140(k). The Final Regulations, however, define “household” to mean one or more people who reside at the same address, use a common device or provider, and are identified by the business as sharing the same unique identifier. See Final Regulations § 999.301(k). The Final Regulations further create a set of requirements to follow when evaluating whether to comply with requests to access or delete household information. See id. § 999.318. For example, all members of a household must jointly submit requests and individually be verified. See id. § 999.318. Additional requirements apply if a member of the household is a minor under the age of 13. See id.
Information on Customers under the Age of 16: The CCPA requires affirmative authorization to sell information on consumers under the age of 13, which must come from the consumer’s parent or guardian. See Cal. Civ. Code § 1798.120(c). The Final Regulations provide additional guidelines for businesses to employ reasonable methods for determining whether an affirmative authorization is provided by the consumer’s parent or guardian. See Final Regulations § 999.330. The same guidelines apply to requests to delete or requests to know as they concern consumers under the age of 13. See id. Finally, the Final Regulations place an additional requirement of informing a parent or guardian of the right and process for opting out after receiving an affirmative authorization. See id.
For consumers between the ages of 13 and 16, the Final Regulations require a business that has actual knowledge that it sells personal information of consumers in this age range to “establish, document, and comply with a reasonable process for allowing such minors to opt-in to the sale of their personal information.” Id. § 999.331(a). The Final Regulations additionally require that all processes specifically related to minors must be described in the business’s privacy policy. See id. § 999.332(a).
Non-Discrimination and Financial Incentives: Generally, the CCPA prohibits a business from discriminating against a consumer for exercising a right under the CCPA. See Cal. Civ. Code § 1798.125(a)(1). However, the CCPA allows a business to offer a “financial incentive” to consumers in exchange for the collection, sale, or deletion of their personal information. Such financial incentive, though, must be “directly related to the value provided to the consumer by the consumer’s data.” Id. § 1798.125(b). The Final Regulations list guidelines and requirements for disclosure of such financial incentives. See Final Regulations § 999.307. One guideline that has drawn attention is the requirement of providing a good faith estimate of the value of the consumer’s data which is used as the basis of any price differential and disclosing the method that the business used to calculate that value. See id. The business must be able to demonstrate that the financial incentive is “reasonably related to the value of the consumer’s data to the business” and must document its method for calculating such value. See id. §§ 999.336(d)(3); 999.307.
Browser plugins: The Final Regulations maintain the requirement of earlier Proposed Regulations drafts that businesses treat a consumer’s “browser plug-in or privacy setting, device setting, or other mechanism” as a request to opt out of the sale of personal information. See Final Regulations § 999.315(a).
The direction of the Final Regulations and the accompanying Attorney General’s statement of reasons illuminate enforcement priorities. For example, there are certain areas, such as some types of information required to be notified in a business’s privacy policy, where the Attorney General expects businesses to exercise reasonable discretion, hinting at greater flexibility rather than rigid adherence.
Certain provisions of the Regulations submitted by the Attorney General were withdrawn by OAL. OAL may choose to resubmit these withdrawn sections after further review and revision.
The Final Regulations go into effect immediately and will be filed with the Secretary of State and become enforceable law. For additional information or support on your CCPA compliance initiatives, contact Cynthia Cole or Matthew Baker in the Baker Botts Privacy and Data Security team.