California: AG submits final CCPA regulations for approval
The California Attorney General ('AG'), Xavier Becerra, announced, on 2 June 2020, that he had submitted the final regulations ('the Regulations') under the California Consumer Privacy Act of 2018 ('CCPA') to the California Office of Administrative Law ('OAL').
In particular, the Regulations implement the changes set out under the AG's second set of modified regulations, previously released for public comment in March 2020. In addition to the final Regulations, the AG issued a final statement of reasons which provides a summary of all modifications from the initial proposed text of the regulations. Furthermore, the AG's office highlighted that the Regulations are a result of a broad and inclusive preliminary rulemaking process, which included seven public forums and four public hearings throughout California, along with a 45-day comment period and two subsequent 15-day comment periods.
Applicability of CCPA
Elliot R. Golding, Partner at Squire Patton Boggs (US) LLP, told OneTrust DataGuidance, "There do not appear to be any material changes in the Regulations compared to the most recent March proposed draft. Along with the final Regulations submission, the AG published additional explanatory material and responses to public comments. Although such commentary may not carry the force of law, it does provide helpful guidance around how the AG could interpret ambiguous provisions."
The Regulations, which are required by the CCPA to be published on or before 1 July 2020, clarify and add to the definitions of the CCPA, and establish rules and procedures for a variety of topics. In relation to jurisdictional thresholds that would trigger the applicability of the CCPA and the Regulations, Golding noted, "The AG clarified some of the ambiguous thresholds for companies to qualify as a 'business' under the CCPA. For example, the $25 million trigger is not limited to California based revenue or revenue from California residents. By contrast, the trigger based on handling personal information about 50,000 consumers, devices, or households for commercial purposes must have a California nexus."
In addition, the Regulations establish rules regarding notices to consumers and business practices for handling consumer requests, including methods for submitting and responding to requests to know, delete and opt-out. In relation to the latter, Golding highlighted, "One of the more controversial parts of the Regulations requires businesses to honour 'user-enabled privacy controls' to opt out of sale. Many have wondered if that language mandates honouring browser Do Not Track ('DNT') signals. The AG did not expressly resolve this ambiguity, but the guidance suggests honouring browser DNT signals in their current form might not be strictly required. For example, the AG stated businesses have 'discretion' whether to use DNT signals as a 'useful proxy for communicating a consumer's privacy choices to businesses and third parties.' The AG also stated that the Regulations are intended to be 'forward-looking' and that controls should be 'developed in accordance with these regulations,' which suggests existing technologies may not qualify."
Other key topics covered by the Regulations include verification of requests, including specific methods for password protected accounts, non-account holders and authorized agents; special rules regarding minors, such as processes on how to opt-in to sale of information depending on a minor's age; and non-discrimination principles, outlining practices that are considered prohibited when businesses treat consumers differently due to exercising rights conferred by the CCPA or the Regulations. Golding noted, "Another source of ambiguity is the scope of what constitutes a 'financial incentive.' Again, the AG did not expressly answer this question, but did provide some clues while rejecting many requests to narrow the scope. This suggests that the AG may be more likely to interpret the scope of the 'financial incentive' provisions broadly."
The OAL has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance. However, the AG submitted a written justification requesting that the OAL complete an expedited review within 30 business days and that the final Regulations become effective upon filing with the Secretary of State. Golding concluded, "The Regulations will go into effect once the OAL reviews and approves them. The AG has requested expedited review to meet the AG's stated goal of making the Regulations effective (and therefore enforceable) starting 1 July 2020."
Nikolaos Papageorgiou Lead Privacy Analyst
Comments provided by:
Elliot R. Golding Partner
Squire Patton Boggs (US) LLP