On June 1, 2020, California’s Office of the Attorney General (“AG”) moved one step closer to finalizing the California Consumer Privacy Act (“CCPA”) regulations when the AG submitted proposed final regulations for review and approval by California’s Office of Administrative Law (“OAL”). This submission signals the end of the AG’s CCPA regulation drafting process that began in early 2019. If the OAL approves the proposed final regulations, they will be finalized and enforceable by the AG, subject to any legal challenges.
The proposed final regulations under review are identical to those released on March 11, 2020. The OAL’s task is to review the proposed final regulations and evaluate whether they meet the following standards of review, based on the rulemaking record (Cal. Gov’t Code § 11349 et seq.):
- Are they necessary to effect the purpose of the statute, based on facts, studies, and expert opinions;
- Does the CCPA provide authority for the proposed final regulations at issue;
- Are the proposed final regulations drafted with clarity so that they can be easily understood by those directly affected by them; and
- Are the proposed final regulations consistent with existing statutes (including the CCPA), court decisions, or other provisions of law, do they reference the CCPA, and are they nonduplicative of other state or federal statutes or regulations.
Currently, the OAL has 30 business days plus 60 additional calendar days, until September 13, 2020, to complete their review. If the proposed final regulations are approved as meeting these standards, the OAL will file them with the California Secretary of State. Should the OAL disapprove any regulation, the OAL will return it to the AG with an explanation of the reasons for disapproval. The AG then would have 120 days to revise and resubmit the regulation.
The AG has asked the OAL to conduct an expedited review of the proposed final regulations and aim for completion in just 30 working days, by July 15, 2020. Once approved, the AG has also requested that the proposed final regulations become effective immediately after the OAL files them with the Secretary of State. If these requests are not granted, the effective date of the regulations could be as late as January 1, 2021, according to the schedules in California’s Administrative Procedure Act. Cal. Gov’t. Code § 11343.4. As noted above, further delays will occur should the OAL disapprove any of the regulations.
Enforcement Can Begin July 1st, So Businesses Should Be Ready
The AG can begin enforcing the CCPA on July 1, 2020, even if the proposed regulations are not finalized. See Cal. Civ. Code § 1798.185(c) (AG enforcement to begin the earlier of July 1, 2020, or six months after final regulations are issued). Even without finalized regulations, the CCPA arguably sets forth statutory obligations that the AG could seek to enforce. For example, the statute puts businesses on notice regarding the basic types of rights they must provide to consumers (e.g., rights to know, access, delete, and to stop the sale of personal information), explains that those rights need to be disclosed in privacy policies, and defines important concepts, including a CCPA “sale” and the inclusion, under some circumstances, of cookies and mobile ad IDs as personal information within the meaning of the statute. The AG would likely argue that the regulations are not required to apprise businesses of most of their basic CCPA compliance obligations.
To mitigate risk, businesses subject to the CCPA should therefore aim to finalize compliance efforts in June 2020, using the proposed final regulations as a guide. These compliance steps might include the following:
- Finalize updates to privacy policies.
- Deploy point of collection notices that describe the personal information the business collects about its California employees and consumers, and the purposes for such collection.
- Integrate the CCPA into employee training programs, at least for consumer-facing employees.
- Ensure compliance with CCPA recordkeeping requirements, which apply to all covered businesses and not just those businesses that are required to include specified metrics in their privacy policies. These recordkeeping requirements, for instance, include retaining for at least two years records of data subject requests and responses.
- Businesses that handle the personal information of 10 million or more California residents in a calendar year should be finalizing systems that allow them to comply with the more extensive reporting requirements in the proposed final regulations regarding data subject requests and responses. 11 Cal. Code. Reg. 999.317(g).
Rulemaking Record Provides Guidance About Open Questions
In addition to proposed final regulations, the AG submitted the rulemaking record to the OAL. The record includes an abundance of supporting information to justify the proposed final regulations. It includes the Final Statement of Reasons, a detailed articulation of the AG’s interpretation of the CCPA and rationale for each of the proposed final regulations, and appendices that contain nearly 500 pages of responses to written comments received during the notice and comment period and to the regulatory impact assessment prepared by the AG in 2019. Both are useful interpretive guides.
Clarification of several issues regarding the AG’s interpretation of and approach to the CCPA can be gleaned from these supporting materials. Below are a few examples:
- The AG believes that the $25 million threshold of annual gross revenues used in the CCPA’s definition of a “business” is not limited to revenue generated from consumers in California – In response to a comment asking for clarification of this issue, the AG noted that no change to the regulations was necessary because the statute “does not limit the revenue threshold to revenue generated in California or from California residents.” (FSOR Appendix A, Response No. 5).
- The definition of “doing business in California” will not be further clarified – In response to several comments, the AG replied that the phrase should be given meaning “according to the plain language of the words and other California law.” (FSOR Appendix A, Response Nos. 7, 951). Accordingly, under applicable California law and judicial rulings, it would appear likely that companies that pay (or ought to pay) state “Franchise” taxes are “doing business” in California. So, if companies pay those taxes, they are likely subject to CCPA (if they meet the other thresholds); if companies conclude they are subject to CCPA, or will operate as though they are subject to CCPA regardless of their “doing business” status, but are not paying such taxes, they should consider consulting their tax advisers about their California tax status.
- The burden of establishing California residency may be on consumers, not businesses – The AG explains that businesses are not obligated to collect additional information to determine a consumer’s residency, but “if a consumer demonstrates they are a resident of California,” the business should comply with the request. (FSOR Appendix A, Response No. 16, emphasis added).
- The regulations neither prescribe reasonable security standards nor offer guidance on measures necessary to “cure” a violation of such standards – Citing the “wide range of factual circumstances” and need to allow for technological advancements, the AG declines to describe what would constitute reasonable security measures or provide a defined safe harbor. Instead, businesses are directed to consult with “counsel, industry standards, and technical experts.” (FSOR Appendix A, Response Nos. 737, 925). Similarly, the AG rejected requests to clarify what is necessary to cure a violation of reasonable security measures, noting it will vary based on circumstance. (FSOR Appendix A, Response No. 926) (Significantly, however, the AG did not challenge the understanding that a “cure” opportunity is required before private, or AG, data breach litigation may proceed.)
- The AG declined to eliminate businesses’ obligation to provide a good-faith estimate of the value of the consumer’s data and a description of the method used to calculate that value based on proprietary information or trade secret defense – The AG chose not to make a change to the proposed final regulations regarding trade secret concerns and explained that the comment did not “demonstrate that the method or the value of the consumer’s data is a trade secret pursuant to [California law],” which states that in order to be a “trade secret” such information must meet specified criteria including that it “[d]erives independent economic value … from not being generally known to the public” and “[i]s the subject of efforts that are reasonable under the circumstances to maintain its secrecy…,” or would result in competitive harm. The AG concluded that “any potential competitive harm is speculative, and in any case, the potential for harm is further mitigated because all similarly situated competitors in California will be bound by the same disclosure requirements” and “neither federal nor state law provide absolute protection for trade secrets.” (FSOR Appendix A, Response No. 247).
- The regulations do not include any exceptions for disclosure of trade secrets – The CCPA instructs the AG to adopt regulations regarding, among other things, “exceptions necessary to comply with state or federal law” relating to trade secrets and IP rights. Cal. Civ. Code § 1798.185(a)(3). The AG declined to do so, noting instead that allowing any “blanket exemption” from disclosure for any information a business deems to be a trade secret would be “overbroad” and defeat the Legislature’s consumer protection and privacy protective purposes. Instead, the AG appears to favor adjudication of trade secrets issues on a case-by-case basis, guided by federal and state case law holding that the interests of protecting trade secrets must be weighed against the need for disclosure. (FSOR Appendix A, Response No. 247).
In several other instances, the AG suggests the absence of regulations on a particular topic is likely a function of its efforts to prioritize drafting regulations that “operationalize and assist in the immediate implementation of the law,” and does not necessarily reflect a definitive decision that the topic is not suitable for regulation. Examples of such issues include whether to provide model notices and templates for compliance, additional examples of what may constitute a CCPA sale, implementation challenges unique to franchisees and franchisors, and issues associated with children’s online anonymity.
Next Steps – Finalizing Regulations and Looking Ahead to the California Privacy Rights Act
No one knows when the OAL will complete their review of CCPA regulations. The AG’s request that the OAL speed up its review may not be administratively realistic as the agency is already backlogged due to COVID-19. Indeed, recognizing the delays caused by the statewide shutdown, California Governor Gavin Newsom issued an Executive Order giving the OAL an additional 60 calendar days (from 30 working days plus 60 calendar days) to complete their review of all proposed final regulations. It appears more certain that the AG’s second request – that the OAL-approved regulations be finalized when submitted to the Secretary of State – could be granted, though. California’s Administrative Procedure Act gives the OAL authority to prescribe earlier effective dates of regulations upon a showing of good cause by the requesting agency, here the AG’s office. Cal. Gov’t. Code § 11343.4.
Before the proposed final regulations are approved, we will likely know the fate of the California Privacy Rights Act (“CPRA”), the Alastair Mactaggart-sponsored initiative to significantly amend CCPA. California counties are currently verifying signatures gathered to put the initiative on the ballot, but they must do so by June 25, 2020, the constitutionally-mandated deadline. Because signatures were submitted for verification nearly two weeks after the recommended date, it is possible the initiative will not be placed on this year’s ballot.
Whatever the fate of the proposed final regulations and the initiative, it is clear that CCPA enforcement may begin July 1, 2020. Businesses should take these final weeks of June 2020 to review and complete their compliance efforts.