Enforcement of the California Consumer Privacy Act (“CCPA”) begins July 1, 2020, so businesses subject to the CCPA must quickly make efforts to comply with the final CCPA regulations that were released on June 1, 2020. Those efforts are, of course, more difficult for businesses forced by Covid-19 to furlough or fire employees who have relevant knowledge of, and responsibility for, CCPA compliance. Budget concerns regarding outside counsel and vendor spend are also impacting compliance efforts.
As of this writing, the California Attorney General (“AG”) has declined to extend the enforcement date in light of these challenges. In responding to requests to delay enforcement of the CCPA, the AG stated
“The OAG has considered and determined that delaying the implementation of the regulations is not more effective in carrying out the purpose and intent of the CCPA.”
The AG’s position conveniently ignores the fact that CCPA has been modified three times since its implementation in January 2020, creating a moving target for compliance.
Given that enforcement is moving forward in spite of Covid-19, businesses should ensure that they have achieved compliance, or can do so quickly and effectively, and in no case later than July 1. Businesses will need to implement a number of policies and procedures to comply with the CCPA, including updates to their online privacy policies to disclose the information required by Section 999.308 of the CCPA. Section 999.308 of the final regulations prescribes many items that must be disclosed, including a description of the rights provided by the CCPA, the categories of personal information collected about consumers in the preceding 12 months, the categories of sources from which the personal information was collected, and the business or commercial purposes for the collection.
It is important for businesses to understand that a GDPR-compliant program does not result in a CCPA-compliant program because of key differences between the GDPR and CCPA, especially in terms of how personal information is defined and the consumer’s right to opt-out of the sale of personal information (which is not required in the GDPR). That means that businesses that are subject to GDPR will need to take additional measures to comply with the CCPA.
In addition to having a CCPA-compliant privacy policy, businesses will need to implement notices at or before the collection of personal information that identify the personal information to be collected and the purposes for which it will be used. Simply having a privacy policy link on a website is not enough to satisfy the notice at collection requirement. However, just as with the privacy policy disclosures, the AG allows discretion on how to accomplish the requirement. For example, the provision does not require a cookie banner, but rather leaves it to businesses to determine the formats that will best achieve the result in particular environments.
Businesses that “sell” personal information will also need to provide a notice of right to opt out of sales. The statute defines “sale” in an extremely broad way, meaning the transfer of personal information for “monetary or other valuable consideration.” The phrase “valuable consideration” is currently open to interpretation and only time will tell how the AG will enforce this language.
Businesses also will need to provide methods for California residents to submit CCPA requests and implement verification procedures for requests to know and delete. Businesses must provide at least two methods for submitting those requests, including providing a toll-free telephone number for requests to know (unless the business operates exclusively online). Businesses that sell personal information must provide an online interactive form for submitting such requests and a link entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on their website or mobile application.
Finally, businesses that transfer personal information to other entities will need to amend or implement data sharing agreements to the extent that they want the other entities to be considered service providers under the CCPA. Service providers can use personal information they collect for the purpose of providing the services, to detect data security incidents or protect against fraudulent or illegal activity, among other uses.
Businesses trying to drive compliance with the CCPA find themselves in a difficult situation; however, careful planning now can avoid serious headaches later. Businesses should determine what they need to do to comply, and then make efforts to do so, quickly.
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.