Earlier this summer, the Attorney General of California issued draft regulations to clarify and expand certain parts of the California Consumer Privacy Act (CCPA). On August 14, the draft regulations took effect. This means that, two years after its tumultuous drafting and passage, the full CCPA and its associated regulations are in effect. In addition, the Attorney General now has a full set of rules to enforce regarding how companies collect, use, and store “personal information” of California residents.
As a reminder: the CCPA applies to many companies that do not have a physical presence in California, either because they provide services to companies that do business there, or because they collect information from Californians or their devices. The CCPA raised eyebrows in the legal world when it passed, because among other things it requires the following:
- Extremely detailed up-front consumer notices about information collection practices;
- A process to respond to consumer access or deletion requests;
- A process to allow consumers to opt out of having their personal information sold to third parties;
- A written contract and detailed provisions regarding collection, use, and storage of personal information in order to qualify as a service provider (service providers do not have as many responsibilities under the CCPA, although they still can face liability for violations).
The CCPA allows consumers to sue companies directly in the wake of a data breach, establishes up front an amount of damages for such lawsuits (rather than requiring consumers to prove that they were harmed), and permits the Attorney General to investigate and fine companies just as most privacy laws do.
In addition, the CCPA defines very broadly the “personal information” that is protected by the Act. Because of this breadth, the law’s application to B2B companies as well as B2C companies, and the extensive liability that can result from its violation, every company with customers, suppliers, or a physical presence in California would benefit from confirming whether the law applies to it.
For companies covered by the law, the newly effective regulations expand on the process for answering consumer information requests, clarify the requirements applicable to service providers, and more. Even if you updated your privacy practices before 1/1/2020, when the statute itself took effect, it is worth checking whether further updates are advisable in light of the new regulations.