If the CCPA has proved anything in 2020, it was the certainty of uncertainty. Businesses subject to the CCPA have been uncertain about how the CCPA would be interpreted ever since the statute was passed in 2019. After months of proposals and amendments to the CCPA’s regulations, California’s Attorney General Xavier Becerra submitted the final regulations of the CCPA to the Office of Administrative Law (OAL) on June 1, 2020. The OAL approved the regulations and Mr. Becerra announced on August 14, 2020 that they would take effect immediately.
The stance that AG Becerra has taken regarding a consumer’s data privacy rights and the importance of consumers having control of their data is no surprise and continues to remain firm.
As part of the announcement, Mr. Becerra stated: “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers and businesses alike on how to implement the California Consumer Privacy Act. As we face a pandemic of historic proportions, it is particularly critical to be mindful of personal data security.”
OAL’s Modifications to the Final Regulations of the CCPA
Even though the final regulations have been slightly modified, the OAL performed a thorough review, which includes the following updates that add further clarification to the law. Dan Clarke, president of IntraEdge and Michael Hellbusch, partner at Rutan & Tucker, weigh in on these modifications from the changes that make the most significant impact.
Re-obtain consent – A significant modification to the final regulations is the deletion of the provision that a business must re-obtain consent from the consumer, in addition to notifying a consumer if the business seeks to use a consumer’s previously collected personal information for a purpose materially different than what was previously disclosed to the consumer in the notice at collection. The requirement to gather explicit consent for additional uses of personal information is not mentioned in the statute, and the proposed requirement in the regulation appeared to be created out of whole cloth by the Office of the Attorney General (OAG). It’s removal places the CCPA firmly back into the realm of a notice and consent privacy statute.
Deny Requests to Authorized Agents – The OAL removed the provision that would have allowed a business to deny a request from an authorized agent that did not submit proof that they have been authorized by the consumer to act on their behalf. According to the OAG, this provision may be revised and resubmitted in the future. This provision was problematic because it created confusion with respect to the methods for verifying agency authorization. Requiring “proof” of agency authorization goes beyond the reasonable verification requirements in the statute. In fact, the deleted provision actually made it more difficult for consumers to exercise their CCPA rights—something Mr. Becerra undoubtedly did not support.
Offline Businesses – The approved regulations deleted a provision which would have required businesses to provide offline notices to consumers about their CCPA right to opt-out of the sale of their personal information. This was another provision where the proposed regulations went further than what the statute specifically requires. The CCPA only requires notice of the right to opt-out in an online format.
Replace “Entity” with “Business” for 3rd Parties – The final regulations clarified that an entity collecting personal information on behalf of a business need not be another “business” under the CCPA to qualify as a service provider. The change, in § 999.314(b), was a minor and logical one, but closed a potentially large loophole that existed in the proposed regulations.
Further Clarifications – Grammatical errors and imprecise word choices were blatant in the final proposed regulations submitted to the OAL. Most of the OAL’s changes corrected such errors For example, the final regulations added omitted periods to the ends of sentences and deleted unnecessary commas. Another logical change was to clarify that the rights of individuals under the age of 16 applied to “consumers” and not to all “minors” (regardless of whether or not they were consumers).
Financial incentives Not Including Deletion – The OAL made updates which clarify that financial incentives don’t apply to the “retention” of data. The OAG’s proposed regulations defined a “financial incentive” to mean a benefit related to the collection, retention, or sale of personal information. The final regulations changed “retention” to “deletion”—defining more precisely the rights afforded to California residents, e., the right to request deletion, not the right to dictate retention periods.
Simple Opt-Out of Sale Mechanism – The final regulations removed a provision that prohibited the use of dark patterns and other design methods with the effect of “subverting or impairing” a consumer’s decision to opt-out. This provision, removed from § 999.315, may have been seen as too strong a restriction on commercial speech. It certainly went beyond the face of the statute.
Right to Know Verification – When drafting the proposed regulations, the OAG included the phrase “right to access” to describe the consumer’s right to know. The right to access personal information is obviously far broader than the right to know what personal information has been collected and how it is used. The final regulations corrected this error and properly described the consumer’s right as the “right to know.”
Finally, the OAL removed § 999.341, the severability provision, in its entirety as “unnecessary”. The severability provision stated that if any part of the CCPA regulations are held to be inoperative, the holding would not affect the validity of the remaining portions of the regulations. The legality of severability clauses in administrative regulations is doubtful, particularly when, as here, the underlying statute itself does not contain a severability clause. Perhaps the severability provision in the proposed regulations was “unnecessary” because the OAL did not believe it would survive any sort of scrutiny.
The final regulations of the CCPA are effective immediately, which is surprising it wasn’t expected to go into effect until October 2020. As the changes are arguably non-substantive, they put it on an emergency approval because the CCPA is already enforceable as of July 1, 2020.
Considering it is August and we still have a few months until November, what happens to the regulations once we have additional modifications potentially from CPRA? Only time will tell stay tuned for further updates.