Effective January 1, 2020, the new privacy law in California, the California Consumer Privacy Act (CCPA), will impact companies nationwide. The CCPA will apply to any for-profit business that collects the personal information of California residents (including individuals, households and devices) and meets at least one of the three following criteria:
Until recently, companies have struggled with compliance preparation for the CCPA, as the law has been a moving target. Companies now have some guidance on what the law will require, with the governor signing, on October 11, amendments providing, among other things, clarification that employees are excluded under the definition of "consumer" for the first year, and the California Attorney General publishing, on October 10, draft regulations interpreting the law.
The draft regulations, which are expected to be further revised to account for the recently adopted amendments to the CCPA, provide a detailed framework of obligations of companies subject to the CCPA, most notably in the below areas:
• The draft regulations clarify the content requirements and format of notices to consumers regarding a business's collection and use of personal information.
• At the time of collection, businesses must provide a notice informing consumers of the categories of personal information to be collected and, for each, the purpose(s) for which the personal information will be used.
• Privacy policies must include specific details set forth in the draft regulations, including the consumers' various rights under the CCPA, details of the business’s collection of personal information, the purpose for such collection, and the categories of third parties with whom the business may share, sell or disclose such information.
• Notices and privacy policies must be written and presented in an easy-to-read, understandable and ADA-accessible format.
• The draft regulations provide extensive standardized procedures for handling consumer requests, including requirements on methods of submitting requests, confirmation of receipt of requests, response formats and time frames, and minimum response content, depending on the nature of the request.
• Businesses must implement procedures for verifying the identity of consumers making requests.
• For businesses with consumer accounts, the existing authentication procedures are generally acceptable.
• For businesses that must verify requests from those who do not hold accounts, the regulations provide a framework for verification.
• For minors under the age of 13, businesses must obtain parental consent for opting in to the sale of personal information. The draft regulation establishes rules and methods for obtaining parental consent for minors under the age of 13, consistent with the Children's Online Privacy Protection Act.
• For minors ages 13 to 16, businesses must provide a process for such minors to opt in to the sale of their personal information.
These draft regulations are open for public comment until December 6. Final rules are expected no later than July 2020. While the CCPA remains an evolving law, the draft regulations provide some preliminary guidance for companies to at least begin implementing policies and procedures for compliance preparation. Day Pitney will continue to monitor and track the CCPA to help clients understand and comply with the regulations as they take final form.
As we await final regulations, we continue to encourage for-profit businesses that collect, buy, rent, receive, obtain, or otherwise gather or access any personal information of California residents, whether actively or passively, including by just observing individuals' behavior, to consider whether the CCPA will apply. We recommend that our clients contact us long before the January 1, 2020, implementation date to make sure they are prepared to meet their legal obligations.
 The exemption for employees will automatically sunset on January 1, 2021, by which date it is expected that the California Legislature will introduce a separate bill specifically addressing companies' obligations with respect to the personal information of California-resident employees.
On October 15, Jonathan Zelig served as a panelist on the topic, "Ransomware: Exposures and Opportunities," at the 2020 Massachusetts Insurance and Reinsurance Bar Association's Fall Symposium.
Day Pitney and the Association of Corporate Counsel (ACC) Northeast Chapter co-hosted a virtual roundtable, "Basic Tech and Cyber Competency for In-House Counsel," on September 23.
Day Pitney Counsel Steven Cash will serve as featured panelist for the webinar "Decisional Advantage and Intelligence."
Day Pitney Advisory
Kermit Wallace was quoted in Legaltech News article, "The Pandemic Has Turbocharged Legal Automation – With Room to Spare."
Kermit Wallace was quoted in the Legaltech News article, "Firms May Still Be Adopting Their Old Tools, Let Alone New Ones."
Chief Information Officer Kermit Wallace was quoted in the Legaltech News articles, "Security, Stress and Schedules: How Collaboration Tools Are Changing Legal's Culture," and, "4 Unintended Problems Created by Pandemic Tech Adoption."
Eliza Fromberg was quoted in the article, "Personal Messaging Channels Pose Compliance Cybersecurity Risks," published by FundFire.
Kermit Wallace, CIO of Day Pitney, was quoted in Legaltech News article, "Good Help Is (Still) Hard to Find in Legal IT and Cybersecurity."