Effective January 1, 2020, the new privacy law in California, the California Consumer Privacy Act (CCPA), will impact companies nationwide. The CCPA will apply to any for-profit business that collects the personal information of California residents (including individuals, households and devices) and meets at least one of the three following criteria:
Until recently, companies have struggled with compliance preparation for the CCPA, as the law has been a moving target. Companies now have some guidance on what the law will require, with the governor signing, on October 11, amendments providing, among other things, clarification that employees are excluded under the definition of "consumer" for the first year,[1] and the California Attorney General publishing, on October 10, draft regulations interpreting the law.
The draft regulations, which are expected to be further revised to account for the recently adopted amendments to the CCPA, provide a detailed framework of obligations of companies subject to the CCPA, most notably in the below areas:
• The draft regulations clarify the content requirements and format of notices to consumers regarding a business's collection and use of personal information.
• At the time of collection, businesses must provide a notice informing consumers of the categories of personal information to be collected and, for each, the purpose(s) for which the personal information will be used.
• Initial notice must include details of the consumers’ right to opt out of the sale of their personal information, including an opt-out link and a link to the business’s privacy policy.
• Privacy policies must include specific details set forth in the draft regulations, including the consumers' various rights under the CCPA, details of the business’s collection of personal information, the purpose for such collection, and the categories of third parties with whom the business may share, sell or disclose such information.
• Notices and privacy policies must be written and presented in an easy-to-read, understandable and ADA-accessible format.
• The draft regulations provide extensive standardized procedures for handling consumer requests, including requirements on methods of submitting requests, confirmation of receipt of requests, response formats and time frames, and minimum response content, depending on the nature of the request.
• Businesses must implement procedures for verifying the identity of consumers making requests.
• For businesses with consumer accounts, the existing authentication procedures are generally acceptable.
• For businesses that must verify requests from those who do not hold accounts, the regulations provide a framework for verification.
• For minors under the age of 13, businesses must obtain parental consent for opting in to the sale of personal information. The draft regulation establishes rules and methods for obtaining parental consent for minors under the age of 13, consistent with the Children's Online Privacy Protection Act.
• For minors ages 13 to 16, businesses must provide a process for such minors to opt in to the sale of their personal information.
These draft regulations are open for public comment until December 6. Final rules are expected no later than July 2020. While the CCPA remains an evolving law, the draft regulations provide some preliminary guidance for companies to at least begin implementing policies and procedures for compliance preparation. Day Pitney will continue to monitor and track the CCPA to help clients understand and comply with the regulations as they take final form.
As we await final regulations, we continue to encourage for-profit businesses that collect, buy, rent, receive, obtain, or otherwise gather or access any personal information of California residents, whether actively or passively, including by just observing individuals' behavior, to consider whether the CCPA will apply. We recommend that our clients contact us long before the January 1, 2020, implementation date to make sure they are prepared to meet their legal obligations.
[1] The exemption for employees will automatically sunset on January 1, 2021, by which date it is expected that the California Legislature will introduce a separate bill specifically addressing companies' obligations with respect to the personal information of California-resident employees.
Day Pitney Partner Kritika Bharadwaj has been named to the 2024 Lawdragon 100 Leading Global AI & Legal Tech Advisors list. This is the inaugural year for this list.
Day Pitney Healthcare, Life Sciences, and Technology Counsel Damian Privitera's arrival was featured in the Law360 article "Moses & Singer Healthcare Atty Joins Day Pitney in Hartford."
Day Pitney Alert
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – February 2024
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – February 2024
Day Pitney Data Privacy, Protection and Litigation co-chair William Roberts was featured on Vancord CyberSound podcast "Understanding the Data Privacy Patchwork: What You Need to Know."
Day Pitney Discovery Counsel Ashley Picker Dubin was featured in a Legaltech News Q&A on her new role as Discovery Counsel at the firm.
Day Pitney Artificial Intelligence Committee Chair Kritika Bharadwaj and Healthcare and Technology Associate Colton Kopcik authored the article "Generative AI in Health Care: Diagnosing the Legal Landscape for Dr. GenAI" for the New York Law Journal's Legal Technology Special Section.
Day Pitney Counsel Ashley Picker Dubin was featured in Legaltech News article "The ChatGPT Effect, Finding Deepfakes, and More" covering various panels at Legalweek.
Copyright © 2024 Day Pitney LLP, all rights reserved.