Effective January 1, 2020, the new privacy law in California, the California Consumer Privacy Act (CCPA), will impact companies nationwide. The CCPA will apply to any for-profit business that collects the personal information of California residents (including individuals, households and devices) and meets at least one of the three following criteria:
- Generates annual gross revenue in excess of $25 million;
- Receives, shares, buys or sells the personal information of more than 50,000 California residents annually (whether directly or through third parties); or
- Derives at least 50% of its annual revenue from selling the personal information of California residents.
Until recently, companies have struggled with compliance preparation for the CCPA, as the law has been a moving target. Companies now have some guidance on what the law will require, with the governor signing, on October 11, amendments providing, among other things, clarification that employees are excluded under the definition of "consumer" for the first year, and the California Attorney General publishing, on October 10, draft regulations interpreting the law.
The draft regulations, which are expected to be further revised to account for the recently adopted amendments to the CCPA, provide a detailed framework of obligations of companies subject to the CCPA, most notably in the below areas:
- Notices to Consumers
• The draft regulations clarify the content requirements and format of notices to consumers regarding a business's collection and use of personal information.
• At the time of collection, businesses must provide a notice informing consumers of the categories of personal information to be collected and, for each, the purpose(s) for which the personal information will be used.
• Privacy policies must include specific details set forth in the draft regulations, including the consumers' various rights under the CCPA, details of the business’s collection of personal information, the purpose for such collection, and the categories of third parties with whom the business may share, sell or disclose such information.
• Notices and privacy policies must be written and presented in an easy-to-read, understandable and ADA-accessible format.
- Responding to Consumer Requests
• The draft regulations provide extensive standardized procedures for handling consumer requests, including requirements on methods of submitting requests, confirmation of receipt of requests, response formats and time frames, and minimum response content, depending on the nature of the request.
- Identity Verification for Requests
• Businesses must implement procedures for verifying the identity of consumers making requests.
• For businesses with consumer accounts, the existing authentication procedures are generally acceptable.
• For businesses that must verify requests from those who do not hold accounts, the regulations provide a framework for verification.
- Rules Regarding Minors
• For minors under the age of 13, businesses must obtain parental consent for opting in to the sale of personal information. The draft regulation establishes rules and methods for obtaining parental consent for minors under the age of 13, consistent with the Children's Online Privacy Protection Act.
• For minors ages 13 to 16, businesses must provide a process for such minors to opt in to the sale of their personal information.
These draft regulations are open for public comment until December 6. Final rules are expected no later than July 2020. While the CCPA remains an evolving law, the draft regulations provide some preliminary guidance for companies to at least begin implementing policies and procedures for compliance preparation. Day Pitney will continue to monitor and track the CCPA to help clients understand and comply with the regulations as they take final form.
As we await final regulations, we continue to encourage for-profit businesses that collect, buy, rent, receive, obtain, or otherwise gather or access any personal information of California residents, whether actively or passively, including by just observing individuals' behavior, to consider whether the CCPA will apply. We recommend that our clients contact us long before the January 1, 2020, implementation date to make sure they are prepared to meet their legal obligations.
 The exemption for employees will automatically sunset on January 1, 2021, by which date it is expected that the California Legislature will introduce a separate bill specifically addressing companies' obligations with respect to the personal information of California-resident employees.