California Consumer Privacy Act Update: Attorney General Finalizes Regulations and Provides Interpretive Guidance
Client Alert | June 12, 2020
The Office of the California Attorney General (“OAG”) announced on June 1, 2020, that it submitted the final proposed regulations for the California Consumer Privacy Act (“CCPA”), and related documents, to the California Office of Administrative Law. The final text of the proposed regulations remains substantively unchanged from the March 11, 2020 version published by the OAG (please see our prior alerts regarding the substance of the previous versions here, here, and here). However, the package of documents submitted to the Office of Administrative Law contained a significant amount of information, including the final draft of the regulations,[1] a final statement of reasons supporting the changes from the original proposed draft of regulations promulgated on October 11, 2019,[2] the comments received by the OAG, the OAG’s responses to those comments,[3] and a historical log of the prior versions, notices, transcripts from public hearings, preliminary activities, and supporting documents. These documents are available on the Attorney General’s CCPA website: https://oag.ca.gov/privacy/ccpa.
Due to Executive Order N-40-20 related to the COVID-19 pandemic, the Office of Administrative Law has 30 working days and an additional 60 calendar days to approve the regulations, or until September 14, 2020, at which time the final regulations will be filed and become enforceable. However, the OAG included in its CCPA package to the Office of Administrative Law a request for expedited review, stating that “[w]hile the Attorney General is mindful of the challenges imposed by COVID-19 and Governor Newsom’s Executive Order N-40-20 granting additional time to finalize proposed regulations, the Attorney General respectfully requests that the Office of Administrative Law complete its review within 30 business days, given the statutory mandate for regulations [by July 1, 2020].” If the Office of Administrative Law takes the full time permitted by Executive Order N-40-20 to review the proposed regulations, the enforcement deadline for the regulations would be September 14, 2020. The Attorney General would still be permitted to enforce the statutory text of the CCPA, by its own provisions, starting July 1, 2020, but would not be permitted to enforce the regulations until they are approved. While it is possible the OAG will choose to wait until the regulations are in place, businesses should plan for CCPA enforcement to begin as stated in the statute—on July 1, 2020.
While much of the information in the package is not new, the Final Statement of Reasons (“FSOR”) provides justifications for the changes made to the original proposed regulations (the original proposed regulations were supported by the Initial Statement of Reasons, which is incorporated by reference into the FSOR). In addition, the OAG’s responses to all comments that were submitted (FSOR Appendices A, C, and E) provide valuable insight through text clarifications, and reasons for accepting or rejecting certain comments. The responses also postpone resolution of a few issues, stating that the OAG needed to prioritize those issues that were required for operationalizing the CCPA, and need to consider others further.[4] These documents are available on the OAG’s website, and total over 500 pages.
Below, we highlight a few notable points from each. If you are interested in hearing more about the most notable comments, and their application to your particular concerns, we are happy to share more complete information and discuss with you upon request.
Final Statement of Reasons
- Definitions. The OAG clarified that it revised the initial proposed definition of and sections relating to “price or service difference” as it related to financial incentives to confirm that differences in price or quality of the goods or services offered to the consumer must implicate consumers’ rights under the CCPA (i.e., are “related to the collection, retention, or sale of personal information”) to be of concern. Separately, with respect to questions about whether an entity “does business in California,” the OAG declined to issue any regulation, stating that “[i]n the absence of a specific definition [it] should be given meaning according to the plain language of the words and other California law.” As a result, businesses can consider whether they are “doing business” under California tax law, for example (see, e.g., https://www.ftb.ca.gov/file/business/doing-business-in-california.html, describing relevant thresholds of California sales, property or payroll pursuant to tax law). Of course, even if an entity does business in California, it must also meet the other threshold requirements to be subject to CCPA, including being a for-profit entity meeting certain size requirements.
- Notice at collection of personal information. The OAG imposes important additional notice requirements and explains that the notice at collection “shall be made readily available where consumers will encounter it at or before the point of collection of any personal information” (emphasis added). This change is considered necessary to “encompass a variety of contexts . . . such as notices delivered online regarding online collection or orally when information is collected by telephone, and physical proximity, such as notices delivered by signage in retail environments.” For example, the OAG specifies that a business collecting information offline should have flexibility regarding the manner in which businesses point to an online notice (e.g., the change to the regulations “responds to comments noting that the prior language was overly prescriptive and that the OAG should allow for a QR code or other ways to direct the consumer to the text of the notice”). In addition, the OAG confirms that for a business that does not collect personal information directly from a consumer, the OAG considered and rejected requiring such businesses to “post[] . . . an online privacy policy.” On the other hand, the OAG confirms that the regulations impose certain specific additional requirements for the notice, including that if any changes are made to the business’s practices that are materially different than what was disclosed previously, the regulations “require explicit consent [to] put the consumer in the same position they would have been had the material change been disclosed during the consumer’s first engagement with the business.” The OAG explains that “[s]imply updating an online privacy policy or providing notice without explicit consent” would be insufficient, but “[b]usinesses have discretion to determine the manner in which to notify the consumer and obtain consent within the framework of the CCPA and the regulations.” Additionally, a “just-in-time” notice is required for personal information collected from a mobile device that a consumer “would not reasonably expect.” The OAG justifies these additional requirements as consistent with the purpose of the CCPA to provide sufficient transparency, and that it is “[i]nherent in [its] authority . . . to adopt regulations that fill in details not specifically addressed by the CCPA, but fall within the scope of the CCPA.”
- Responding to requests to know and requests to delete. The OAG explained that it added Section 999.313(c)(3) (alleviating a business’s obligation to search for personal information under certain conditions) in order to decrease a business’s “burden or inability to search unstructured data for a consumer’s personal information” in response to a request to know, provided that the consumer is informed of the categories of records that may contain personal information that it did not search because it meets certain conditions. The OAG believes this balances the stakeholders’ interests, as it provides a consumer information that the “business may have other personal information about them but assures them that this information is only maintained by the business in an unsearchable or inaccessible format, solely for legal or compliance purposes, and is not being used for the business’s commercial benefit.” With respect to requests to delete, the OAG noted that it considered and rejected not requiring businesses to inform consumers whose requests to delete were denied of their right to opt-out of the sale of personal information, because doing so allows consumers to control the proliferation of their personal information in the marketplace. Additionally, the OAG explained that this regulation in fact lessens the burden on businesses because otherwise it might require businesses to treat these denials as requests to opt-out.
- Service providers. The OAG explains that the modifications to the regulations pertaining to service providers were designed to facilitate the engagement of service providers, on the one hand, and prevent businesses from using service providers to shirk their obligations under the CCPA to consumers, on the other. For instance, the OAG modified the definition of “service provider” under the regulations to clarify that businesses that are engaged as service providers for non-profits or public entities, which are not “businesses” under the CCPA and thus not subject to the related obligations, are still service providers. The OAG explained that non-profits and public entities might not otherwise employ service providers for fear of incurring unnecessary and burdensome costs related to CCPA compliance. Similarly, the OAG clarified that businesses that collect personal information directly from consumers (or about consumers) or that render services to a third party at the direction of another “second” business are still service providers, allowing businesses to be engaged as service providers for the initial collection of personal information without being considered “businesses” under the CCPA. On the other hand, certain modifications were designed to prevent businesses from evading their obligations under the CCPA by engaging service providers. For instance, the OAG modified the regulations to clarify that a service provider’s failure to provide services required by the CCPA pursuant to a written contract will constitute a violation of the CCPA that is enforceable by the OAG and not simply a breach of contract. The OAG noted that this modification was necessary to ensure that service providers comply with the restrictions set forth in their service-provider contracts even if the business does not enforce those restrictions. Lastly, the OAG specified that service providers must comply with requests to opt-out of the sale of personal information in order to prevent businesses from engaging service providers to avoid having to comply with such requests.
- Requests to opt-out. The OAG’s modifications to the regulations pertaining to the requests to opt-out require that businesses provide consumers with “easy” mechanisms that “require minimal steps” to opt-out of the sale of their personal information and treat user-enabled global privacy controls as valid requests to opt-out. In the first instance, the OAG explained that the modification was necessary to avoid the possibility that some businesses may create confusing or complex mechanisms for consumers to exercise their rights under the CCPA. In the second, the OAG explained that the modification is “forward-looking” and counterbalances the ease with which businesses collect personal information. Requiring businesses to treat user-enabled global privacy controls as valid requests to opt-out is forward-looking because it encourages the “development of technological solutions to facilitate and govern the submission of requests to opt-out.” Furthermore, the OAG explained that its experience as the enforcer of the California Online Privacy Protection Act (“CalOPPA”), whereby businesses must state how they treat “do-not-track” signals, discouraged it from making this provision discretionary. The majority of businesses, the OAG explained, disclose that they do not respond to “do-not-track” signals because compliance with such signals is discretionary. Moreover, the alternative methods for opting-out that were proposed, such as using a business’s designated methods for submitting requests to know or delete, were insufficient on a global scale and did not adequately “counterbalance the ease and frequency by which personal information is collected and sold in online contexts, such as when a consumer visits a website.”
Responses to Comments Submitted
- No extensions of enforcement. The OAG rebuffed repeated requests to delay CCPA enforcement and the rollout of the finalized regulations, particularly those that insisted that businesses must focus on the COVID-19 pandemic and might face special burdens with much of their workforce on “work from home.” The OAG explained that “[t]he proposed rules were released on October 11, 2019, with modifications made public on February 10, 2020 and March 11, 2020. Thus, businesses have been aware that these [related] requirements could be imposed as part of the OAG’s regulations.” However, the OAG also indicated that it would exercise “prosecutorial discretion if warranted, depending on the particular facts at issue. Prosecutorial discretion permits the OAG to choose which entities to prosecute, whether to prosecute, and when to prosecute.” This suggests that the OAG will take a more flexible tack toward enforcement, even if it will not budge on when the law will come into effect. Specifically as to COVID-19, the OAG also argued that “any delays in implementation of the regulation will have a detrimental effect on consumer privacy as more and more Californians are using online resources to shop, work, and go to school.”
- CCPA compliance is fact-specific and contextual. In response to many comments regarding applicability of the CCPA and whether certain scenarios are compliant, the OAG noted that there was no clear answer, and that a “fact-specific and contextual determination” in consultation “with an attorney who is aware of all pertinent facts and relevant compliance concerns” is required. While such answers were presumably not particularly satisfying for many commenters, the consistent reaction provides room for interpretation on various issues, and supports a no-one-size-fits-all, principled, risk-based approach by businesses.
- IP addresses and other information not necessarily maintained as “personal information.” In explaining the deletion of former Section 999.302, which had elaborated on the definition of “personal information” and created a safe harbor as to IP addresses not linked to particular consumers, the AG’s office indicated that “[t]he OAG [] deleted this provision to prioritize the implementation of regulations that operationalize and assist in the immediate implementation of the law.” However, the OAG also noted that “[f]urther analysis is required on this issue.” This suggests that similar guidance might ultimately return in some form. In the meantime, the OAG again stated that “[w]hether information is ‘personal information’” is a “fact-specific and contextual determination,” requiring consultation “with an attorney who is aware of all pertinent facts and relevant compliance concerns.” While the OAG stated that “personal information” is defined broadly, and IP addresses are included in the definition, the CCPA also has provisions that “do not require a business to collect, retain, or otherwise reidentify or link information if the information is maintained in a manner that would not be considered personal information. See Civ. Code §§ 1798.100(e), 1798.110(d), 1798.145(k).”
- Definition of “sale” is still open for interpretation. In response to specific questions regarding the definition of “sale,” and whether it includes or excludes, for example, “real-time bidding in online advertising” and “the passing of information for targeted advertising”—an issue that has been widely debated—the OAG did not provide a clear response. Instead, the OAG stated that whether these particular situations constitute a sale requires a fact-specific determination, “including whether or not the parties involved are third parties or service providers.” Further, in discussing service providers’ ability to use information internally, and in the advertising context, the OAG stated that “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website. See Civ. Code § 1798.140(d)(5). Prohibiting a service provider from placing such ads is [] unnecessary because the CCPA would not prohibit the business’s own marketing department from placing the same ads itself.”
- Businesses should consider multiple notices. Although clear from the text that various disclosures are required, the OAG’s comments suggest that businesses should consider displaying additional notices where necessary (again, “ultimately a fact-specific determination”)—though having an omnibus privacy policy may be sufficient in certain circumstances. For instance, the OAG responded to many comments that “consumers [must] be given a notice at collection, notice of right to opt-out, and notice of financial incentive. These requirements are separate and apart from the CCPA’s requirements for the disclosures in a privacy policy.” While the OAG confirms that businesses do have the discretion to “have all the information contained in the different notices in one place through the privacy policy,” businesses must still “comply[] with its statutory requirements to separately provide” the other three notices. For example, the notice at collection can point to the appropriate section of the more detailed privacy policy, as could a notice of financial incentive point to the section of the policy related to the financial incentive when a consumer signs up for a loyalty program. Businesses should thus make a “fact-specific determination” as to whether separate just-in-time notices, specific references to the privacy policy, or other notifications are required to satisfy CCPA and regulation requirements.
- Notice need not be provided to consumers if personal information is not directly collected from them. The OAG clarified that a business does not need to provide a notice at collection to a consumer if it does not collect personal information directly from them and does not sell that consumer’s personal information. In particular, the OAG specified that this exemption applies to situations where personal information is included in user-generated content, a consumer uploads another consumer’s personal information, and employees provide information about their family members.
- CCPA retroactivity clarified. The OAG responded to comments relating to whether certain provisions are retroactive, giving some insight into what was required as of January 1, 2020. For example, the OAG clarified that the notice at collection does not need to contain information regarding personal information obtained prior to the CCPA’s January 1, 2020 effective date (if it will not be collected going forward), and that disclosures in response to a request to know do need to include the preceding 12 months, regardless of whether that means disclosing personal information that was collected prior to the effective date. Most importantly, the OAG confirmed that it “cannot bring enforcement actions based on conduct occurring before the effective date of the CCPA.” This last comment should provide some comfort to businesses concerned about security incidents that occurred prior to the enforcement date.
- Cookie banner not necessary. Some comments exhibited a concern that the notice at collection requirement imposed an obligation to have a pop-up or “European-style cookie banner” for cookie data collection. The OAG responded that “[t]he provision does not require a cookie banner, but rather leaves it to businesses to determine the formats that will best achieve the result in particular environments,” and that “businesses have discretion to determine how to provide notice in compliance with § 999.305, which requires that the notice be readily available where consumers will encounter it at or before the point of collection.”
- Imposition of burden on businesses has been carefully weighed. When confronted with the argument that a particular provision would impose undue burdens on businesses, the OAG repeatedly asserted that “[a]ny potential competitive harm is speculative, and in any case, the potential for harm is further mitigated because all similarly situated competitors in California will be bound by the same disclosure requirements.” This approach suggests a willingness to impose costs as long as they are broadly shared.
- Financial incentives and loyalty programs require calculating the value of the consumer’s data. Many comments opposed the regulation requiring businesses to calculate the value of consumer data when offering a financial incentive. These critics stated that it is burdensome, unclear, and would not provide critical insight to consumers. The OAG doubled down on the requirement, stating that the regulations only require a good-faith estimate of the value, and such an estimate is necessary for providing consumers with the material terms of any financial incentive program, as required by the CCPA. Moreover, the OAG noted that “the disclosed value of a consumer’s data to a business could . . . be relevant to enforcement of the CCPA . . . because any financial incentive or price or service difference must be reasonably related to the value of the consumer’s data.” As a result, businesses offering any financial incentive, or price or service difference, in light of collection, retention, or sale of data (e.g., collection of email in exchange for coupons, loyalty programs) should consider the requisite notice and calculation of the value of consumers’ data.
- Intellectual property rights may not be a valid reason not to provide information in a request to know. Several comments urged the OAG to promulgate a regulation allowing businesses to deny a request to know on the basis of preserving their intellectual property rights, such as a business’s trade secrets. In response, the OAG stated that while it has the authority to enact such an exception, “the comment[s] do[] not show that [it] is necessary to comply with state or federal law,” that “consumer personal information is itself a protected form of intellectual property,” or that “a consumer’s personal information collected by the business could be subject to the business’s copyright, trademark, or patent rights.” In addition, it states that there has not been a showing of harm in disclosing that information to the consumer directly. The OAG concludes that “any potential competitive harm is speculative,” that “potential for harm is further mitigated because all similarly situated competitors in California will be bound by the same disclosure requirement,” and that “a blanket exemption from disclosure for any information a business deems could be a trade secret or another form of intellectual property would be overbroad and defeat the Legislature’s purpose of providing consumers with the right to know information businesses collect from them.”
* * *
We stand ready and available to guide companies through the issues raised in the regulations and statute, and any inquiries or concerns left unanswered. Please do not hesitate to contact anyone in the list below with your questions.
__________________________
[1] The Office of the Attorney General, Final Text of Proposed Regulations (June 1, 2020), available at: https://oag.ca.gov/privacy/ccpa.
[2] The Office of the Attorney General, Final Statement of Reasons (June 1, 2020), available at https://oag.ca.gov/privacy/ccpa.
[3] The Office of the Attorney General, Appendix A. Summary and Response to Comments Submitted during 45-Day Period (June 1, 2020), available at https://oag.ca.gov/privacy/ccpa; The Office of the Attorney General, Appendix C. Summary and Response to Comments Submitted during 1st 15-Day Period (June 1, 2020), available at https://oag.ca.gov/privacy/ccpa; The Office of the Attorney General, Appendix E. Summary and Response to Comments Submitted during 2nd 15-Day Period (June 1, 2020), available at https://oag.ca.gov/privacy/ccpa.
[4] Indeed, the comments frequently provided responses that deferred making any decisions, referred businesses to an attorney, determined comments were beyond the scope of the regulations, or stated that comments were not more likely to result in effectuating the CCPA’s purpose. For example, the following phrases occurred dozens of times in the responses: “The comment raises specific legal questions that may require a fact-specific determination. The commenter should consult with an attorney who is aware of all pertinent facts and relevant compliance concerns. The regulations provide general guidance for CCPA compliance;” “To meet the July 1, 2020 deadline set forth by the CCPA, the OAG has prioritized the drafting of regulations that operationalize and assist in the immediate implementation of the law. Further analysis is required to determine whether a regulation is necessary on this issue.”
The following Gibson Dunn lawyers assisted in the preparation of this client update: Alexander Southwell, Mark Lyon, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Daniel Rauch, Lisa Zivkovic and Tony Bedel.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s California Consumer Privacy Act Task Force or its Privacy, Cybersecurity and Consumer Protection practice group:
California Consumer Privacy Act Task Force:
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Please also feel free to contact any member of the Privacy, Cybersecurity and Consumer Protection practice group:
United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.