12 minute read | February.13.2020
The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Special Alert) and amended several times—became effective Jan. 1.
A summary of key modifications to the proposed regulations follows:
Required Notices. The modifications stipulate when businesses are required to provide privacy policies, notices at collection, and opt-out notices, as well as notices of financial incentives. The modifications further provide the following guidance with respect to the various notices:
Privacy Policy. The modifications streamlined the privacy policy requirements to remove some of the duplicative disclosure requirements related to the sale and disclosure of personal information. Specifically, the modifications state that a privacy policy’s “right to know” section should meaningfully disclose, among other things:
“Right to Know” Exceptions: The modifications struck the exception prohibiting a business from providing specific pieces of personal information “if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” Now a business will not need to search for personal information in response to a request if the business (i) does not maintain the personal information in a searchable or reasonably accessible format; (ii) maintains it only for legal and compliance purposes; (iii) does not sell the information or use it for any commercial purpose; and (iv) describes in its response to the consumer the categories of records that it did not search but which may contain the information. The modifications further state that a business may deny a consumer’s verified request for specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.
According to a press release issued by the AG, the proposed modifications are subject to another public comment period ending Feb. 25, and no enforcement actions under the CCPA will be issued before July 1.
If you have any questions regarding the CCPA or other related issues, please visit our Cyber, Privacy & Data Innovation practice page or contact an Orrick attorney with whom you have worked in the past.