CCPA Regulations Are Final, the Employment/B2B Exemption is Extended, and the Saga Continues
On August 14th, the California Office of Administrative Law approved the final regulations implementing the California Consumer Protection Act (CCPA) which were submitted by the California Attorney General (AG) on June 1st. This approval made the implementing regulations immediately effective, ending the weird legal limbo that started when the CCPA became enforceable on July 1, 2020, but credit unions still did not have details on how to comply with many of its requirements.
The process of finalizing implementing regulations has been lengthy with multiple revisions. The final version is cleaner than previous iterations. Below is a summary of the regulation and some updates on the saga of California privacy law.
What Is In the Final Reg
The regulations are found in sections 999.300 through 999.337 in Title 11, Chapter 20 of California’s Code of Regulations. The regulation contains six articles.
Definitions and scope are in Article 1, however nothing in these provisions addresses the scope of covered entities or consumers. Credit unions still must consult the CCPA statute to determine whether they are covered.
The notice requirements of the CCPA were confusing and vague and directed the California AG to issue implementing regulations. Article 2 contains these requirements for notices, providing details on the notices' content and provision of the notice at collection, notice of right to opt-out of sale, and others. Section 999.308 contains the requirements for a privacy policy under the CCPA.
Similarly, the CCPA did not contain much detail regarding consumer requests for deletion or information, leaving it to the AG to fill in the specifics. Article 3 contains specific business practices for handling these requests. Section 999.312 contains requirements for establishing channels for receiving these requests, the ability to require a confirmation, and responding to defective requests. Section 999.313 details timeframes, confirmation, verification, and content requirements for responding to requests. The requirements for establishing channels, using browser and device settings, timeframes, and other details on responding to opt-out requests are in section 999.315. Article 3 also contains details on training, record keeping, and service providers.
Article 4 provides details on verifying the identity of a consumer making a request. Specifically, it allows a credit union to establish a reasonable method for verifying the requestors identity as long as it involves matching provided information with information already on hand and limits the collection of additional information in some specific ways.
Article 5 contains specific rules for minors under the age of 16 and Article 6 contains nondiscrimination provisions, including provisions that address offering a financial incentive based on the value of data provided by the consumer.
What Is Not In the Final Reg
Four provisions were withdrawn by the California AG and did not make it into the final regulation. This includes a prohibition against using a consumer’s personal information for a “materially different purpose” than what was disclosed without their explicit consent and a requirement to provide the notice of right to opt-out through an offline method. The California AG did not provide any detail on the removal of these requirements; its Final Statement of Reasons merely indicated that they were being removed for “additional consideration.”
CB2B and Employee Exemption Extended into 2021 and What’s Next in California
Prior to going into recess on Monday, the California legislature passed AB 1281 extending the CCPA exemption for employment and business-to-business information by another year. There are other amendments to the CCPA pending in the California state legislature. Of note, AB 1416 adds exceptions for business use in connection with legal rights and obligations, among others. The legislature will not reconvene until January 4, 2021.
Meanwhile, in June, the California Privacy Rights Act (CPRA) received enough signatures to be added as a ballot referendum for California voters to consider in November. The CPRA was proposed by Californians for Consumer Privacy and has been referred to as “CCPA 2.0” by many. The CPRA would create a California Privacy Protection Agency, expand the existing breach liability, and incorporate many additional rights and limitations found in the European Union’s General Data Protection Regulation. These would include requiring risk assessments on “high-risk” processing, specifically addressing limitations on the use and sharing of sensitive data, restricting automated decision-making and profiling, creating a right to data correction, minimizing the collection of data, and establishing new obligations for service providers and third parties.
Reportedly, the passage of the CPRA by California voters is likely, but we will not know until this November. Stay tuned.