Client Alert: The California Consumer Privacy Act: Post-Amendment & Draft Implementing Regulations
- Determine if your company’s operations in California subject you to the CCPA.
- If they do, begin taking steps to comply now.
- If you have already started your compliance plan, consider whether any updates are necessary to address new guidance.
What Is The CCPA?
As you may already know, the California Consumer Privacy Act (“CCPA”), going into effect January 1, 2020, represents the most comprehensive privacy legislation enacted in the United States to date. The CCPA regulates the collection, disclosure, and sale of personal information of California residents, and very broadly interprets “sale” to include transfer or disclosure of personal information to third parties (including related entities) for monetary or other valuable consideration.
The CCPA will apply to many for-profit entities that do business in California. Among other things, businesses subject to the CCPA will need to enact measures to comply with newly-created rights for California residents to be informed about the collection, use, and sale of their personal information and to opt-out of sales of their personal information.
The CCPA Is In Flux
Although the CCPA goes into effect in just a few months, the law and its interpretation continue to change. Just in October, the California Governor signed five CCPA amendments into law. These amendments substantively changed the scope of the CCPA, including by temporarily excluding categories of data from limited CCPA requirements, altering the definition of personal information, and changing the required methods of communication with California consumers seeking to exercise their CCPA rights.
The CCPA also requires the California Attorney General, who will be enforcing the CCPA, to issue implementing regulations governing certain aspects of the law, including including the requirements for consumer notices and the methods of receiving and responding to consumer requests. The first draft of those regulations was issued early October, and as proposed they will require subject businesses to change the content of their privacy policies and to enact specific verification procedures for consumer requests, which vary depending on the type of information requested. To make compliance more difficult, the regulations are subject to public comment and will not be finalized until the Spring of 2020 – after the CCPA is in effect.
We Can Help You
We are up-to-date on the latest CCPA news, and have prepared materials to help your business understand and comply with the CCPA’s requirements. Our Cybersecurity, Privacy & Technology Group Chair Karyn Doerfler and associate Abigail Hoverman lead our efforts in this area. Please contact us if you think you may be affected by the CCPA, and if you would like assistance in evaluating the steps your organization should be taking with respect to compliance.
This Client Alert is for general information purposes, and is not intended to be and should not be taken as legal advice.