The California Consumer Privacy Act of 2018 (“CCPA”), passed last summer to avoid a controversial privacy ballot initiative, creates new compliance obligations and operational challenges for companies doing business in California. Effective January 1, 2020, businesses must comply with key requirements:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request their data be deleted;
- Consumers have a right to opt out of the sale or sharing of their personal information; and
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
The CCPA is considered the most stringent privacy law in the country. The California state legislature already has amended the CCPA once since its passage and further changes through amendment or the regulatory process are possible.
The California Attorney General’s Office is set to draft implementing regulations for the new law on or before July 1, 2020. As a part of that process, the California Department of Justice is holding public forums on the following issues related to the CCPA’s implementation:
- Clarifying key definitions, including updates to the CCPA’s categories of personal information and definition of unique identifiers;
- Exceptions necessary to comply with state or federal law;
- Rules and procedures to facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information and compliance with a consumer’s opt-out request;
- Rules and procedures for the development and use of a recognizable and uniform opt-out logo or button for businesses to use to promote consumer awareness of the ability to opt out of the sale of personal information;
- Adjusting the monetary threshold for businesses to be covered by the CCPA;
- Consumer accessibility to notices, including the establishment of rules, procedures and any exception necessary to ensure that notices are provided in a manner easily understood by the average consumer, are accessible to consumers with disabilities and are available in the language primarily used to interact with consumers, including establishing rules and guidelines regarding financial incentive offerings.
At the public forums held so far, participants have addressed enforcement issues, seeking an affirmative defense for businesses that experience a data breach and that have a compliance program consistent with requirements set forth in the European Union’s General Data Protection Regulation. Other participants have requested that the California Attorney General clarify the non-discrimination provision in the CCPA, including how the provision applies to specific industries, such as hospitality or financial services loyalty programs.
Upcoming Public Forums
The California Department of Justice will hold five more public forums in January, February and March. Information regarding the time and location for each of the upcoming forums can be found on the California Attorney General’s website, and anyone who would like to speak can register here.
The remaining forums will be held on the following dates and at the following locations:
- Los Angeles, Friday, January 25, 2019
- Sacramento, Tuesday, February 5, 2019
- Fresno, Wednesday, February 13, 2019
- Stanford, Tuesday, March 5, 2019
Interested parties may also submit written comments to [email protected] or by mail at California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.
Once the California Attorney General has drafted and promulgated the implementing regulations, the California Department of Justice will likely hold another round of public hearings and permit further opportunity for public comment.