Morris Manning & Martin, LLP

The Countdown to CCPA Enforcement: Is Your Business Prepared?


On June 1, 2020, California’s Attorney General Xavier Becerra submitted the final version of the California Consumer Privacy Act (CCPA or the Act) Regulations to the state’s Office of Administrative Law (OAL) for approval and requested an expedited review to meet the Act’s enforcement date. The OAL has 30 days, plus an additional 60 days, to determine if the regulations satisfy the procedural requirements of the Administrative Procedure Act. Once approved, the regulations will be filed with the Secretary of State and become enforceable by law. With the final regulations sent to the OAL a month prior to the official enforcement date of the CCPA, companies should finalize their CCPA compliance efforts prior to July 1, 2020.

Although the final regulations do not include substantive changes from the text of the proposed modifications issued in March of this year, the regulations still leave open questions for covered businesses, such as what constitutes a “sale” under the CCPA and how to design the “Do Not Sell My Information” button for the business website. Despite the ambiguities that remain in the regulations and a push for enforcement to begin in 2021, Attorney General Becerra has indicated that enforcement will begin on July 1, 2020.  

As the enforcement date nears, covered businesses should consider the following steps, in addition to consulting with legal counsel, to address the CCPA requirements.

Website Home Page
The privacy policy may serve as a first defense if the business is subjected to scrutiny by the Attorney General’s Office. The privacy policy must be prominently displayed on the company’s home page; must include the categories of personal information to be collected as defined by the CCPA, the business purpose for the information collected, and a list of California consumer rights; and must address the company’s data collection practices. A company’s mobile application must also provide a just-in-time notice by providing a link to the company’s privacy policy. Further, if the company sells personal information, then it must provide a “Do Not Sell My Personal Information” link on its website. [1]

Employment-Related Notice
Companies must provide a just-in-time notice when they collect employment-related information from employees, applicants, and contractors. As companies implement additional safeguards for COVID-19, they should ensure that their notices address any additional information collected.

Consumer Rights Request
Companies must provide two methods for consumers to submit consumer rights requests. Upon receipt of a request, a company must confirm receipt within 10 business days and comply with the request within 45 calendar days. Companies must have a reasonable degree of certainty when responding to a right-to-know request and a reasonably high degree of certainty when responding to a request to delete.

Companies that sell personal information of minors under the age of 13 must obtain affirmative authorization from parents. If the consumer is between the ages of 13 and 16, companies must obtain consent through a two-step process whereby the consumer shall clearly request to opt in and then separately confirm their choice to opt in.

Service Provider Agreements
The final regulations provide guidance on service providers’ practices under the CCPA. Companies should amend agreements with service providers to specify how service providers may use company personal information and to further comply with the CCPA.

Data Mapping
Tracking the flow of personal information through data mapping is important to determine a company’s data collection process. Further, if the Attorney General clarifies what constitutes a sale under the CCPA, data mapping will permit a company to easily make the determination.

Loyalty Programs and Nondiscrimination
Companies that provide a loyalty or rewards program must ensure that they do not run afoul of the Act’s nondiscrimination provisions. The final regulations provide guidance and examples on how companies can provide a financial incentive or service without discriminating against those consumers who exercise their rights under the CCPA. Further, if a company offers an incentive to a consumer, the company must show that the financial incentive is reasonably related to the value of the consumer’s data.

Training Policies
The CCPA requires companies to train the individuals responsible for handling consumer inquiries on how to respond to consumer rights requests.

Update Data Retention Policies
Companies should update their data retention policies to ensure that all records of consumer requests and of the company’s response are maintained for at least 24 months.

Maintain Appropriate Security Measures
Companies must maintain reasonable security procedures and practices. A security vulnerability could result in a security breach, and the CCPA allows for private rights of action due to security breaches.

For assistance with the CCPA or other cybersecurity policies, please reach out to Bess Hinson.

[1] See 11 Cal. Code Regs. § 999.306(b)(1).