On August 14, 2020, California Attorney General Xavier Becerra (AG) issued the final set of regulations regarding the California Consumer Privacy Act (CCPA).1 On August 31, 2020, a bill was also passed to extend partial CCPA exemptions for business-to-business and personnel (i.e., job applicants, employees, directors, officers, owners, medical staff members, contractors) records from the end of 2020 to the end of 2021.
The CCPA is considered by many to be the most stringent state privacy law in the country. The law, which applies to businesses located in and outside of California, went into effect on January 1, 2020, and enforcement began on July 1, 2020, when the CCPA originally required promulgation of AG regulations. The much-anticipated regulations provide guidance on how the AG intends to interpret and enforce the CCPA. Violations of the regulations are deemed violations of the CCPA and can result in regulatory penalties as articulated in Section 1798.155(a) of the CCPA.2
Businesses can face a regulatory fine of up to $2,500 per violation or $7,500 for each “intentional” violation of the regulations, in addition to potential liability in civil actions.3 Accordingly, understanding the AG’s approach to enforcement is an important consideration when developing a compliance program. When developing or refining a CCPA compliance program, businesses should consult not only the CCPA, but also the regulations, which may impose distinct and additional requirements.
In some instances, the regulations view CCPA requirements generally as a ceiling rather than a floor. This is no more evident than in the changes that were made to an earlier draft of the regulations, which required businesses to obtain “explicit consent” to use a consumer’s personal information for a purpose that is materially different from that disclosed at collection. This would have expanded the CCPA, which only requires businesses to provide the consumer with prior notice for any “additional purpose” of their personal information.4 Moreover, the AG deleted the “Do Not Sell My Info” title option for the opt-out link, meaning that a business’s link can only read, “Do Not Sell My Personal Information.”5 This change appears to have been made to be consistent with the text of Section 1798.135(a) of the CCPA, which requires businesses to provide “a clear and conspicuous” link titled, “Do Not Sell My Personal Information.”
The regulations6 further provide, among other things, the following clarifications of CCPA provisions:
The CCPA broadly protects California “consumer” data, including business contact information and employee or job applicant information. A temporary reprieve from some CCPA requirements is in effect for certain business-to-business and personnel records through 2020. On August 31, 2020, the California Legislature passed Assembly Bill 1281 that extends that exemption to the end of 2021.9 Accordingly, personal information contained in business communications or reflecting transactions between businesses (i.e., personal information of business representatives obtained in the course of completing sales, providing or receiving products or services, conducting due diligence, entering into contracts or providing support to an entity) is exempt from certain CCPA requirements, such as requests for access or deletion of data, as well as information-sharing disclosures. Note that the exemption does not extend to the use of personal information for marketing communications, such as cold calling or deploying robocalls. There is also no exemption for “Do Not Sell” obligations.
Similarly, personal information collected from employees and job applicants (including emergency contact information) is temporarily excluded from the scope of the CCPA, so long as the information is collected and used only for employment or job application purposes. Personal information collected and used in connection with applications for or receiving benefits is also excluded. In other words, businesses need not comply with requests for access or deletion of data, nor information-sharing disclosures. Notwithstanding these exemptions, however, businesses must still provide the required notices at or before the collection of personal information, and impacted individuals retain their right to sue in the event of a data breach.
Based on the foregoing, it is important for businesses to review their privacy policies and business practices to ensure compliance with not only the CCPA, but the regulations as well. Such review should be done in consultation with knowledgeable legal counsel in relevant business areas.
Additional Assistance
For more information on this topic, please contact a member of the Data Security & Privacy Practice Team or the Phillips Lytle attorney with whom you have a relationship.