Ad Law Access
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access
Updates on advertising law and privacy law trends, issues, and developments
Wed, 03 Jul 2024 02:25:40 -0400

No Delay? What To Expect on CCPA Enforcement Timing
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/no-delay-what-to-expect-on-ccpa-enforcement-timing
Thu, 09 Apr 2020 10:31:43 -0400

The CCPA grants the California Attorney General (AG) the authority to enforce the CCPA starting on July 1, 2020. Last month, the AG confirmed no intention to delay that enforcement date due to the COVID-19 pandemic, despite mounting industry pressure.

Even if enforcement begins July 1st, companies must contend with another glaring obstacle: the AG has not yet issued final regulations. The AG has a narrow window to complete its final regulations, leaving companies with less than three months advance notice to implement highly technical final regulations. If the AG fails to meet its statutory deadlines, the AG’s enforcement of the CCPA would begin before final regulations are issued.

In March, the AG released a third draft of CCPA regulations, with comments due on March 27th. Now, the AG can either issue another round of proposed regulations or finalize the regulations. The third draft had far fewer changes than previous drafts, indicating the AG may be ready to finalize the regulations, although the AG has remained largely silent in explaining the reasoning behind any changes to its various drafts.

Once the AG is ready to issue final regulations, the AG will send the regulations to the Office of Administrative Law, which generally has up to 30 working days to review regulations, although an executive order linked to the COVID-19 crisis extends the Office’s deadline by 60 calendar days.

Once reviewed, the Office transmits the final rule to the Secretary of State for adoption. The effective date of the final CCPA regulations depends on the date that the Office files the regulations with the Secretary of State. For example:

  • If filed March 1 – May 31: the effective date is July 1.
  • If filed June 1 – August 31: the effective date is October 1.
  • Another effective date may be possible if the AG demonstrates good cause.

As a result of this timeline, the AG is likely aiming to complete the final regulations in April, to provide the Office with sufficient time to complete the rulemaking process by May 31st and implement the regulations by July 1st. Any delay could push the effective date of new rules to October 1st, well past the statutory enforcement date of July 1.

Given this timeframe, companies seeking to comply with the new CCPA regulations should not wait for final regulations to stand up compliance processes. With enforcement slated to arrive either at the same time as or before the effective date of new regulations, covered businesses should work with privacy counsel to prepare for CCPA as soon as possible.

We will continue to follow new developments that may impact the timeframes for implementation of the CCPA regulations. If you have questions on how the regulations may impact your business, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.

AdTech Groups Seek California AG Clarification on CCPA Scope
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/adtech-groups-seek-california-ag-clarification-on-ccpa-scope
Fri, 08 Feb 2019 11:23:58 -0500

Last week, five advertising and marketing trade associations jointly filed comments with the California Attorney General seeking clarification on provisions within the California Consumer Privacy Act (CCPA).

While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the following three clarifications relating to CCPA provisions that, unless modified, the group believes could reduce consumer choice and privacy:

  • Notice relating to a sale of consumer data: A company’s written assurance of CCPA compliance should satisfy the requirement to provide a consumer with “explicit notice” (under 1798.115(d)) when a company sells a consumer’s personal data that the company did not receive directly from such consumer;
  • Partial opt-out from the sale of consumer data: When responding to a consumer’s request to opt out of the sale of personal data, companies can present consumers with choices on the types of “sales” from which to opt-out, the types of data to be deleted, or whether to opt out completely, rather than simply offering an all or nothing opt-out.
  • No individualized privacy policies: Businesses should not be required to create individualized privacy policies for each consumer to satisfy the requirement that a privacy policy disclose to consumers the specific pieces of personal data the business has collected about them.

The associations signing on to the comments include the Association of National Advertisers, American Advertising Federation, Interactive Advertising Bureau, American Association of Advertising Agencies, and the Network Advertising Initiative. The comments represent an “initial” submission intended to raise the proposals above and, more broadly, highlight to the California AG the importance of the online-ad supported ecosystem and its impact on the economy. The associations plan to submit more detailed comments in the coming weeks.

The comments coincide with a series of public forums that the California AG is hosting to provide interested parties with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.

California Privacy Update: Attorney General Seeks Comments and Announces Public Forum on CCPA
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/california-privacy-update-attorney-general-seeks-comments-and-announces-public-forum-on-ccpa
Fri, 21 Dec 2018 18:28:04 -0500

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA). The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth by the CCPA and the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June of this year, and gives California residents specific privacy rights related to their online activities. Starting January 1, 2020, businesses will be required to comply with a number of provisions including requirements to disclose data collection and sharing practices to consumers, grant consumers a right to request deletion of their data, grant consumers a right to opt out of the sale of their personal information, and a prohibition on selling personal information of consumers under the age of 16 without explicit consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General’s announcement is particularly important because CCPA enforcement will not begin until six months after the promulgation of these regulations, or July 1, 2020, whichever is sooner. These public forums indicate that Attorney General Becerra’s office is taking steps to adopt these rules, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement. These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to have their voices heard. For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.

Comcast to Pay $33.4 Million for the Unauthorized Disclosure of Customer Contact Information
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/comcast-to-pay-33-4-million-for-the-unauthorized-disclosure-of-customer-contact-information
Fri, 18 Sep 2015 14:10:16 -0400

Yesterday, the California Public Utilities Commission announced it had approved a $33.4 million settlement with Comcast, which resolves allegations that, due to vendor switches, the company disclosed and published the contact information – name, address, and telephone number – of almost 75,000 California customers. Although the information published included contact information only, the affected customers had paid Comcast $1.25 or $1.50 per month for non-published phone numbers. The CPUC alleged that Comcast did not honor customers' choice to keep that information private, and was slow to act after receiving complaints about the unauthorized disclosure and publication of customer information.

Under the terms of the agreement, Comcast will pay a $25 million civil penalty and approximately $8.4 million in restitution, including $100 each to the 74,774 affected customers, $432,000 for home security and/or safety-related services for 216 customers with specific safety concerns related to the disclosure, and $517,714 in refunds for non-published fees collected. For injunctive relief, Comcast has agreed to enhance its practices with respect to non-published phone numbers, including by (1) auditing vendors with access to customer directory listing information; (2) implementing detailed processes to handle customer inquiries and complaints; and (3) providing customers with a simplified explanation of the XFINITY Voice non-published feature to resolve concerns that customers do not fully understand the feature’s scope. In addition, the company must provide compliance reports to the CPUC for the next three years.

This settlement serves as another reminder to companies of the costs associated with failing to reasonably ensure that marketing representations, including those about customer privacy, are accurate and supported.

The Year of the Breach: California Attorney General Releases 2013 Data Breach Report
https://www.kelleydrye.com/viewpoints/blogs/ad-law-access/the-year-of-the-breach-california-attorney-general-releases-2013-data-breach-report
Thu, 30 Oct 2014 10:48:21 -0400

On Tuesday, the California Attorney General released the second annual data breach report, summarizing the 167 data breaches reported to the Attorney General’s office in 2013, and providing privacy and security recommendations for businesses. According to the report, the retail, finance, and healthcare industries reported over 60 percent of the 167 breaches, over half of which were the result of malware and hacking. The breaches affected 18.5 million California residents – a 600 percent increase over the 2.5 million records breached in 2012, and 84 percent of those records were the result of retail industry breaches.

The report provides several recommendations for businesses directed towards improving security and notification measures, including the following three non-sector-specific recommendations: (1) conduct risk assessments at least annually and update privacy and security practices based on the findings; (2) use strong encryption to protect personal information in transit; and (3) improve the readability of breach notices. Additionally, the report recommends that the healthcare industry consistently use strong encryption to protect medical information on laptops and other portable devices, and consider it for desktop computers. Importantly, the report also includes the following six recommendations specific to the retail industry, suggesting that the Attorney General considers the security measures and breach response actions of the retail industry, to date, inadequate:

  1. Update point-of-sale terminals so that they are chip-enabled and install the software necessary to operate this technology.
  2. Implement appropriate encryption solutions to devalue payment card data, including encrypting data from the point of capture until the completion of transaction authorization.
  3. Implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.
  4. Respond promptly to data breaches and notify affected individuals in the most expedient time possible and without unreasonable delay.
  5. Improve substitute notice, such as by placing a prominent and conspicuous link to the notice on the website homepage, leaving the link and notice up for at least 30 days, publishing the notice in the most expedient time possible and updating it as the business learns more, and telling consumers what they can do to protect themselves.
  6. Work with financial institutions to protect debit card holders in breaches of unencrypted payment card data.

Finally, the report suggests that the state consider legislation (1) to amend the breach notification statute to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and maintainers, and require a final breach report to the Attorney General; and (2) to provide funding to support system upgrades for small California retailers. As it appears no longer a question of “if” but rather “when” a breach will occur, businesses should continue to evaluate and modify their privacy and security practices to ensure compliance with these recommendations and all legal obligations.
