California Approves Final CCPA Regulations, and Bill Extending Key Exemptions Moves Forward at the Legislature

August 20, 2020

Click for PDF

CCPA Regulations Are Now Effective

On Friday, August 14, 2020, California Attorney General Xavier Becerra announced that the state’s Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. As detailed in our alert on June 12, 2020, the Attorney General submitted final proposed regulations to the OAL on June 1, 2020, and OAL approval was required before the regulations could take effect. The approved regulations—which took effect immediately on August 14, 2020—largely track the final regulations proposed by the Attorney General. The OAL withdrew four provisions,[1] however, and the Attorney General made a number of non-substantive changes for accuracy, consistency, and clarity (the non-substantive changes are detailed by the Office of the Attorney General here). The OAL withdrew the following provisions, though certain of the revisions do not indicate any substantive reversal, as noted below:

• Explicit Consent for Use of Personal Information for Different Purpose (formerly § 999.305(a)(5)): The OAG removed the requirement that notice and explicit consent is required to use a consumer’s personal information for a materially different purpose from the purpose disclosed at or before the collection of personal information. This provision was heavily debated during the public comment period, and while it would remove a significant burden on businesses seeking to make such a change with respect to explicit consent, the statute (Cal. Civ. Code § 1798.100(b)) still dictates that a “business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with” the CCPA.
• Offline Notice of Opt-Out (formerly § 999.306(b)(2)): The OAL removed the requirement that businesses substantially interacting with consumers offline must provide an offline notice of a consumer’s ability to opt out of the sale of personal information, such as by providing a consumer with notice on a printed form or posting signage directing consumers to a notice.
• Ease of Requesting to Opt-Out (formerly § 999.315(c)): The OAL removed the language requiring that the methods businesses use for submitting requests to opt-out “be easy for consumers to execute,” and “require minimal steps to allow the consumer to opt-out.” The withdrawn provision had also clarified that a “business shall not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out.” Although this particular provision was removed, another provision, § 999.315(b), still encourages businesses to consider the “ease of use by the consumer when determining which methods consumers may use to submit requests to opt-out.”
• Denying Requests by Unauthorized Agents (formerly § 999.326(c)): Although this subsection allowing businesses to deny a request from an agent that failed to submit proof of authorization to act on the consumer’s behalf was removed, a different provision, § 999.315(f), provides that “[a] business may deny a request from an authorized agent if the agent cannot provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.”

At least the first two provisions above were particularly scrutinized during the public comment period, and their exclusion from the final regulations makes requirements for businesses less onerous (for example, businesses required to provide an opt-out-of-sale mechanism may have struggled with a practical offline procedure for opting out of the sale of data). The OAL has offered little insight into its reasoning for withdrawing these provisions, however, and the Attorney General may resubmit these sections after further review and potential revision.

Regardless of the withdrawal of these particular provisions, in light of the official approval of the remainder of the regulations, and the Attorney General’s authorization to enforce them starting immediately, businesses would be well advised to familiarize themselves with the approved regulations. We remain available to advise accordingly.

Bill Extending Key CCPA Exemptions Moves Forward at the Legislature

Separately, on August 13, 2020, the California Senate Judiciary Committee agreed—with a unanimous 9-0 vote—to extend until January 2022 exemptions from certain CCPA requirements for personal information arising from business-to-business (“B2B”) transactions and employment, which are currently set to expire January 1, 2021.[2] The relevant bill, AB 1281, was significantly revamped from a prior bill on June 25, 2020, and now its sole proposal is to extend the foregoing exemptions until January 2022, unless the California Privacy Rights Act (“CPRA”) passes. The CPRA is an initiative that is set for a vote on the November 3, 2020 state ballot, as we discuss in more detail here, and would extend the same exemptions until January 1, 2023. AB 1281 now sits with the Senate Appropriations Committee and was scheduled for a vote on August 19, 2020, but the legislature adjourned its session without a vote on the bill. The next session is scheduled for Monday, August 24. As of now, it appears likely to pass, which means the CCPA would not start applying to employment and B2B-related personal information when the current exemption expires on January 1, 2021.

_____________________

[1] Cal. Code Regs. Tit. 11, Div. 1, Chap. 20 §§ 999.305 (a)(5); 999.306(b)(2); 999.315(c);999.326(c).

[2] See California Senate Committee Roll Calls, available at https://sjud.senate.ca.gov/sites/sjud.senate.ca.gov/files/roll_call_reports_all_bills.pdf.

The following Gibson Dunn lawyers assisted in the preparation of this client update: Alexander Southwell, Benjamin Wagner, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Abbey Barrera, Julie Hamilton, and Tony Bedel.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments.  Please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s California Consumer Privacy Act Task Force or its Privacy, Cybersecurity and Consumer Protection practice group:

California Consumer Privacy Act Task Force:
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, cgaedt-sheckter@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Alexander H. Southwell – New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Deborah L. Stein (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)

Please also feel free to contact any member of the Privacy, Cybersecurity and Consumer Protection practice group:

United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, asouthwell@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, dwongyang@gibsondunn.com)
Matthew Benjamin – New York (+1 212-351-4079, mbenjamin@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303-298-5774, rbergsieker@gibsondunn.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, hhogan@gibsondunn.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, jjessen@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, klinsley@gibsondunn.com)
H. Mark Lyon – Palo Alto (+1 650-849-5307, mlyon@gibsondunn.com)
Karl G. Nelson – Dallas (+1 214-698-3203, knelson@gibsondunn.com)
Deborah L. Stein (+1 213-229-7164, dstein@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, evandevelde@gibsondunn.com)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, bwagner@gibsondunn.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, mwong@gibsondunn.com)

Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, abaladi@gibsondunn.com)
James A. Cox – London (+44 (0)20 7071 4250, jacox@gibsondunn.com)
Patrick Doris – London (+44 (0)20 7071 4276, pdoris@gibsondunn.com)
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, bgrinspan@gibsondunn.com)
Penny Madden – London (+44 (0)20 7071 4226, pmadden@gibsondunn.com)
Michael Walther – Munich (+49 89 189 33-180, mwalther@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Alejandro Guerrero – Brussels (+32 2 554 7218, aguerrero@gibsondunn.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, vlukic@gibsondunn.com)
Sarah Wazen – London (+44 (0)20 7071 4203, swazen@gibsondunn.com)

Asia
Kelly Austin – Hong Kong (+852 2214 3788, kaustin@gibsondunn.com)
Jai S. Pathak – Singapore (+65 6507 3683, jpathak@gibsondunn.com)

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.