June 10, 2020: On June 1, 2020, the Final Text of Regulations (Regulations) relating to the California Consumer Privacy Act (CCPA) was filed by the California Attorney General (AG) with the California Office of Administrative Law.
The AG submitted a request for an expedited review and approval of the submitted Regulations in order to meet the CCPA statutory deadline to adopt Regulations by July 1, 2020. This means the Regulations could become effective and enforceable on July 1, 2020, which is the same enforcement date for the statutory requirements of the CCPA. Otherwise, the Office of Administrative Law has 30 days to review the AG’s documents to ensure compliance with the California Administrative Procedure Act, which could be extended an additional 60 days pursuant to Executive Order N-40-20 issued by Governor Newsom on March 30, 2020.
The Regulations are identical to the Second Modified Regulations issued by the AG on March 11, 2020. Any changes would have required an additional notice and comment period.
The AG’s website includes a large amount of information relating to the rulemaking process, including:
- the reasons for each modification made since the original proposed Regulations;
- its responses to comments submitted, with cross references to the specific parties that submitted the comments; and
- transcripts from the four public hearings.
Some of the concerns raised by RMAI were addressed in the first and second modifications to the proposed Regulations:
- Regarding notices to consumers, RMAI requested clarification as to the appropriate accessibility standards for consumers with disabilities.
- The AG clarified that “[f]or notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference.”
- Regarding the notice at collection, RMAI noted that “some businesses may collect information directly from the consumer over the telephone prior to the consumer visiting a website with a link to the notice at collection or prior to receiving a paper version in the mail.”
- The AG added guidance that “[w]hen a business collects personal information over the telephone or in person, it may provide the notice orally.”
- RMAI noted that mandating businesses to provide a webform for submission of consumer requests to know or delete was not reasonable, and explained that 20% of RMAI members “operate websites that are not designed to collect information from or otherwise interact with consumers.”
- The AG removed the webform requirement.
- The original proposed rules would have required a business to comply with a request to know or delete if “all consumers of the household jointly” made the request. The definition of “household” was simply “a person or group of people occupying a single dwelling.” RMAI urged the use of “residing” due to the transitory nature of “occupying.”
- The AG modified the definition of “household” to mean “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.”
- The First Modified Proposed Regulations removed the provision that provided a “business that does not collect information directly from consumers does not need to provide a notice at collection to the consumer . . .” RMAI identified this as a probable drafting error.
- The AG reinserted the language.
Violations of the CCPA, or Regulations once final, can result in civil penalties up to $2,500 for each violation and up to $7,500 for each intentional violation.
This alert is intended for members of the Receivables Management Association International and is for informational purposes only and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.