California Privacy Act – What Businesses Need To Do, Now.

After much anticipation, the California Attorney General (AG) announced in early June 2020 that the final California Consumer Protection Act (CCPA) regulations were being submitted to the Office of Administrative Law (OAL) for review. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

Because enforcement of the CCPA began on July 1, 2020, now is the time for covered businesses and service providers to size-up their compliance efforts. Although there are many issues that remain unclear, the regulations may provide a road map to the AG’s enforcement priorities. Among the issues addressed by the final regulations—as well as the AG’s “Final Statement of Reasons” which accompanied those regulations— are the following:

  • Privacy Policy: A business’ privacy policy must inform consumers of their rights under the CCPA and how they can submit requests to know or delete personal information. In addition, the privacy policy should disclose the categories of personal information collected, the categories of personal information disclosed for a business purpose or sold to a third party and provide on a per category basis the categories of third parties to whom the information was disclosed or sold.
  • Required Notices: The final regulations detail the information that should be included in the various notices. They also require business to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. In addition, the AG clarified that the regulations do “not require a cookie banner, but rather leave it to businesses to determine the formats that will best achieve the result in particular environments. In other words, it appears that the use and nature of tracking technologies can be disclosed in the privacy policy assuming that policy is readily available to the public.
  • Service Providers: The regulations require that service providers use the personal information they receive from businesses “to process or maintain personal information on behalf of the business … and in compliance with the written contract for services required by the CCPA,” except in certain narrowly-defined circumstances, such as building or improving the quality of their services. If an entity qualifies as a service provider, the transfer of information from a business to them is not deemed a sale. Moreover, the Final Statement of Reasons clarifies that service providers do not lose their status as service providers merely because they collect consumers’ personal information directly, if that collection is performed at the business’s direction and on behalf of that business.
  • Subcontractors: The regulations provide that service providers may hire subcontractors, as long as the subcontractors meet all the requirements for a “service provider” set forth in the CCPA and the regulations.
  • User-Enabled Privacy Controls: Businesses must honor privacy controls that clearly communicate or signal that the consumer intends to opt out of the sale of personal information.
  • Training and Recordkeeping: The regulations require training for all individuals responsible for handling consumer inquiries. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months.
  • No Discrimination: A business cannot discriminate against a consumer for exercising his or her rights under the CCPA.

CCPA Regulations Update

NOTICE OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS AND ADDITION OF DOCUMENTS AND INFORMATION TO RULEMAKING FILE

Update to Proposed Text

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of changes made to the proposed regulations regarding the California Consumer Privacy Act, which were published and noticed for public comment on October 11, 2019.  These changes are in response to comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law.  The originally proposed regulations, this Notice, the text of the proposed regulations as modified, and a comparison of the text as originally proposed with the modifications, are available at www.oag.ca.gov/privacy/ccpa.

Update to Documents and Other Information Relied Upon

Pursuant to the requirements of Government Code sections 11346.8, subdivision (d), 11346.9, subdivision (a)(1), and 11347.1, the Department is also providing notice that documents and other information which the Department has relied upon in adopting the proposed regulations have been added to the rulemaking file and are available for public inspection and comment.

The documents and information added to the rulemaking file are as follows:

Accenture Interactive, See people, not patterns. (2019). Available at https://www.accenture.com/_acnmedia/PDF-110/Accenture-See-People-Not-Patterns.pdf.

Cranor, et al., Design and Evaluation of a Usable Icon and Tagline to Signal an Opt-Out of the Sale of Personal Information as Required by CCPA (February 4, 2020).

Douglis, et al., How the CCPA impacts civil litigation (January 28, 2020).  Available at https://iapp.org/news/a/how-the-ccpa-impacts-civil-litigation/#.

Duffy, et al., Retail Loyalty Programs Will Survive Calif. Privacy Law (September 26, 2019), Law360.  Available at https://www.law360.com/articles/1202393/print?section=california.

Paternoster, Leon, Getting round GDPR with dark patters. A case study: Techradar (August 12, 2018).  Available at https://www.leonpaternoster.com/posts/techradar-gdpr/.

Simon, et al., Summary of Key Findings from California Privacy Survey (October 16, 2019), Goodwin Simon Strategic Research.  Available at https://www.caprivacy.org/post/icymi-summary-of-key-findings-from-california-privacy-survey.

World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018).  Available at https://www.w3.org/TR/2018/REC-WCAG21-20180605/.

The Department is also providing notice that it will not be including the following study in the rulemaking file.

Javelin Strategy & Research, 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt (March 6, 2019).

The entire rulemaking file, which includes the documents referenced above, is available for inspection and copying throughout the rulemaking process during business hours at the location listed below.  In addition, some of the documents are available at www.oag.ca.gov/privacy/ccpa.

The Department will accept written comments regarding the proposed changes or materials added to the rulemaking file between Friday, February 7, 2020 and Monday, February 24, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on February 24, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Email: PrivacyRegulations@doj.ca.gov

All timely comments received that pertain to the changes to the proposed regulations or the new materials added will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file.  Please limit written comments to those items.

NSA Releases Guidance on Mitigating Cloud Vulnerabilities

Original release date: January 24, 2020

The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities, and potential mitigation measures.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSA’s guidance on Mitigating Cloud Vulnerabilities and CISA’s page on APTs Targeting IT Service Provider Customers and Analysis Report on Microsoft Office 365 and other Cloud Security Observations for information on implementing a defense-in-depth strategy to protect infrastructure assets.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.