The California Consumer Privacy Act is Effective January 1, 2020, but Compliance is Challenging Pending Adoption of the Associated Regulations

The California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100-1798.199, “the Act”) becomes effective January 1, 2020. Pursuant to the Act, companies doing business in California, and meeting other factors, must be responsive to verified consumer requests to do the following:

• Disclose to the consumer the categories of personal information it collects for that consumer, including the sources from which it collected the information, the business or commercial purpose for which the information was collected or sold, the categories of third parties with whom the business shares personal information, and the specific pieces of personal information that the business collected about that consumer;
• Disclose to the consumer whether the business sells to a third party, or discloses for a business purpose, the consumer’s personal information, and the categories of personal information sold or disclosed; and
• Deletion of the consumer’s personal information.

Businesses covered by the Act must also provide a link titled “Do Not Sell My Personal Information” for consumers to opt-out of the sale of their personal information.

For purposes of the Act, “consumer” is a California resident. “Business” is a legal entity operated for profit or financial benefit, doing business in California, and meeting one of the following: (1) having annual gross revenue in excess of $25,000,000, subject to CPI adjustments; (2) annually buys, sells, receives or shares for commercial purposes the personal information of 50,000 consumers, households, or devices; or (3) derives at least 50% of its annual revenues from selling consumers’ personal information.

The Act requires that businesses inform consumers of their California-specific privacy rights, including mandatory annual updates to the privacy policies to reflect the Act’s requirements, and notice “at or before the point of collection” of the categories of personal information it collects and the purposes for which that information is used. Businesses must provide multiple options for making personal information requests under the Act. Businesses are also provided deadlines to respond to verified consumer requests, but do not have to respond to more than two requests from a consumer in a twelve month period.

While the law becomes effective January 1, 2020, many details are pending while the California Attorney General conducts its rulemaking for adoption of regulations under the Act. Regulations must be adopted by July 1, 2020. (The Act also prohibits the Attorney General from bringing enforcement actions under the Act until July 1, 2020.) This potential six-month lag between the Act’s effective date and adoption of pivotal regulatory language is leaving many businesses in a quandary over whether and how to comply with the Act in the interim. For example, a business’ ability to respond to a consumer request under the Act may be dependent on the Attorney General settling what it means to “reasonably verify” a request. To date, the Attorney General has not given guidance on whether businesses are expected to respond to any or all consumer requests while the features of a verifiable consumer request are outstanding. This and other unsettled details are creating uncertainly over whether businesses are adequately complying with the Act at the start of 2020.

As of the date of this post, the Attorney General has issued “45-day language” and taken comments on these proposed regulations. The Attorney General has not issued a schedule for the remainder of the rulemaking, and there is no indication of when the next round of draft regulations will be issued.

If you have any questions regarding the California Consumer Privacy Act or would like assistance participating in the Attorney General’s associated rulemaking, please contact ESHD attorneys Brian Biering or Chase Maxwell at 916-447-2166.