CCPA Amendments
The California Governor has signed the five amendments to the California Consumer Privacy Act (“CCPA”) that are applicable to financial institutions. A summary of the amendments can be found here.
CCPA Proposed Regulations
The California Attorney General has released proposed regulations titled “California Consumer Privacy Act Regulations,” as outlined below. These regulations:
- Specify new definitions in addition to the definitions in the CCPA.
- Establish rules and procedures regarding the notice to be provided at collection of the personal information, the notice of right to opt-out of sale of personal information, the notice of financial incentive, and the privacy policy notice to ensure these notices are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer.
- Establish rules and procedures regarding the opt-out of the sale of personal information to facilitate the submission of a consumer request to opt-out of the sale of their personal information, including the potential development of an opt-out button or logo to be used in addition to the posting of the required notice.
- Establish rules and procedures regarding the methods for submitting and responding to requests to know and requests to delete a consumer’s personal information, as well as how these requests are to be verified by a business.
- Establish rules and procedures regarding minors and consumers that use an authorized agent.
- Clarify the contents of a business’s Privacy Policy.
- Specify internal training procedures and record keeping mechanisms that must be in place in a business, such as businesses must maintain records of requests and how they responded for 24 months to demonstrate their compliance and the format of the maintained records.
The proposed regulations can be found here.
Under the CCPA, the Attorney General may adopt rules and regulations as necessary to further the CCPA’s purposes. Public comment to the proposed regulations will be accepted until December 6, 2019. At which time, the Attorney General may revise the regulations in response to the comments and any revision will be subject to an additional 15-day public comment period. Following the public comment period, the final text of the regulations will be submitted for approval by the Office of Administrative Law. If approved, the regulations will go into effect. The Attorney General may not bring enforcement action under the CCPA until the earlier of six months after the final regulations have been published or July 1, 2020.
Ballot Initiative
A ballot initiative was introduced titled “California Privacy Rights and Enforcement Act of 2020” that would further expand the CCPA’s protections for consumers and businesses’ responsibilities to consumers’ personal information. This initiative, among others, would:
- Allow a consumer to request a business to correct inaccurate personal information that it maintains.
- Add a new category of personal information, “sensitive personal information,” which includes information such as a consumer’s social security number, driver’s license number, account log-in, financial account, precise geolocation, personal information revealing a consumer’s racial or ethnic origin or religion, contents of a consumer’s private communications, among others.
- Require a business to disclose, at or before the point of collection, if the business collects sensitive personal information, the categories of sensitive personal information to be collected, and the specific purpose for which the categories of sensitive personal information are collected, used, or sold.
- Require a business to disclose, at or before the point of collection, the length of time the business intends to retain each category of personal information and sensitive personal information.
- Enable a consumer to have the right to opt-out of the use of disclosure of the consumer’s sensitive personal information for advertising or marketing and provide a link on the business’s website in order for the consumer to do so.
- Require opt-in consent by a consumer in order for a business to sell their sensitive personal information.
- Require businesses to notify consumers when a security breach has occurred and their sensitive information has been compromised.
- Implement an independent watchdog whose mission is to protect consumer privacy by ensuring that businesses and consumers are well-informed of their rights and obligations and to enforce the law against businesses that violate consumers’ privacy rights.
The ballot initiative can be found here.
This initiative has been sent to the Attorney General for official title and summary. If the initiative does not otherwise fail or become withdrawn, it will be circulated to collect signatures from registered voters and voted on in the 2020 election. If approved, the Act’s operative date would be January 1, 2021 and would only apply to personal information collected by a business on or after January 1, 2020.