Starting Jan. 8, 2019 and continuing through Feb. 13, 2019 the California Department of Justice will hold six state wide public forums on the California Consumer Protection Act (CCPA) during which interested parties may comment on the law ahead of a formal rulemaking conducted by the California Attorney General (AG). Written comments may be submitted in lieu of attending the forums. The proceedings offer a vital opportunity to influence the regulations that will ultimately be enforced and help clarify ambiguities in the statute.
The CCPA was hastily enacted in June in an effort to keep a more onerous proposition off the November 2018 ballot. (View the Goodwin alert on the CCPA here.) Starting Jan. 1, 2020 companies will be required to (i) provide greater transparency about data collection, use and sharing practices in easily accessible privacy policies; (ii) offer an opt-out of the sale (including disclosure) of their personal information; (iii) offer and comply with new data subject rights; and obtain explicit consent to sell the personal information of children under the age of 16.
Due to the circumstances of enactment, the law contains a number of ambiguities. For example, it is unclear whether the CCPA applies to employee data. There is also widespread concern about its potential impact on technology innovation.
The statute includes a mechanism which should help to address these issues: The CCPA requires the AG to “solicit broad public participation” and promulgate regulations to: (1) update the categories of personal information covered by the CCPA; (2) establish any exceptions necessary to comply with state and federal law; and (3) establish rules and procedures for sending and responding to requests to opt-out of the sale of personal information, promulgate privacy notices that are accessible to consumers, and facilitate consumers’ access to personal information held and/or disclosed by businesses. The AG may also “adopt additional regulations as necessary to further the purposes of the [CCPA].”
Although the CCPA goes into effect Jan. 1, 2020, a recent amendment prohibits the AG from enforcing it “until six months after the publication of final regulations … or July 1, 2020, whichever is sooner.”
Takeaways for Data Driven Businesses:
The public forums and comment process offers businesses an important opportunity to shape the CCPA before it is enforced. Companies are encouraged to assess how they may be impacted by CCPA, taking particular note of their business models and data practices to ensure their concerns become part of the public record.
Interested parties can submit written comments by email at privacyregulations@doj.ca.gov or by mail to:
California Department of Justice
Attn: Privacy Regulations Coordinator
300 S. Spring Street, Los Angeles, CA 90013
The schedule for the public forums is as follows:
- San Francisco – Tuesday, Jan. 8, 10 a.m. – 1 p.m. – Milton Marks Conference Center, 455 Golden Gate Ave., San Francisco, CA 94102
- San Diego – Monday, Jan. 14, 10 a.m. – 1 p.m. – California State University, San Marcos, 333 S. Twin Oaks Valley Rd., San Marcos, CA 92096
- Inland Empire/Riverside – Thursday, Jan. 24, 10 a.m. – 1 p.m. – Cesar Chavez Community Center, 2060 University Ave., Riverside, CA 92507
- Los Angeles – Friday, Jan. 25, 10 a.m. – 1 p.m. – Ronald Reagan Building, 300 S. Spring St., Los Angeles, CA 90013
- Sacramento – Tuesday, Feb. 5, 10 a.m. – 1 p.m. – California State Building, 1500 Capitol Ave., Sacramento, CA 95814
- Fresno – Wednesday, Feb. 13, 10 a.m. – 1 p.m. – California State Building, 2550 Mariposa Mall, Room 1036, Fresno, CA 93721
We are available to answer your questions about the CCPA or speak with you if you are considering participating in one of the public forums or submitting comments.
Goodwin’s Data, Privacy and Cybersecurity practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial industry, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.