On June 1, California’s Office of the Attorney General submitted the final proposed regulations package for the California Consumer Privacy Act to the Office of Administrative Law for review. Included in this package is the Final Statement of Reasons, explaining the modifications from the initially proposed text of the regulations, as well as a summary of all the comments received during the rulemaking process and the OAG’s responses, attached as appendices A, C, and E to the FSOR.
For businesses or practitioners dealing with compliance issues, the OAG commentary is an important resource to consider.
The OAG’s responses address why certain modifications were made (or not) to the proposed regulations, confirm and clarify how it is interpreting certain CCPA provisions, and flag topics the OAG is still considering. They also appear to provide some insight regarding the OAG’s enforcement focus. There is substantial granularity, as the comments and responses are organized by the specific sections and subsections of each regulation. Together, Appendices A, C, and E total almost 500 pages. Reviewing a few of the regulatory provisions illustrates how this commentary may help inform compliance decisions.
The importance of notices, privacy policies and the “do not sell” link
Not surprisingly, the need to comply with the CCPA’s notice obligations is a focus of the OAG’s comments. The OAG repeatedly emphasizes the distinction between a business’ statutory obligation to provide different notices to consumers and simply having a privacy policy. For example, in Response 105/Appendix A, the OAG stated “[n]othing in (the CCPA) Section 1798.130 indicates that the online privacy policy constitutes notice at collection.” While a business may, at its discretion, include information regarding the notices in its privacy policy, “this does not absolve the business from complying with its statutory requirements to separately provide a notice at collection, notice of right to opt-out, and notice of financial incentive.”
The responses similarly stress the requirements regarding the right to opt-out. Response 267/Appendix A reiterates that the CCPA requires a business selling consumers’ personal information to provide notice of the right to opt-out and “a clear and conspicuous link” titled “Do Not Sell My Personal Information” on its homepage, obligations that are separate from what must be disclosed in a privacy policy. Making sure businesses are providing the required “do not sell” link is expected to be a focus for the attorney general’s office based upon its July 1 news release and the comments by Supervising Deputy Attorney General Stacey Schesser of California’s Department of Justice during an IAPP Keynote session regarding CCPA enforcement.
The OAG rejected the suggestion that certain circumstances, such as an applicable exemption, might limit a business’ obligation to provide information to consumers. In Response 264/Appendix A, the OAG emphasized the CCPA “requires a business to disclose certain information in the required notices and privacy policy.” It strongly stated, “CCPA-mandated disclosures are required even if the business is not required to comply with the consumers’ exercise of their rights.” In Response 311/Appendix A, the OAG disagreed with comments taking the position that a business that does not sell personal information does not need to include an explanation of the right to opt out in its privacy policy. It noted the CCPA requires that “the privacy policy include a description of consumers’ rights, even when a business does not have to comply with the consumer’s request.”
No blanket exemption for trade secrets and intellectual property
Several of the comments raise the issue of the CCPA potentially requiring disclosure of proprietary and/or trade secret information. While CCPA Section 1798.185(a)(3) discusses the attorney general adopting regulations regarding “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights …,” there is no such exemption in the final proposed regulations.
For businesses concerned about this issue, the OAG’s responses to these comments are instructive.
Responses 323 and 901 in Appendix A address comments seeking an exemption from the CCPA for proprietary information, intellectual property or trade secrets. In a lengthy commentary, the OAG rejected these requests. It determined “the comments fail to show how an exemption for protection of intellectual property rights is necessary” as they “fail to explain how a consumer’s personal information collected by the business could be subject to the business’s copyright, trademark, or patent rights, or how a business could possibly patent, trademark or copyright a consumer’s personal information” (Response 901/Appendix A).
The OAG’s responses also noted that even if a consumer’s personal information could potentially be considered a trade secret, “neither federal nor state law provides absolute protection for trade secrets.” Importantly, the OAG concluded, “a blanket exemption from disclosure for any information a business deems could be a trade secret or another form of intellectual property would be overbroad and defeat the Legislature’s purpose of providing consumers with the right to know information businesses collect from them.”
There also were comments specifically challenging…