CCPA Update: California Attorney General Releases Proposed Regulations
On October 11, 2019, the California Attorney General released its long-anticipated Notice of Proposed Rulemaking Action and the text of its proposed regulations for the California Consumer Privacy Act (CCPA), along with an Initial Statement of Reasons for the proposed regulations. The documents are not a short read, with the proposed regulations covering 24 pages, the Notice 16 pages, and the Statement of Reasons another 47 pages.
With that much content to dissect, we’ll be writing a series of blog posts about the intricacies of the regulation over the coming weeks.
Today we’ll start with the nuts and bolts of the rulemaking process. The proposed regulations are just that: proposals. Over the next month and a half, the Attorney General will be accepting comments from interested parties. And in early December, there will be a series of public forums across California for the public to comment on the regulations. After the comment period, we expect the Attorney General to issue revised and final regulations.
On the regulations themselves, we’ll start with what they do not discuss:
- Regulated Businesses: Missing from the regulations is a definition of “does business in the State of California,” which dictates the scope of the CCPA. That ambiguous phrase leaves companies guessing as to whether they must comply with the CCPA.
- Exception Applicability: The CCPA includes a number of exemptions for “businesses”—such as, for complying with laws and investigations, cooperating with law enforcement, exercising legal claims, or collecting “deidentified” data. But strangely enough, those exemptions do not apply to “service providers,” which are also subject to fines for violating the statute. The proposed regulations do not fix that oddity.
- Responsibilities of Third Parties: Under the CCPA, companies that receive personal information from others are called “third parties.” But the CCPA says little about their obligations. The proposed regulations do clarify that third parties do not have to provide notice to consumers. Besides that, however, the proposal provides little guidance for companies that do not have direct contact with consumers.
- “Curing” CCPA Violations: The CCPA provides a 30-day grace period for companies that do not comply with the statute (and then face a lawsuit because of it) to “cure” the violation. Left unanswered by the regulations is what counts as a “cure.”
- Statutory Damages: The statute allows consumers to recover between $100 and $750 “per incident,” which includes “unauthorized access” or “disclosure” of someone’s information. The proposed regulations do not define what “per incident” means. For example, if the same hacker gains access to a company’s network multiple times, it’s unclear whether that qualifies as multiple “incidents.” Likewise, consumers can only bring actions when the unauthorized disclosure or theft of their information was a “result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Despite the statute’s reference to “reasonable security measures” or “reasonable data security controls,” the proposed regulations do not define what “reasonable” means.
Still, the proposed regulations do offer some important guidance. For example, Section 999.314 clarifies the CCPA’s applicability to service providers, and section 999.305 clarifies the notice obligations for passive recipients of personal information.
We will explore those provisions, among others, in the upcoming weeks.