California: CCPA Final Regulations Pending

On July 1, 2020, the California Attorney General began enforcing the California Consumer Privacy Act (CCPA) which requires businesses to comply with certain privacy protections for consumers and employees who reside in California. However, California is still lacking guidance on compliance with the CCPA. On June 1, 2020, the California Attorney General released the final proposed regulations for the CCPA to the California Office of Administrative Law (OAL). OAL has up to 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance with the Administrative Procedure Act. Once approved by the OAL, the final regulation text will become enforceable.

Although not law yet, employers should be looking to the proposed final regulations for guidance on the CCPA. Specifically, they describe when and how employee notices must be provided, including for subsequent collections and additional purposes not previously disclosed.

There are also numerous requirements that businesses must follow for collecting, selling, and using personal information of consumers, such has having a privacy policy, right-to-opt-out notices, financial incentive notices, steps for responding to consumer requests, and relationships with service providers who have access to personal information.

Employers who are not currently in compliance with the CCPA are strongly urged to implement policies, procedures, and notices required by the CCPA as soon as possible. Individuals may sue employers for a data breach under the CCPA, and may recover between $100 and $750 per consumer per breach or actual damages, whichever is greater. The California Attorney General may also bring enforcement action against employers, including civil penalties of $2,500 per violation and $7,500 for “intentional” violations.

Action Items