The California Attorney General has announced that the state’s Office of Administrative Law (OAL) granted its approval of final regulations under the California Consumer Privacy Act (CCPA). They are effective immediately.

The AG stated: “With these rules finalized, California breaks ground and leads the nation to protect and advance data privacy. These rules guide consumers

Commentors on the final California Consumer Privacy Act regulation queried: “Are session cookies a “unique personal identifier?”

The California Attorney General replied: Maybe, depending on the context.

  • A “unique personal identifier” is a persistent identifier that can be used to recognize a consumer.
  • If a session cookie cannot be used to recognize a consumer, family

Commenters to the final California Consumer Privacy Act (CCPA) regulations asked if it is possible to provide information about, and access to the “Do not Sell” link and/or opt out opportunity in the privacy notice?

The California Attorney General’s answer: No.

  • The notice of right to opt out is a separate obligation from the CCPA’s

Commenters on the final California Consumer Privacy Act (CCPA) regulations asked if a company gives you a product without charge but in consideration for your information,  could that still be deemed a financial incentive requiring the company to calculate and disclose the value of the consumer’s data?

The California Attorney General’s answer: Yes.

  • If you

Comments to the final California Consumer Privacy Act regulations asked how franchisor/franchisee compliance with CCPA works?

  • Does CCPA apply to the franchisee for collecting data on behalf of the franchisor?
  • How is the franchisor supposed to calculate its revenues for the purpose of the $25 million applicability threshold?
The California Attorney General Responded:
  •  The regulation

Compliance takeaways from the International Association of Privacy Professionals (IAPP) California Consumer Privacy Act (CCPA) Enforcement Keynote Session:

  • It is important for businesses to understand the law. It is complex and has many nuances.
  • Your customers are looking, your competitors, your employees are looking, and the CA AG is looking at the private class actions

Comments on the final California Consumer Privacy Act (CCPA) regulations asked if data brokers should be required to identify the factors they use in algorithmic decision making practices that affect the consumer, such as consumer scores?

The California Attorney General responded:
  • Inferences derived from personal information to create a profile about a consumer are personal

Comments to the California Consumer Privacy Act (CCPA) final regulations asked: “If you get an access request and you know that the underlying motive for it is to conduct discovery for the purpose of contemplated litigation, do you have to comply with the access request?”

The California Attorney General’s Response: Yes. There is no exception

Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. for a class action lawsuit).

Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures.