Comments to the final California Consumer Privacy Act regulations asked how franchisor/franchisee compliance with CCPA works?

  • Does CCPA apply to the franchisee for collecting data on behalf of the franchisor?
  • How is the franchisor supposed to calculate its revenues for the purpose of the $25 million applicability threshold?
The California Attorney General Responded:
  •  The regulation

Compliance takeaways from the International Association of Privacy Professionals (IAPP) California Consumer Privacy Act (CCPA) Enforcement Keynote Session:

  • It is important for businesses to understand the law. It is complex and has many nuances.
  • Your customers are looking, your competitors, your employees are looking, and the CA AG is looking at the private class actions

Comments on the final California Consumer Privacy Act (CCPA) regulations asked if data brokers should be required to identify the factors they use in algorithmic decision making practices that affect the consumer, such as consumer scores?

The California Attorney General responded:
  • Inferences derived from personal information to create a profile about a consumer are personal

Comments to the California Consumer Privacy Act (CCPA) final regulations asked: “If you get an access request and you know that the underlying motive for it is to conduct discovery for the purpose of contemplated litigation, do you have to comply with the access request?”

The California Attorney General’s Response: Yes. There is no exception

Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. for a class action lawsuit).

Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures.

A comment requested that the California Attorney General clarify the specific requirements for making privacy notices “easy to read and understandable to the average consumer” under the California Consumer Privacy Act regulations.

The Attorney General responded:
  • The provisions of Section 999.305(a)(2) are sufficient to make this clear.
  • Also, notices cannot be misleading.
Contrast:
  •  European Union: 

A comment asks the California Attorney General if directing a consumer to an online form could constitute a valid notice at collection under the recently finalized California Consumer Privacy Act regulations.

The Attorney General says it can’t confirm or deny.

The AG says nothing prevents a business from directing a consumer to a place where