Trending publication

05.26.2020 | Legal Advisory

In the middle of a pandemic that has upended the food and beverage industry – causing surging demand for some products and devastating others – the last thing anyone wants to deal with is a new regulatory regime. However, the California Attorney General declined to delay the scheduled July 1, 2020 start of enforcement of the California Consumer Privacy Act of 2018 (“CCPA”), the most comprehensive privacy law in the United States. The CCPA grants California residents new privacy rights and regulates businesses – including food and beverage companies – that obtain or process the personal data of California residents. It also gives consumers a private right of action to sue a business for data breaches and grants new enforcement power to the California Attorney General. We previously summarized key provisions in the CCPA in our advisory Preparing for the Inevitable: It’s Time to Begin Planning for the CCPA. For many brands operating on a national scale, including via e-commerce, the CCPA’s reach is terrifyingly broad. 

Food and beverage companies – even those not based in California – should take immediate steps to assess their privacy policies, marketing, e-commerce, and social media efforts. The CCPA will impact how companies market to and interact with consumers, and how companies use personal information for commercial transactions and marketing efforts, including loyalty programs.

Enforcement to Commence on July 1

In January, the CCPA went into effect but enforcement was delayed until California’s Attorney General Xavier Becerra finalized the underlying regulations, or July 1, 2020, whichever came first. With about a month to go, the regulations are still not final. Nevertheless, CA Attorney General Becerra has announced that his office will move forward with enforcement of the CCPA starting on July 1. Though some businesses had argued that a delay in enforcement would be appropriate because of the coronavirus pandemic, the Attorney General rejected that idea. Instead, in a recent press release, he asserted that the impact of the pandemic has made it more important than ever to focus on privacy rights given consumers increased “dependency on online connectivity.”

The reality is that COVID-19 is forcing families to adjust to a new way of living and connecting remotely. Whether it’s our children’s schooling, socializing with family and friends, or working remotely – we are turning to mobile phones and computers as a lifeline. With such dependency on online connectivity, it is more important than ever for Californians to know their privacy rights.

What You Need to Do to Comply With the CCPA

Since it became effective at the beginning of the year, private litigants from across the country have already started asserting claims under the act. At least one private litigant has argued that the CCPA creates a new standard of law. All of this underscores the need to regularly monitor and assess the impact of the CCPA on your business’s privacy practices, even if you are not located in California. 

The steps necessary to comply with the CCPA is very much a function of how a particular business operates and communicates with its customers. If the CCPA applies to you (which is probably does if you regularly interact with California consumers online), the proposed regulations mandate in detail how and when businesses should prepare consumer notices, the content required in privacy policies, and the methods companies should use in responding to and verifying consumer requests. The proposed regulations also provide guidance on the obligations of service providers, use of authorized agents, training of individuals handling personal information, and recordkeeping.

Key issues addressed in the proposed regulations include:

• Consumer Notices. The regulations describe in detail where, when, and how notices should be presented and designed, and describe the content they must include. These requirements differ depending on the specific business and data collection practices. For example, an online company that collects information has different obligations than a business that collects information only offline. In addition, there are different requirements for notice based on the reasonable expectations of consumers. Thus, a more prominent and “just-in-time” notification might be required if a business is collecting information in a way that might surprise the consumer, such as unexpectedly collecting geolocation information while a consumer interacts with a brand or its loyalty program.  

• Privacy Policies. The proposed regulations will impact content and design of privacy policies. The various versions of the regulations have gone back and forth on the specific requirements for privacy policies. Though the exact regulatory details are still to be resolved, the CCPA clearly requires revising privacy policies to specifically describe what and how information is collected and for what business or commercial purpose it is used. Also, privacy policies will need to describe California consumers’ CCPA rights: the right in most instances to know about, delete, and opt-out of the sale of their personal information. A privacy policy must also describe the process by which a company handles and verifies such consumer requests.

• Responding to Consumer Requests. The proposed regulations provide a framework describing how companies are supposed to respond to consumer requests to exercise their CCPA rights to know, delete, or opt-out of the sale of personal information, including what methods a business should provide for consumers to make requests, what steps a business needs to take in identifying personal information, and how a business should verify the consumer who makes the request has the right to access the relevant personal information.
• Maintaining Metrics. The proposed regulations also require certain recordkeeping, including statistics regarding compliance with the CCPA. These requirements differ according to the size of the company. For example, companies that buy, receive, sell, or share personal information of 10 million or more consumers in a calendar year must compile metrics that they are required to disclose by July 1 of every calendar year.
• Justifying Financial Incentives. The proposed regulations also provide clarity on the use of financial incentives to consumers to encourage them to allow for the use and sale of their personal data. Specifically, the CCPA requires that there needs to be a good-faith estimate of the value of the consumer’s data in determining the propriety of such a program. As an example, the proposed regulations mention a grocery store whose loyalty program requires a consumer to provide their phone number in order to receive discounts and coupons, must allow the consumer to opt-out of the sale of their personal information without removing them from the loyalty programs unless the grocery store can demonstrate that the value of the discounts and coupons are reasonably related to the value of the consumer’s data to the business. 

What’s Next?

Though there remain many open questions about the CCPA and how exactly it will be enforced, food and beverage brands need to take immediate steps to comply now. Nutter will continue to monitor CCPA developments and is ready to assist clients with their compliance obligations.

This advisory was prepared by Seth Berman in Nutter’s Privacy and Data Security practice group. For more information, please contact Seth or your Nutter attorney at 617.439.2000.

This advisory is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.