Summer 2019 Defense Comment 7 Continued on page 8 including parental consent for those under 13. WHAT STEPS MUST BUSINESSES TAKE TO PROPERLY DISCLOSE UNDER THE CCPA? The required steps include all the following: 1. “Make available to consumers two or more designated methods for submitting requests for information required to be disclosed ... including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Website, a Website address.” 2. “Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request.” The 45 days may be extended for another 45 days “when reasonably necessary,” if the consumer is given notice within the initial 45-day period. “The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable request.” A business is not required to provide disclosures “to the same consumer more than twice in a 12-month period.” 3. Disclose in its online privacy policy or policies, or if the business has none, then on the business’s Internet Website, and in any California-specific description of consumers’ privacy rights: (A) “A description of a consumer’s rights ... and one or more designated methods for submitting requests.” (B) A “list of the categories of personal information it has collected about consumers in the preceding 12 months” or categories in subdivision (c) that most closely describe the personal information collected. (C) A business that sells personal information must disclose two separate lists: (i) “A list of the categories of personal information it has sold about consumers in the preceding 12 months.” (ii)“A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months.” The statute also requires the lists to be updated once every 12 months 4. “Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements” related to disclosures under the CCPA “and how to direct consumers to exercise their rights under those sections.” PRIVATE CIVIL ACTIONS A consumer may file a civil action, including a class action, if the consumer’s personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result” of the failure of the business’s security efforts. In such a case, consumers may recover from the business the greater of: (1) $100-$750 per incident or (2) actual damages. The civil action does not proceed in quite the same way as other civil actions. (1) The consumer must provide 30 days’ notice and opportunity to cure prior to initiating an action for statutory damages. This requirement does not apply to an action solely for actual pecuniary damages. (2) The consumer must “notify the Attorney General within 30 days that the action has been filed.” (3) TheAttorneyGeneralhas30daysafter such notice to do one of the following: (A) Notify the consumer of the Attorney General’s intent to prosecute an action against the alleged violator. “If the Attorney General does not prosecute within six months, the consumer may proceed with the action.” (B) “Refrain from acting within the 30 days, allowing the consumer bringing the action to proceed.” (C) “Notify the consumer bringing the action that the consumer shall not proceed with the action.” The statute is silent as to the grounds on which the Attorney General may direct that “the consumer shall not proceed with the action.” CCPA – continued from page 6