CALIFORNIA RELEASES NEW CONSUMER DATA PRIVACY REGULATIONS

November 15, 2019

The California Consumer Privacy Act (CCPA) is a landmark law governing consumer privacy rights in personal data for California consumers.  On October 11, 2019, several finalizing amendments were signed by California Governor Gavin Newsom, and on October 10, 2019, California Attorney General Xavier Becerra released draft regulations that will govern compliance.  The public is invited to comment on these draft regulations through December 6, 2019.  The regulations will go into effect six months after a final version is published, or on July 1, 2020, whichever comes first.

Once the regulations go into effect in 2020, businesses will have new compliance responsibilities:

  • Notice. The proposed rules detail the kinds of notice that must be given at the time a business collects personal information from a California resident or consumer, including a consumer’s right to “opt out” of having their information sold.  Airlines and other consumer-facing businesses will need to update their websites and purchase processes to ensure appropriate notice and opt-out opportunities are provided.
  • Handling Consumer Requests to “Opt Out.”  If a consumer does exercise their right to opt out, the business concerned must notify all third parties that received the consumer’s information, and that information must be deleted.  This rule will require businesses to build compliance procedures to map the flows of data in and out of their organization so that requests can be effectively followed up.
  • Privacy Policies. The proposed rules require businesses to publish a privacy policy that includes a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.  Additionally, the proposed rules require businesses to state affirmatively whether they have sold personal information to third parties in the preceding 12 months and disclose categories of third parties with whom they have shared.
  • Training and Record-Keeping. The proposed regulations require that all individuals responsible for handling consumer inquiries receive training about CCPA requirements. Businesses must maintain records of consumer requests made pursuant to the CCPA for at least 24 months.  As with tracking opt-outs and communicating them forward to any data partners, these requirements will entail businesses building CCPA compliance controls.

If you have any questions, please contact Evelyn Sahr (esahr@eckertseamans.com or 202-659-6622), Drew Derco (dderco@eckertseamans.com or 202-659-6665), or Alexander Matthews (amatthews@eckertseamans.com or 202-659-6633).

Authors

Evelyn D. Sahr

Member - Washington, D.C.

Drew M. Derco

Member - Washington, D.C.
