California AG Issues Proposed CCPA Regulations, Establishes Comment Period

Click here to download a PDF copy

On October 10, 2019, the California Attorney General’s Office released 24 pages of proposed regulations the California Consumer Privacy Act (“CCPA”).  The purpose of the regulations is to clarify how companies should go about complying with the state’s groundbreaking privacy law.

By and large, the proposed regulations focus on the details of the Act’s notification, verification, and anti-discrimination mandates. The regulations do not appear to alter key definitions and applicability thresholds set forth in the statute itself.

Of particular note, the draft regulations provide guidance on:

  • Format and Timing of Notice to Consumers: Notice must be provided to consumers, at or before the time of collection, of the types of personal information collected and the purposes for the collection. Among other things, the notice must be “easy to read and understandable to an average consumer,” must be conspicuous, and must be accessible to consumers with disabilities. The regulations also dictate how notices will be required to alert consumers of the right to opt-out of the sale of their information, distinguishing companies that operate online versus offline, and companies that offer a financial incentive for the sale of consumer information.

  • Content and Availability of Privacy Policy: Privacy policies must be understandable and conspicuously available to consumers, and be placed on mobile applications or websites. Policies must include the types and sources of personal information collected, an explanation of consumer rights, instructions on how to exercise those rights (including the designation of an agent), and include the process used to verify consumer requests. Businesses will also need to include a statement on whether or not they have disclosed or sold personal information to third parties in the preceding 12 months.

  • Business Practices for Handling Consumer Requests: Businesses must provide at least two designated methods, including a toll-free telephone number, for submission of consumer requests. Online businesses must also provide an interactive webform, in addition to a “Do Not Sell” link. Businesses must treat user-enabled browser settings as valid requests to opt-out of the sale of their information. Depending on a business’ primary method of interaction with consumers, the business may be required to offer additional methods for request submission. Businesses will have 10 days from the date of receiving a request to 1) confirm that the request was received, and 2) explain the verification process and anticipated response time. Businesses must respond to a request within 15 to 90 days from the date it is received, depending on the nature of the request, necessity for a delay, and communication with consumers. The regulations also outline categories of information not to be disclosed and how to “delete” information, in addition to what businesses must do if requests are deficient or if they are unable to verify a consumer’s identity.

  • Verification Procedures: Businesses must establish methods that will verify a requester’s identity using, where possible, information already maintained by the business. If new information is needed, it must be promptly deleted, except as legally required for record keeping. Businesses must verify identity to either a “reasonable degree” or “reasonably high degree” of certainty before complying with the request, depending on the nature of the request and the sensitivity of the information. Accordingly, the regulations suggest either a two- or three- point data match and a signed declaration under penalty of perjury.

  • Training and Record-Keeping: All individuals responsible for handling consumer requests must be trained on the mandates of the CCPA. Businesses must maintain, at a minimum, records of consumer requests and disposition for at least two years. Businesses commercially exchanging personal information for more than four million consumers must satisfy more detailed record-keeping and training requirements.

  • Minors: Businesses must state in the privacy policy whether or not they collect minors’ information without affirmative authorization if the minor is under 16 years of age, must include notice of the right to opt-in to the sale of such information, as well as the right to opt-out of it later.  Businesses must establish mechanisms to receive and verify parental consent for minors under the age of 13 seeking to affirmatively opt-in to the sale of their information.

  • Anti-Discrimination: Businesses may offer a financial incentive or price difference to consumers if the incentive or price difference is reasonably related to the value of the consumers’ data.  The regulations offer several methods to calculate the value of the data to the business.

The public comment period on the regulations is open until December 6, 2019, with several public hearings scheduled in early December. The CCPA goes into effect January 1, 2020, with AG enforcement to begin after implementation of the final regulations, or July 1, 2020, whichever comes first.  The full text of the proposed regulations can be viewed here:  Proposed CCPA Regulations Oct. 10, 2019

This Data Security & Privacy Alert is intended to keep readers current on developments in the law, and is not intended to be legal advice.  If you have any questions, please contact co-authors: Sandy B. Garfinkel, Chair of Eckert Seamans’ Data Security & Privacy Group at 412-566-6868 or sgarfinkel@eckertseamans.com; or Stephenie G. Anderson Scialabba at 412-566-1925 or sscialabba@eckertseamans.com.

Share This Post

Authors

Sandy Brian Garfinkel

Member - Pittsburgh