California AG Issues Proposed CCPA Regulations, Establishes Comment Period
October 14, 2019
On October 10, 2019, the California Attorney General’s Office released 24 pages of proposed regulations the California Consumer Privacy Act (“CCPA”). The purpose of the regulations is to clarify how companies should go about complying with the state’s groundbreaking privacy law.
By and large, the proposed regulations focus on the details of the Act’s notification, verification, and anti-discrimination mandates. The regulations do not appear to alter key definitions and applicability thresholds set forth in the statute itself.
Of particular note, the draft regulations provide guidance on:
Format and Timing of Notice to Consumers: Notice must be provided to consumers, at or before the time of collection, of the types of personal information collected and the purposes for the collection. Among other things, the notice must be “easy to read and understandable to an average consumer,” must be conspicuous, and must be accessible to consumers with disabilities. The regulations also dictate how notices will be required to alert consumers of the right to opt-out of the sale of their information, distinguishing companies that operate online versus offline, and companies that offer a financial incentive for the sale of consumer information.
Business Practices for Handling Consumer Requests: Businesses must provide at least two designated methods, including a toll-free telephone number, for submission of consumer requests. Online businesses must also provide an interactive webform, in addition to a “Do Not Sell” link. Businesses must treat user-enabled browser settings as valid requests to opt-out of the sale of their information. Depending on a business’ primary method of interaction with consumers, the business may be required to offer additional methods for request submission. Businesses will have 10 days from the date of receiving a request to 1) confirm that the request was received, and 2) explain the verification process and anticipated response time. Businesses must respond to a request within 15 to 90 days from the date it is received, depending on the nature of the request, necessity for a delay, and communication with consumers. The regulations also outline categories of information not to be disclosed and how to “delete” information, in addition to what businesses must do if requests are deficient or if they are unable to verify a consumer’s identity.
Verification Procedures: Businesses must establish methods that will verify a requester’s identity using, where possible, information already maintained by the business. If new information is needed, it must be promptly deleted, except as legally required for record keeping. Businesses must verify identity to either a “reasonable degree” or “reasonably high degree” of certainty before complying with the request, depending on the nature of the request and the sensitivity of the information. Accordingly, the regulations suggest either a two- or three- point data match and a signed declaration under penalty of perjury.
Training and Record-Keeping: All individuals responsible for handling consumer requests must be trained on the mandates of the CCPA. Businesses must maintain, at a minimum, records of consumer requests and disposition for at least two years. Businesses commercially exchanging personal information for more than four million consumers must satisfy more detailed record-keeping and training requirements.
Anti-Discrimination: Businesses may offer a financial incentive or price difference to consumers if the incentive or price difference is reasonably related to the value of the consumers’ data. The regulations offer several methods to calculate the value of the data to the business.
The public comment period on the regulations is open until December 6, 2019, with several public hearings scheduled in early December. The CCPA goes into effect January 1, 2020, with AG enforcement to begin after implementation of the final regulations, or July 1, 2020, whichever comes first.
This Data Security & Privacy Alert is intended to keep readers current on developments in the law, and is not intended to be legal advice. If you have any questions, please contact Matt Meade at 412-566-1925 or firstname.lastname@example.org.