The California Consumer Privacy Act (CCPA) is coming on January 1, 2020 and last week, a major milestone was reached when regulators issued draft regulations that contain the finer details of the law’s implementation.

At a press conference announcing the draft regulations, California Attorney General Xavier Becerra stated, “Americans should not have to give up their digital privacy to live and thrive in this digital age” and based on the draft rules (PDF) his office has proposed, it looks like he’s serious about creating an environment in which consumers have far greater protection when it comes to their data and privacy.

Here are highlights from the draft regulations that businesses should know about:

  • Businesses will be required to provide two or more methods for individuals to submit requests for the information they have about them (“requests to know”) or to delete their data (“requests to delete”). While the proposed rules offer a number of acceptable methods, including web form, email and postal mail, they also state that “A business shall consider the methods by which it interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods for submitting requests to know.” • When offering individuals the ability to submit a request to delete, the option to delete all information must be featured “more prominently” than options to delete partial data.
  • When individuals submit requests to know or delete, companies must confirm receipt of the requests within 10 days and describe how the requests will be processed. Requests must be responded to within 45 days, although an additional 45 days is permitted “provided that [a] business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.”
  • Businesses must offer individuals at least two methods for submitting requests to opt out of sharing of their personal information. One method must be an online form that is accessible via a “clear and conspicuous” website link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”.
  • Companies will have up to 15 days to act on requests to opt out of personal information sharing. They will have 90 days to notify third parties who they have already sold an individual’s data to, and must notify the individual when the opt out process is completed.
  • Businesses that collect personal information from consumers online will be required to treat user-enabled privacy controls, such as browser privacy settings and plugins, as valid signals for opting out of the sale of their personal information when those controls are associated with a browser or device that is known to belong to the consumer. In other words, if an individual is logged in to a company’s website and her browser privacy controls signal opt-out, the company must treat that as a valid opt-out request.
  • Requests to know and delete must be verified as belonging to the individual in question or an authorized representative of that individual. The proposed regulations describe specific requirements for businesses that maintain password-protected accounts for individuals versus those that don’t. The verification guidelines appear designed to address concerns that have been raised about ways the GDPR can be abused to steal information about individuals.
  • Companies will not be able to offer financial incentives or price services differently based on an individual exercising her rights under the CCPA, but they can offer a price or service difference if the difference is reasonably related to the value of an individual’s data. The rules lay out guidelines for establishing and documenting the value of data.

Next steps

According to the attorney general’s office, implementation of the CCPA rules will cost companies an estimated $467m to $16.5bn between 2020 and 2030. Some observers note that the rules proposed by the attorney general appear to go beyond what the CCPA seemed to call for.

For example, Christine Lyon, a partner at law firm Morrison & Foerster, says that requiring companies to obtain “a consumer’s explicit consent to use personal information for a purpose that wasn’t specified in the notice given to the consumer at the time of collection…is not found in CCPA itself and, if adopted, would create an even stricter regime than laws like the EU’s GDPR.”

Lisa Sotto, a partner at the law firm Hunton Andrews Kurt, agreed. “The draft regulations clarify certain aspects of the law, but in some cases they go well beyond the scope of the statute,” she told Compliance Week.

Such rules will likely be the subject of focus as the attorney general solicits public comments and holds public hearings through December 6. In the meantime, companies are wise to acknowledge the California attorney general’s aggressive stance and prepare for a CCPA implementation that rivals the GDPR in terms of scope and burden.

For more information about Econsultancy’s reseach, training and best practice solutions contact us on americas@econsultancy.com