California AG Releases Draft California Privacy Act Regulations
Saturday, October 12, 2019

California Attorney General Xavier Becerra has released the text of draft proposed regulations to implement the California Consumer Privacy Act (CCPA), along with a Notice of Proposed Rulemaking. The CCPA is intended to provide California residents with greater transparency and control over how businesses collect and use their personal information.

The CCPA applies to a for-profit business that collects a California resident’s personal information, does business in California and meets at least one of the following criteria: (i) has annual gross revenues in excess of $25 million; (ii) receives or discloses the personal information of 50,000 or more consumers, households or devices per year; or (iii) derives 50% or more of its annual revenues from selling the personal information of California residents. There are limited exceptions to the scope of the CCPA, including for information that is governed by HIPAA or the Gramm-Leach-Bliley Act.

The proposed regulations focus on five key areas: notices, the process for handling various types of requests, how to verify identities, rules regarding minors, and considerations related to the calculation of the value of consumer data.

Notice Requirements

  • Conspicuous and clear notice at/before data collection

  • Right to opt-out of sale

  • Provision of good-faith estimate of value of consumer’s data

  • Provide categories of sources from which information collected, the business or commercial purpose(s) for which the information is collected, and the categories of third parties with whom the business shares personal information

  • Comprehensive privacy policies, consumer rights, how to exercise rights and affirmative statement about sale/disclosure of personal information to third parties in preceding 12 months

  • Accessible to those with disabilities

Process for Handling Consumer Requests to Know and Delete

  • Two or more methods to submit requests

  • Confirm receipt of request within 10 days

  • Respond to request within 45 days from date of receipt

  • Comply with request to opt-out no later than 15 days from receipt

  • Notify third party purchasers of opt-out request

  • Treat user-enabled privacy controls like browser plugins or privacy settings as opt-out request

  • Reasonable security measures

  • Must explain circumstances for denying request

  • Information regarding what to do if unable to verify identity

  • When a company can ask a person to opt back into the sale

  • Information regarding households and dealing with authorized agents

Verifying Identities

  • Establish a “reasonable” method to verify, “to a reasonable degree of certainty,” that the consumer making the request is the individual about whom the business has collected information, including satisfaction of a minimum number of verification points

  • Level of verification may depend upon sensitivity of data

  • Consider risk of harm if a fraudulent request is submitted

  • Implement reasonable security measures to detect fraudulent activity

  • Prevent unauthorized access to or deletion of personal information

  • Additional verification requirements if consumers designate authorized agent to exercise rights on their behalf

Minors and Households

  • Minors under 13 years of age must affirmatively opt-in to the sale of personal information

  • Establish reasonable method for verifying the identity of a parent or guardian that would be exercising opt-in on behalf of child

  • Examples of methods reasonably calculated to ensure person providing consent is child’s parent or guardian

  • Special requirements for notices to minors under 16 years of age

Financial Incentives

  • Calculation of the value of consumer data to design financial incentive

  • Must disclose value and how the amount was calculated

  • Methods to calculate “value of the consumer’s data,” which includes any “practical and reliable method of calculation used in good-faith”

The proposed regulations also impose reporting, recordkeeping and other requirements. For example, individuals responsible for handling consumer inquiries must be trained on CCPA requirements. Procedures must be established to ensure, without limitation, that records of consumer requests are maintained for at least 24 months.

The AG also issued an Initial Statement of Reasons explaining the purposes of the proposed regulations.

According to the AG, “The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” As the AG’s statement confirms, the draft proposed regulations and the Initial Statement of Reasons are excellent resources explaining the CCPA’s expected implementation.

As expected, the CCPA is receiving significant pushback from industry spokespeople and trade groups that continue to pursue federal data privacy legislation. While FTC lawyers continue to review the provisions of the Children’s Online Privacy Protection Act (COPPA) to determine whether they warrant improvement, numerous federal privacy bills have been introduced in Congress, many of which provide for a right of access, a right to correct inaccurate information, a right to delete personal data, opt-in consent and corporate data breach obligations. The extent to which a federal law would preempt state laws remains a controversial topic.

The draft regulations are subject to change. The AG is calling on all interested parties to submit comments by December 6, 2019.

The CCPA takes effect January 1, 2020. The AG has stated that July 1, 2020 is the expected date of final regulations and enforcement.
