California Attorney General Issues Proposed CCPA Regulations
On October 10, California Attorney General Xavier Becerra published long-awaited proposed regulations to the California Consumer Privacy Act (CCPA), along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. The CCPA, which takes effect on January 1, 2020, provides new rights for California residents and imposes new obligations on businesses. The proposed regulations provide guidance to businesses for complying with the CCPA. The Attorney General is soliciting written comments regarding the regulations until December 6, 2019.
Notices to Consumers
Point of Collection: The CCPA requires point of collection notices to inform consumers at or before the time of collection of the categories of personal information ("PI") collected and purposes for collecting it. The proposed regulations require businesses to make such notices easy to read and understand for an average consumer and accessible to consumers with disabilities. The regulations describe how to make point of collection notices accessible when collecting PI online and offline and identify the information that must be conveyed.
Right to Opt-Out of "Sale" of PI: California residents have a right to opt-out of the "sale" of their PI. The term "sale" is broadly defined in the CCPA as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's [PI] to another business or a third party for monetary or other valuable consideration." A transfer of information to a service provider does not constitute a sale, if the service provider adheres to certain restrictions. The proposed regulations describe how businesses should provide notice of this right to consumers, including through a "Do Not Sell" link, and the content of such notices. The regulations do not provide more specific guidance on what constitutes a "sale" of PI.
Financial Incentives: Businesses must provide notice of any financial incentive or price or service difference that is offered in exchange for the retention or sale of PI. The proposed regulations describe how a notice of financial incentives must be provided and what information must be conveyed.
Handling Consumer Requests
California residents have a right to request that businesses disclose what PI has been collected about them, request deletion of their PI in certain circumstances, and request to opt-out of the "sale" of their PI. The proposed regulations instruct businesses on how to handle consumer requests made pursuant to the CCPA and address methods for enabling consumers to submit requests, rules for authorized agents, the timeframe for responding to requests, verification of consumers, and how businesses can demonstrate compliance with the CCPA.
Consent From Children
The CCPA prohibits the "sale" of PI pertaining to consumers under age 16 unless the consumer (if between 13 and 16) or the consumer's parent or guardian (if under age 13) consents. The proposed regulations describe how businesses must obtain consent and how businesses can verify that the person authorizing consent for a child under age 13 is the parent or guardian. The draft regulations require a two-step consent process for minors 13 - 15.
Businesses cannot discriminate against consumers who exercise their rights under the CCPA. The proposed regulations explain what kinds of business practices constitute discrimination under the CCPA and how to determine the value of a consumer's data for purposes of offering a financial incentive or price or service difference.
Costs of Compliance
The Attorney General estimates that the initial costs of complying with the CCPA are $25,000 for a small business, with ongoing annual costs of $1,500. For larger businesses, initial costs are estimated at $75,000, with ongoing costs of $2,500 annually. Certainly input on expected costs could be quite helpful.
A series of public hearings will be held across California on December 2-5, 2019. Comments may be submitted at the hearing, by mail, or by email until December 6, 2019. Affected businesses should review the proposed regulations carefully and provide feedback on any concerns or recommended changes.