November 15, 2019

California Attorney General Issues Proposed CCPA Regulations

On October 10, California Attorney General Xavier Becerra published long-awaited proposed regulations to the California Consumer Privacy Act (CCPA), along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. The CCPA, which takes effect on January 1, 2020, provides new rights for California residents and imposes new obligations on businesses. The proposed regulations provide guidance to businesses for complying with the CCPA. The Attorney General is soliciting written comments regarding the regulations until December 6, 2019.

Notices to Consumers

Point of Collection: The CCPA requires point of collection notices to inform consumers at or before the time of collection of the categories of personal information ("PI") collected and purposes for collecting it. The proposed regulations require businesses to make such notices easy to read and understand for an average consumer and accessible to consumers with disabilities. The regulations describe how to make point of collection notices accessible when collecting PI online and offline and identify the information that must be conveyed.

Right to Opt-Out of "Sale" of PI: California residents have a right to opt-out of the "sale" of their PI. The term "sale" is broadly defined in the CCPA as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's [PI] to another business or a third party for monetary or other valuable consideration." A transfer of information to a service provider does not constitute a sale, if the service provider adheres to certain restrictions. The proposed regulations describe how businesses should provide notice of this right to consumers, including through a "Do Not Sell" link, and the content of such notices. The regulations do not provide more specific guidance on what constitutes a "sale" of PI.

Financial Incentives: Businesses must provide notice of any financial incentive or price or service difference that is offered in exchange for the retention or sale of PI. The proposed regulations describe how a notice of financial incentives must be provided and what information must be conveyed.

Privacy Policy: The proposed regulations provide guidelines for privacy policies, including designing and presenting them in a way that is easy to read and understandable to an average consumer. Privacy policies must communicate consumers' rights under the CCPA.

Handling Consumer Requests

California residents have a right to request that businesses disclose what PI has been collected about them, request deletion of their PI in certain circumstances, and request to opt-out of the "sale" of their PI. The proposed regulations instruct businesses on how to handle consumer requests made pursuant to the CCPA and address methods for enabling consumers to submit requests, rules for authorized agents, the timeframe for responding to requests, verification of consumers, and how businesses can demonstrate compliance with the CCPA.

Consent From Children

The CCPA prohibits the "sale" of PI pertaining to consumers under age 16 unless the consumer (if between 13 and 16) or the consumer's parent or guardian (if under age 13) consents. The proposed regulations describe how businesses must obtain consent and how businesses can verify that the person authorizing consent for a child under age 13 is the parent or guardian. The draft regulations require a two-step consent process for minors 13 to 15.

Non-Discrimination

Businesses cannot discriminate against consumers who exercise their rights under the CCPA. The proposed regulations explain what kinds of business practices constitute discrimination under the CCPA and how to determine the value of a consumer's data for purposes of offering a financial incentive or price or service difference.

Recordkeeping

The proposed regulations require businesses to maintain records of consumer requests for at least 24 months, and describe how such records must be maintained. A business that buys, collects, sells, or shares for commercial purposes PI of 4,000,000 or more consumers must compile annually: the number of "requests to know" received, processed, and denied; the number of "requests to delete" received, processed, and denied; the number of "requests to opt-out" received, processed, and denied; and the median number of days within which the business responded to such requests. Any business required to compile this information must publish the information on its website or in its privacy policy.

Costs of Compliance

The Attorney General estimates that the initial costs of complying with the CCPA are $25,000 for a small business, with ongoing annual costs of $1,500. For larger businesses, initial costs are estimated at $75,000, with ongoing costs of $2,500 annually. Certainly, input on expected costs could be quite helpful.

What's Next

A series of public hearings will be held across California on December 2-5, 2019. Comments may be submitted at a hearing, by mail, or by email until December 6, 2019. Affected businesses should review the proposed regulations carefully and provide feedback on any concerns or recommended changes.

© 2019 Keller and Heckman LLP

About this Author

Tracy Marshall
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...

202-434-4234

Sheila Millar
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies, data security and access procedures, manage trans-border data flows, respond to data breaches and create training programs. She assists clients on digital media issues, helping them develop social media, blogging and user-generated content policies, and to understand advertising technology and online behavioral advertising issues.  Ms. Millar also works with clients to navigate the array of federal and state requirements governing contests and sweepstakes, and advises on gift cards, coupons and rebates.  She represents clients on advertising and privacy matters before the Federal Trade Commission (FTC), the Children’s Advertising Review Unit (CARU), the National Advertising Division (NAD), as well as in connection with investigations by state regulatory bodies and Attorneys General.

202-434-4646