News & Insights  |  Articles

California AG Releases Proposed CCPA Implementing Regulations

October 10, 2019

Today, California Attorney General (AG) Xavier Becerra released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA). These rules, once finalized, will govern compliance with the CCPA.

Today’s release sets into motion a series of events and deadlines in the formal rulemaking process, through which interested stakeholders will have multiple opportunities to engage. Specifically, the Attorney General plans to hold four public hearings, where interested parties can present oral or written testimony. Those hearings are scheduled for December 2-5.

Dec. 2- Sacramento
Dec. 3- Los Angeles
Dec. 4- San Francisco
Dec. 5- Fresno

Additionally, the Attorney General will accept written comments until December 6.

The proposed regulations—24 pages in length—establish procedures and provide guidance for businesses covered under the CCPA. Below is an illustrative list of some of what the proposed rules cover:

  • Notice. The proposed regulations detail what notice must be provided at the time of data collection—distinguishing between online and offline (in person) collection. They also outline the notice that must be provided to consumers about how to exercise an opt-out request. For those businesses offering financial incentives or price of service differences, a description of the specific notice that must be provided about those offerings is also detailed in the draft.
  • Privacy Policy. The proposal details the information that the CCPA requires to be included in the privacy policy of a business, including specific information about consumer rights, and how the consumer can exercise those rights, designate an authorized agent to exercise those rights, or contact the business for more information. Additionally, the proposed regulations include a requirement that would require a business to include in its privacy policy an affirmative statement about whether or not the business has disclosed or sold personal information to third parties in the preceding 12 months.
  • Business Practices for Handling Consumer Requests. The proposal details the procedures businesses should have in place to process consumer requests to exercise their rights under the statute. The proposed regulations outline a two-step process for the exercise of certain consumer rights, including deletion and opt-out. They require businesses to confirm receipt of such requests within 10 days, in addition to responding to the request within 45 days from the date of receipt. The proposed regulations also require that businesses treat user-enabled privacy controls, such as browser plugins or privacy settings, as a valid request to opt-out.
  • Verification Procedures. Businesses are required by the proposed regulations to establish a “reasonable” method to verify—“to a reasonable degree of certainty”—that the consumer making a request is the individual about whom the business has collected information, including that the business satisfy a minimum number of verification points depending on the type of information involved. The proposed regulations tie the level of verification required to the sensitivity of the data. The proposed regulations contemplate that consumers could designate an authorized agent to exercise rights on their behalf and propose additional verification requirements for such entities.
  • Training and Record-Keeping. The proposed regulations require that all individuals responsible for handling consumer inquiries receive training about CCPA requirements. Businesses, under the proposed regulations, must establish procedures for record-keeping and would be required to maintain records of consumer requests made pursuant to the CCPA for at least 24 months.
  • Special Rules Regarding Minors. The CCPA requires that minors under 13 years of age must affirmatively opt-in to the sale of their personal information. The proposed regulations require that businesses establish a reasonable method for verifying the identity of a parent or guardian of a child who would be exercising the opt-in on behalf of their child. The regulations list examples of several methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian. The regulations also set out special requirements for notices to minors under 16 years of age.

The CCPA will take effect January 1, 2020, and enforcement by the Attorney General will begin six months after the final implementing regulations are published, or on July 1, 2020, whichever comes first. The CCPA applies to a for-profit business that collects a California resident’s personal information, does business in California, and meets at least one of the following criteria: (1) has annual gross revenues in excess of $25 million; (2) receives or discloses the personal information of 50,000 or more consumers, households or devices per year; or (3) derives 50% or more of their annual revenues from selling the personal information of California residents. There are limited exceptions to the scope of the law, including for information that is governed by the HIPAA or the Gramm-Leach-Bliley Act.

If your organization would like to participate in the upcoming hearings or submit written comments, or for more information, please contact, Megan BrownMatt Gardner, Duane Pozza, Antonio Reynolds, Joan Stewart, or Kat Scott.