California AG Releases Draft California Consumer Privacy Act (CCPA) Regulations


On October 10, 2019, Xavier Becerra, the Attorney General (AG) of California, published a Notice of Proposed Rulemaking Action on draft regulations implementing the California Consumer Privacy Act (CCPA), a law intended to give consumers greater control over how companies collect and manage their personal data. The draft regulations are the first peek into how the Attorney General expects to interpret the law, which is expected to go into effect on January 1, 2020.

Then, on October 11, 2019, California Governor Gavin Newsom signed seven legislative proposals to amend the CCPA.

The CCPA, as written, is the strictest data privacy protection in the country and allows for consumers to request that their data be deleted in addition to giving them the opportunity to opt out of having their information sold to a third party. The draft regulations offer California businesses a guideline for what they need to do to become compliant with the law, though changes are still possible.

Changes Signed into Law By Governor Newsom

AB 1355 exempts deidentified or aggregate consumer information from the personal information definition. It also creates a one-year exemption for certain business-to-business communications and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).

AB 1564 requires businesses to provide at least two methods for consumers to submit requests for information, including a toll-free telephone number. It does make an exception, however, for a business that operates exclusively online and has a direct relationship with the consumer, as such a provider is only required to provide an email address for submitting CCPA requests.

AB 1202 requires data brokers to register with the California AG office. AB 25 made it so the law no longer covers collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.

AB 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. AB 874 streamlines the “publicly available” definition to include information that is lawfully made available from federal, state, or local government records. It also clarifies that the definition of “personal information” does not include deidentified or aggregate consumer information (similar to AB 1355).

Lastly, AB 1130 revises the personal information definition in the context of data breaches. The definition is expanded to add specified unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document.

AG Proposed Regulations

The draft regulations cover seven general areas: notices to consumers; handling consumer requests; verification of requests; service providers; mini-data broker requirements; rules regarding minors; and non-discrimination.

When it comes to notices to consumers, the draft regulations clarify the format and content of notices businesses provide to consumers, including (but not limited to): notices must be designed and presented in an easy-to-read, understandable way, and be ADA accessible; for notices provided offline, the notice must be provided prior to data collection, such as via a hard copy of the notice or prominent, in-store signage with a link to the notice; and opt-out notices must contain certain content, including a description of the proof required when a consumer is using an authorized agent to help them exercise their opt-out right.

The draft regulations also propose an extensive set of rules on how to operationalize the handling of consumer requests. Some proposed requirements include: a requirement that businesses confirm the receipt of consumer requests within 10 days, re-confirm requests to delete personal information, and maintain records on handling of consumer requests for at least two years; a requirement that if a consumer submits a request through a non-designated method, or a deficient request (unrelated to verification), the business must either treat such request as submitted correctly or provide instructions to the consumer on how to remedy the deficiencies; and if a consumer has opted out of the sale of personal information, the business must obtain a double opt-in thereafter. The proposed requirements are extensive and it is recommended that all businesses working to implement the CCPA review this section in its entirety.

The draft regulations also establish rules on obtaining consent to sell personal information obtained from/about minors. To obtain parental consent to sell the personal information of minors, a business must obtain consent in addition to any verifiable parental consent obtained under the federal Children’s Online Privacy Protection Act (COPPA).

The amendments signed into law by Governor Newsom will replace or augment the statutory text of the CCPA, while the draft regulations outline how the AG’s office expects companies to comply with the law.

An economic impact assessment found that the law could cost companies up to $55 billion, just in initial compliance costs.

Public Hearings and Comment Period – Ends December 6, 2019

The California AG will hold four public hearings to allow any interested parties the chance to present statements or comments. The hearings take place in various cities around the state, including Sacramento (December 2), Los Angeles (December 3), San Francisco (December 4), and Fresno (December 5).

The draft is open to public comments until December 6, 2019, at 5pm PST. Written comments may be submitted at one of the above-mentioned hearings, by mail, or by email. Mailed comments can be sent to Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA, 90013. Emailed comments can be sent to PrivacyRegulations@doj.ca.gov.

The AG office can begin enforcement six months after the final regulations are in place, or by July 1, 2020, at the latest.

 
