Cyber Law Blog
November 26, 2019

A Look at California’s Draft Regulations Under the CCPA

BY: Jason Taylor

The California Consumer Privacy Act (“CCPA”) was enacted in 2018 and takes effect on January 1, 2020. This landmark piece of legislation secures new privacy rights for California consumers. Among other things, the CCPA creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. On October 10, 2019, California Attorney General Xavier Becerra released draft regulations under the CCPA for public comment. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance and clarity to businesses for how to comply.

In general, the CCPA applies to a “business” that does business in the State of California, collects personal information (or on behalf of which such information is collected), alone or jointly with others determines the purposes or means of processing of that data, and satisfies one or more of the following thresholds: (i) annual gross revenue in excess of $25 million; (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. According to estimates, the CCPA will protect over $12 billion worth of personal information that is used for advertising in California each year. Preliminary estimates suggest a total of $467 million to $1.6 billion in costs to comply with the draft regulations, if finalized, during the period 2020-2030.

The proposed regulations are intended to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law. The draft regulations specifically address Notices to Consumers, Business Practices for Handling Consumer Requests, Verification of Requests, Special Rules Regarding Minors, and Non-Discrimination. Below is a summary highlighting some of the more significant aspects of the proposed regulations.

Notices at Collection of Personal Information

The CCPA requires that businesses give “notice at collection” to a consumer at or before the time a business collects personal information from the consumer. The purpose of the notice at collection is to inform consumers of the categories of personal information to be collected from them and the purposes for which the categories of personal information will be used. The notice at collection must be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer, including those with disabilities; it must use plain, straightforward language and avoid technical or legal jargon. Importantly, the notice at collection must be visible or accessible where consumers will see it before any personal information is collected.

The proposed regulations provide that a business must include the following in its notice at collection:

A business that does not collect information directly from consumers does not need to provide a notice at collection to the consumer. If, however, the business later decides to sell a consumer’s personal information, it must either (a) contact the consumer directly to notify him or her that the business sells personal information about the consumer and provide the consumer with a notice of right to opt-out, or (b) contact the source of the personal information to confirm that the source provided a notice at collection to the consumer and obtain signed attestations from the source describing how it gave the notice at collection, with an example of the notice. Attestations must be retained by the business for at least two years and made available to the consumer upon request.

Notice of Right to Opt-Out of Sale of Personal Information

The notice of right to opt-out of sale of personal information informs consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop and refrain from doing so in the future. As with other notices, the notice of right to opt-out must be designed and presented in a way that is easy to read and understandable to an average consumer.

A business that sells personal information must provide a notice of right to opt-out to the consumer by posting the notice of right to opt-out on the webpage where the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the business’s website or mobile application.

Specifically, the website or app must include:

A business that substantially interacts with consumers offline or does not operate a website must also provide notice to the consumer by an offline method to facilitate consumer awareness of the consumer’s right to opt-out, and establish, document, and inform consumers of their right to direct a business that sells their personal information to stop selling their personal information.

Notice of Financial Incentive

The CCPA and proposed regulations require businesses to explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of the consumer’s personal information so that the consumer can make an informed decision on whether to participate.

Under the proposed regulations, regulated entities must include the following in their notices of financial incentive:

Privacy Policy

The proposed regulations set forth the scope of what is required in a business’s privacy policy and how that policy must be made available to consumers. Generally, the proposed regulations require that the privacy policy address the “right to know” about the personal information collected, disclosed, or sold; the right to request deletion of personal information; the right to opt-out of the sale of personal information; and the right to non-discrimination for the exercise of a consumer’s privacy rights; and that it provide consumers with a contact for questions or concerns about the business’s privacy policies and practices. The privacy policy must explain these rights to consumers and provide instructions or describe the process for how to exercise these rights.

Business Practices for Handling Consumer Requests

The proposed regulations also provide for the methods required for submitting requests to know and requests to delete personal information, as well as how a business must respond to such requests.

For example,

Training and Recordkeeping

The proposed regulations also set forth training and record-keeping requirements for businesses.

For example, the proposed regulations mandate that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA must be informed of all the requirements in the CCPA and its regulations, and how to direct consumers to exercise their rights under the CCPA and regulations. The proposed regulations also include guidance on how businesses verify requests from consumers and require that businesses maintain records of consumer requests made pursuant to the CCPA and how the business responded to said requests for at least 24 months. The regulations include additional obligations for businesses buying, receiving, sharing, or selling personal information of 4,000,000 or more consumers, and requirements for collecting or maintaining information of minors.

The draft regulations are open for public comment until December 6, 2019. California’s Attorney General will consider all comments and may revise the regulations in response, which will open up an additional public comment period. Following the comment period, the Attorney General will submit the final text of the regulations, a final “Statement of Reasons” responding to every comment submitted, and an updated informative digest to the Office of Administrative Law to review the regulations for approval.