Newsletter

California AG Releases Proposed CCPA Implementing Regulations

November 2019

Last month, California Attorney General (AG) Xavier Becerra released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA). These rules, once finalized, will govern compliance with the CCPA.

The proposed regulations—24 pages in length—establish procedures and provide guidance for businesses covered under the CCPA. Below is an illustrative list of some of what the proposed rules cover:

  • Notice. The proposed regulations detail what notice must be provided at the time of data collection—distinguishing between online and offline (in person) collection. They also outline the notice that must be provided to consumers about how to exercise an opt-out request. For those businesses offering financial incentives or price of service differences, a description of the specific notice that must be provided about those offerings is also detailed in the draft.
  • Privacy Policy. The proposal details the information that the CCPA requires to be included in the privacy policy of a business, including specific information about consumer rights, and how the consumer can exercise those rights, designate an authorized agent to exercise those rights, or contact the business for more information. Additionally, the proposed regulations would require a business to include in its privacy policy an affirmative statement about whether or not the business has disclosed or sold personal information to third parties in the preceding 12 months.
  • Business Practices for Handling Consumer Requests. The proposal details the procedures businesses should have in place to process consumer requests to exercise their rights under the statute. The proposed regulations outline a two-step process for the exercise of certain consumer rights, including deletion and opt-out. They require businesses to confirm receipt of such requests within 10 days, in addition to responding to the request within 45 days from the date of receipt. The proposed regulations also require that businesses treat user-enabled privacy controls, such as browser plugins or privacy settings, as a valid request to opt-out.
  • Verification Procedures. Businesses are required by the proposed regulations to establish a “reasonable” method to verify—“to a reasonable degree of certainty”—that the consumer making a request is the individual about whom the business has collected information, including that the business satisfy a minimum number of verification points depending on the type of information involved. The proposed regulations tie the level of verification required to the sensitivity of the data. The proposed regulations contemplate that consumers could designate an authorized agent to exercise rights on their behalf and propose additional verification requirements for such entities.
  • Training and Record-Keeping. The proposed regulations require that all individuals responsible for handling consumer inquiries receive training about CCPA requirements. Businesses, under the proposed regulations, must establish procedures for record-keeping and would be required to maintain records of consumer requests made pursuant to the CCPA for at least 24 months.
  • Special Rules Regarding Minors. The CCPA requires that minors under 13 years of age must affirmatively opt-in to the sale of their personal information. The proposed regulations require that businesses establish a reasonable method for verifying the identity of a parent or guardian of a child who would be exercising the opt-in on behalf of their child. The regulations list examples of several methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian. The regulations also set out special requirements for notices to minors under 16 years of age.

The CCPA will take effect January 1, 2020, and enforcement by the Attorney General will begin six months after the final implementing regulations are published, or on July 1, 2020, whichever comes first. The CCPA applies to a for-profit business that collects a California resident’s personal information, does business in California, and meets at least one of the following criteria: (1) has annual gross revenues in excess of $25 million; (2) receives or discloses the personal information of 50,000 or more consumers, households or devices per year; or (3) derives 50% or more of its annual revenues from selling the personal information of California residents. There are limited exceptions to the scope of the law, including for information that is governed by HIPAA or the Gramm-Leach-Bliley Act.

The Attorney General is currently accepting written comments on the proposed regulations through December 6, 2019. Additionally, the Attorney General will be holding four public hearings at which interested parties may submit oral or written testimony. The public hearings are scheduled for December 2 in Sacramento, December 3 in Los Angeles, December 4 in San Francisco, and December 5 in Fresno.

If your organization would like to participate in the upcoming hearings or submit written comments, or for more information on how the CCPA applies to your organization, please contact Megan Brown, Matt Gardner, Duane Pozza, Antonio Reynolds, Joan Stewart, or Kat Scott.
