On October 10th, California state attorney general Xavier Becerra announced the release of proposed implementing regulations concerning the California Consumer Privacy Act (CCPA).
The regulations address five main areas:
- Notice to Consumers: The regulations govern the notices that businesses are required to provide consumers at or before the time of collection of personal information; notices of the right to opt-out of sale of personal information (including requirements for providing a “Do Not Sell” button); notices of financial incentives or price or service differences that may be offered in exchange for the collection, sale, or deletion of personal information; and content that must be contained in businesses’ privacy policies.
- Business Practices for Handling Consumer Requests: The regulations contain specific requirements for providing methods for submitting requests to access and requests to delete data, and for responding to such requests; requirements specific to service providers; requirements governing requests to opt-out; and training and recordkeeping requirements. The regulations also address requirements for responding to requests to access or delete information belonging to a “household.”
- Verification of Requests: The regulations provide requirements for verifying consumer requests, and list factors for businesses to consider when determining the level of verification required. The regulations also govern the means by which consumers can submit requests via authorized agents.
- Special Rules Regarding Minors: The regulations provide specific requirements for processing opt-ins to the sale of personal information from parents (for children under 13) and from children between the ages of 13-16.
- Non-Discrimination: Under the CCPA, businesses generally are prohibited from discriminating against a consumer because the consumer exercised his or her rights under the statute. However, businesses are permitted to offer a different price or service if the difference is “directly related” to the value provided to the business by the consumer’s data. The regulations provide additional requirements for exercising this option, including requirements for calculating the value of consumer data.
Interested stakeholders can submit written comments until December 6, 2019 at 5 PM (Pacific Time). In addition, four public hearings will be held on December 2nd (Sacramento), December 3rd (Los Angeles), December 4th (San Francisco) and December 5th (Fresno).