CCPA Draft Regulations Released by California's Attorney General
TOPICS: Data Protection, Data Subject Rights, Children Privacy, COPPA, CCPA, California, US
The Attorney General of California published the Draft Regulations implementing the California Consumer Privacy Act ("CCPA"). The Draft was published shortly after the Californian legislator enacted five amendments to the CCPA and aims to concretize the CCPA's application and requirements.
Although the CCPA is expected to take effect on 1 January 2020, its enforcement by the Attorney General would only commence six months after the publication of the final Regulations or on 1 July 2020, whichever occurs earlier.
The Draft Regulations specify the obligations of businesses subject to the CCPA, such as requirements to provide notice and information regarding the collection of personal data and the consumers' right to opt-out of the sale of personal information. Such a notice shall be written in a plain and straightforward language and be obvious to consumers using different devices. The notice shall be available in any language the business uses in its ordinary course of operations and must be accessible to consumers with disabilities.
The Draft Regulations require businesses to provide at least two designated methods for consumers to submit requests in order to know or delete personal data. When deciding which methods to provide, a business shall take into consideration the way by which it interacts with its consumers in its regular course of business, such that at least one method reflects the manner in which the business primarily interacts with its consumers. In addition, the Draft Regulations provide instructions on how as well as the timeframe by which businesses must respond to such requests.
A business shall also implement reasonable methods for verifying that the person making personal data requests is the consumer about whom the business has collected information. If the business cannot verify the identity of the person making the request, then it shall not disclose any personal information and shall notify the consumer that it cannot verify their identity. If the same happens in a request to delete, the business may deny the request and notify the requestor.
According to the Draft Regulations, businesses must inform all employees responsible for handling consumer inquiries as to the business's privacy practices and the CCPA requirements. A business shall also maintain records of any request made by a consumer and the respective responses for at least 24 months. Such information shall not be used for any purpose other than record keeping.
The Draft Regulations also address collection of personal data from minors. When a business has actual knowledge that it collects or maintains personal information on minors, the Regulations provide instructions on how it shall obtain authorization for the sale of their personal information. The required actions differ depending on the age of the minor in question.
The Draft Regulations are to be discussed at public hearings across California, to take place 2 through 5 December 2019. The deadline for written comments is 6 December 2019. There will be a second public comment period following revisions to the Draft Regulations of either 15 or 45 days, depending on the extent of changes in response to the first public comment period.
Earlier this year, we published our CCPA Compliance Playbook in order to assist with preparing to the upcoming regulatory change. Please feel free to contact us for any assistance in preparing your company for the CCPA.
This update was published as part of our Technology & Regulation monthly client update. To read more about HFN's Technology & Regulation Department, click here.