Recently, we blogged concerning the California State Attorney General’s release of draft California Consumer Privacy Act (“CCPA”) regulations and the associated request for public comment. In that blog, we highlighted that new obligations had been added that were not included in the CCPA itself. Today, we discuss one such new provision – Section 999.317(g) of the proposed CCPA regulations, which creates new record-keeping and disclosure obligations for every business that “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers.”
What are the new disclosure and record-keeping requirements contained in Section 999.317(g)?
- The number of requests to know, the number of requests to delete, and the number of requests to opt-out that the business received, complied with (in whole or in part), and denied; and
- The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
Additionally, a business that meets the 4 million threshold is required to establish, document, and comply with a training policy that will ensure that all individuals responsible for handling consumer requests and compliance with the CCPA are informed of all the requirements contained in the CCPA itself and the Attorney General’s implementing regulations.
The Intent of this CCPA Regulation
Each business that annually buys, collects, sells or shares the personal information of more than 4 million California State residents is handling the personal information of approximately 10% of California State’s population. The Attorney General reasons that a business operating at this size should have the ability to adequately respond to the significant volume of consumer requests that it will receive. The first step in complying with this new and seemingly onerous regulation is for every business to ascertain the volume of California State resident personal information that it is handling on an annual basis. Regardless of whether a company meets the 4 million California consumer threshold, revising business privacy policies (among many other necessary measures) in advance of the statute’s January 1, 2020 effective date will be a significant undertaking for all companies that fall within the CCPA definition of “Business.”