Recently, we blogged concerning the California State Attorney General’s release of draft California Consumer Privacy Act (“CCPA”) regulations and the associated request for public comment. In that blog, we highlighted that new obligations had been added that were not included in the CCPA itself. Today, we discuss one such new provision – Section 999.317(g) of the proposed CCPA regulations, which creates new record-keeping and disclosure obligations for every business that “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers.”

What are the new disclosure and record-keeping requirements contained in Section 999.317(g)?

Mandated Privacy Policy Disclosures

Generally, the proposed CCPA regulations require businesses to maintain records of consumer requests for at least 24 months. The regulations describe how such records must be maintained, including that they may be kept in ticket or log format and must contain: 1) the date of the request; 2) the nature of the request; 3) the manner in which the request was made; 4) the date of the business’s response; 5) the nature of the response; and 6) the basis for denial if the request is denied in whole or in part. In addition, the proposed CCPA regulations require that every business that annually buys, collects, sells or shares the personal information of more than 4 million California State consumers for commercial purposes compile and disclose in its privacy policy (or separately post on its website, accessible from a link included in its privacy policy) the following metrics from the previous calendar year:

  • The number of requests to know, the number of requests to delete, and the number of requests to opt-out that the business received, complied with (in whole or in part), and denied; and
  • The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

Additionally, a business that meets the 4 million threshold is required to establish, document, and comply with a training policy that ensures that all individuals responsible for handling consumer requests and for CCPA compliance are informed of all the requirements contained in the CCPA itself and in the Attorney General’s implementing regulations.

The Intent of this CCPA Regulation

Each business that annually buys, collects, sells or shares the personal information of more than 4 million California State residents is handling the personal information of approximately 10% of California State’s population. The Attorney General reasons that a business operating at this scale should have the ability to respond adequately to the significant volume of consumer requests it will receive. The first step in complying with this new and seemingly onerous regulation is for every business to ascertain the volume of California State resident personal information that it handles on an annual basis. Regardless of whether a company meets the 4 million California consumer threshold, revising its privacy policies (among many other necessary measures) in advance of the statute’s January 1, 2020 effective date will be a significant undertaking for every company that falls within the CCPA definition of “Business.”