The California Consumer Privacy Act (CCPA) is slated to go into effect on January 1, 2020. Similar to Europe’s General Data Protection Regulation (GDPR), the CCPA grants to California consumers several rights relating to the data that companies have about them—including the right to opt-out of the sale of that information and the right to have that information deleted. We have previously written on the CCPA’s substantive requirements, and have provided guidance on creating a compliance strategy as well as interpreting the CCPA’s data security “reasonableness” standard.
We have been anticipating the California Office of the Attorney General to release proposed regulations for the CCPA, and on October 10, they released draft regulations which fill in several gaps in the law. The regulations actually created additional substantive legal requirements.
The draft regulations contain five main components:
- Notices to Consumers: The regulations expand on the CCPA’s notice requirements, by, among other things, requiring covered entities to list the categories of personal information being collected and, for each category, provide the purpose for the data collection. The regulations also clarify that entities that do not collect personal information directly from consumers are not required to provide an initial notice.
- Handling Consumer Rights Requests: The regulations provide instructions for how entities must receive, verify, respond to, and document consumer rights requests (e.g., requests to delete data).
- Special Rules Regarding Minors: The regulations expand on the CCPA’s requirements for how businesses handle consumer requests for people under 16.
- Non-Discrimination: In the wake of a failed amendment to exclude loyalty programs from the CCPA all together, the regulations attempt to provide additional guidance on what constitutes “discrimination” under the law by creating an exemption to the discrimination prohibition for a price difference that is “is reasonably related to the value of the consumer’s data.”
- Service Providers: The regulations seemingly contradict the CCPA, which states that service providers do not need to reply to consumer rights request, by stating that service providers must provide a basis for denying such requests. The regulations also clarify that an entity may be a service provider where it is collecting information consumers as directed by another entity.
The comment period for the draft regulations closes on December 6, 2019, and additional changes are expected to the regulations as the attorney general’s office weighs the draft regulations against public comments. The final regulations are expected to be released in early 2020 and will be enforced by the attorney general’s office beginning in July 2020.
TIP: Keep an eye out for regulator guidance to dial in your privacy compliance, and, in the meantime, send any written comments on the Attorney General’s Draft Guidance to [email protected].