Last Thursday, the California Attorney General finally released the first draft of the proposed regulations under the California Consumer Privacy Act of 2018 (“CCPA”). Although not final, they provide some insight into the future of the CCPA as we grapple with the latest amendments, signed by the California Governor last Friday, which change the statute again before its January 1, 2020 effective date. In addition, the law’s sponsor has announced yet another new ballot initiative for the 2020 election, currently dubbed the California Privacy Rights and Enforcement Act of 2020.
For this round of regulations, the Office of the Attorney General is scheduled to hold several meetings in early December for feedback. At first glance, the regulations do not appear to provide the clarifications on the statute that many were hoping for, but they do have some helpful nuggets of guidance. The regulations focus on six areas: (1) requirements for consumer notices, (2) practices for handling consumer requests for access, deletion, and opt-outs for sales of information, (3) verification rules for access and deletion requests, (4) training and record keeping, and (5) additional rules for minors, as well as some clarification on (6) service providers.
Several things of note, based on these proposals:
- User-enabled privacy controls on devices that signal a choice to opt out of the sale of data are considered valid opt-out requests. This would seem to bring technology, such as the long-disputed “do not track” signals, back into play for industry consideration.
These proposals are expected to spark a lot of discussion and continued debate leading into the New Year. Final comments on the proposals are due to the Attorney General by December 6.