Proposed CCPA Regulations Contain Unexpected Requirements - Summary

Yesterday, the California Attorney General’s Office issued the long-awaited California Consumer Privacy Act Proposed Regulations. The proposed regulations focus on the following CCPA provisions:

  1. notice to consumers;
  2. business practices for handling requests;
  3. verification of requests;
  4. special rules regarding minors; and
  5. nondiscrimination.

Organizations will have until December 8 to submit comments on the proposed regulations, and four public hearings will be held in early December to collect further comments.

Summary

While the proposed regulations are analyzed in detail on our blog, businesses should be particularly aware of the following new requirements:

  • Privacy Policy Must Describe Verification Process. Among other things, a business’s privacy policy must describe (a) the verification process the business will use in relation to consumer requests to know, delete, and opt out, including the information consumers must provide in relation to such process, and (b) how consumers can designate an authorized agent to make a request on their behalf.
  • Financial Incentives/Estimated Value of Consumer Data. Businesses offering financial incentives must provide consumers with an explanation of why the financial incentive is permitted under the CCPA, a good-faith estimate of the value of the consumer’s data in relation to the financial incentive, and a description of the method used to calculate the value.
  • Two-Step Deletion Process. Businesses must have a two-step deletion procedure whereby a consumer submits a deletion request online, and thereafter the business confirms the consumer wants their personal information deleted prior to honoring the deletion request.
  • Large Data Processors Must Publish Rights Metrics. A business that annually buys, receives, sells, or shares for commercial purposes the personal information of four million or more consumers must be able to disclose the number of requests to know, delete, and opt out it received; the number it complied with in whole or in part; the number it denied; and the median number of days the business took to respond to such requests for the previous calendar year.
  • Partial Opt-Out Choices. A business can provide more granular opt-out choices for selling, including presenting a consumer with the opportunity to opt out of only certain types of sales or certain data categories for sale, as long as the business displays the global, full opt-out more prominently.

Read the full analysis of the proposed regulations here.