As most are now already aware, the California Consumer Privacy Act (CCPA), a law that provides extensive privacy rights to California residents and places numerous requirements on businesses that process personal data of California residents, goes into effect on January 1, 2020. Notably, on October 10, 2019, the California Attorney General released draft implementing regulations for the CCPA that provide additional insight into what the CCPA requires. The regulations are very broad and quite prescriptive on a variety of aspects of CCPA compliance. The following are some key highlights of the regulations that businesses should consider as they work on their compliance initiatives:
- At least two methods for consumers to submit access or deletion requests are required, including a toll-free number, and if a business operates a website, an interactive webform. In certain cases, businesses may be required to offer at least three methods.
- Privacy policies must be accessible to those with disabilities and available in an additional format that allows consumers to print them as a separate document.
- Businesses must confirm receipt of access or deletion requests within 10 days, and then they will have 45 days to respond to the request with a possible extension of an additional 45 days.
- Records of consumer requests and how the businesses responded must be kept for at least 24 months, with extensive record-keeping requirements for businesses that receive or share personal information of 4 million or more consumers.
- If a business collects personal information indirectly from consumers (e.g., from a source other than the consumer), it needs to either contact the consumer directly or obtain signed attestations from the source of the information before the business can sell that information.
Of course, the above list is far from exhaustive. Businesses should be sure to review the entire draft regulations and integrate them into their CCPA compliance efforts.