California’s Attorney General, Xavier Becerra, issued last Thursday the regulations that will likely govern the operation of the California Consumer Privacy Act (CCPA). The regulations provide begin to flesh out some of the details of the operation of the CCPA. Over the weekend, the California Governor signed the CCPA amendments passed in September by the state legislature, so the CCPA is now ready for enforcement.
The draft regulations are not final. The Attorney General will hold four public hearings the first week of December and accept written comments through December 6. Few changes are expected, however, so the regulations issued yesterday will likely be effective on January 1, 2020. Enforcement of the regulations set to begin on the earlier of July 1, 2020 or six months after the publication of the final regulations.
Notification Requirements
The regulations describe the notices required under the CCPA, specifying what information must be provided when collecting information from consumers, including opt-out rights. They even contain a mock-up of a “Do Not Sell My Personal Information” button to be placed on websites. The regulations specify how to notify consumers if their personal information is in exchange for a financial incentive from the business, and how to calculate the value of that data. The new regulations also require businesses to notify consumers of the process and proof needed to request access to or deletion of their personal information.
Data Access and Deletion Deadlines and Processes
One big concern with CCPA is the obligation to promptly respond to consumer data access requests. The regulations describe the processes that must be in place. A business must acknowledge such a request within 10 days and respond within 45 days, or assert a single extension of another 45 days. The regulations specify additional data tracking and recordkeeping processes, and state that businesses must provide two or more designated methods for submitting such requests, with one method being a toll-free telephone number. Businesses that do not interact directly with consumers in their ordinary course of business must have at least one method for submitting requests online.
Verifying Those Who Make Data Access Requests
The most vexing question to be answered by the regulations was how businesses verify the identity of those requesting access to or deletion of personal information. The regulations establish a sliding scale of verification requirements based on the sensitivity and value of the personal information, the risk of harm to the consumer posed by unauthorized access to that personal information, and the likelihood that fraudulent actors would seek the personal information collected. Non-account holders are particularly suspect, as a business can make account holders first sign into their business account to verify identity.
The regulations establish two verification standards, a “reasonable degree” of certainty and “reasonably high degree” of certainty. If a consumer requests only the categories of personal information collected by a business, a reasonable degree of certainty applies, and the consumer must provide two data points to verify identity. If the consumer requests specific pieces of personal information, a reasonably high degree of certainty applies, and the consumer must provide at least three data points. For consumer requests to delete specific pieces of personal information, the standard will vary, depending on the sensitivity and the risk of harm to the consumer. The regulations allow consumers to designate an agent to make requests for them, and discuss how to verify such agents. Businesses must maintain records of consumer requests for at least 24 months.
Requirements for Dealing With Minors
For minors, the draft CCPA regulations require businesses to establish and maintain reasonable methods for verifying the identity of parents or guardians of a child who provide consent to collect and sell information from their children. The regulations provide a number of examples of such methods, and set forth special notice requirements to minors under the age of 16.
Stay tuned for new developments as the CCPA effective date nears.
