On October 10, 2019, the California Attorney General's office issued the much-anticipated proposed text of its California Consumer Privacy Act (CCPA) regulations (the Regulations). The nearly 10,000-word Regulations propose detailed rules regarding required notices for consumers, business practices for handling consumer requests, verification of requests, special rules regarding minors, and non-discrimination. The Regulations go beyond clarifying ambiguities in the law and propose new requirements, many of which are not contained in the Act. Alongside the Regulations, the Attorney General published an Initial Statement of Reasons, which aim to provide the justifications for each requirement. Given the timing of their release, the Regulations do not incorporate any of the CCPA amendments approved by the California legislature in September, and signed by California Governor Gavin Newsom on October 11, 2019 (a day after the Regulations were issued). The Attorney General indicated, however, that the Regulations will be updated to reflect the amendments. The Regulations come at a time when businesses have fewer than three months left to prepare before the CCPA takes effect on January 1, 2020, though the Regulations themselves will not take effect or be enforced until July 1, 2020.

The biggest takeaways from the Regulations include:

• Additional expansive notice requirements, including a requirement to post a notice offline for businesses operating offline, specifying the purpose of collection for each category of personal information collected, and obtaining explicit consent for purposes not previously disclosed to the consumer in the notice at the time of collection.
• New security requirements not contained in the CCPA, such as implementing reasonable security measures to detect fraudulent identity-verification activity and prevent unauthorized access or deletion, and prohibiting the disclosure of certain sensitive information to consumers.
• New specific record-keeping requirements, such as maintaining records of consumer requests and the business's response for twenty-four months, and requiring that businesses that buy or sell the personal information of four million consumers compile and disclose annual metrics on compliance with requests.
• Narrower limitations than in the CCPA on how service providers may use the personal information collected from a business, including prohibiting the use of the information to provide services to other entities, except for fraud prevention or to detect data security incidents.
• Requiring that businesses honor mechanisms that signal a consumer's choice to opt-out, which potentially includes Do Not Track requests.

For a more in-depth analysis of the main components of the Regulations, please see our Data Advisor article.

Next Steps

The Regulations are subject to a mandatory 45-day public comment period, during which the Attorney General's Office will hold four public hearings across California.

The Attorney General will accept comments on the Regulations at the hearings, by mail, or by email until December 6, 2019 at 5:00 p.m. We urge businesses affected by the Regulations to submit comments to the Attorney General and welcome any requests to assist with such submissions. WSGR will continue to monitor further CCPA developments.