California Attorney General Issues Proposed CCPA Regulations
Notices to Consumers
Point of Collection: The CCPA requires point of collection notices to inform consumers at or before the time of collection of the categories of personal information ("PI") collected and purposes for collecting it. The proposed regulations require businesses to make such notices easy to read and understand for an average consumer and accessible to consumers with disabilities. The regulations describe how to make point of collection notices accessible when collecting PI online and offline and identify the information that must be conveyed.
Right to Opt-Out of "Sale" of PI: California residents have a right to opt-out of the "sale" of their PI. The term "sale" is broadly defined in the CCPA as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's [PI] to another business or a third party for monetary or other valuable consideration." A transfer of information to a service provider does not constitute a sale, if the service provider adheres to certain restrictions. The proposed regulations describe how businesses should provide notice of this right to consumers, including through a "Do Not Sell" link, and the content of such notices. The regulations do not provide more specific guidance on what constitutes a "sale" of PI.
Financial Incentives: Businesses must provide notice of any financial incentive or price or service difference that is offered in exchange for the retention or sale of PI. The proposed regulations describe how a notice of financial incentives must be provided and what information must be conveyed.
Privacy Policy: The proposed regulations provide guidelines for privacy policies, including designing and presenting them in a way that is easy to read and understandable to an average consumer. Privacy policies must communicate consumers' rights under the CCPA.
Handling Consumer Requests
California residents have a right to request that businesses disclose what PI has been collected about them, request deletion of their PI in certain circumstances, and request to opt-out of the "sale" of their PI. The proposed regulations instruct businesses on how to handle consumer requests made pursuant to the CCPA and address methods for enabling consumers to submit requests, rules for authorized agents, the timeframe for responding to requests, verification of consumers, and how businesses can demonstrate compliance with the CCPA.
Consent From Children
The CCPA prohibits the "sale" of PI pertaining to consumers under age 16 unless the consumer (if between 13 and 16) or the consumer's parent or guardian (if under age 13) consents. The proposed regulations describe how businesses must obtain consent and how businesses can verify that the person authorizing consent for a child under age 13 is the parent or guardian. The draft regulations require a two-step consent process for minors 13 - 15.
Non-Discrimination
Businesses cannot discriminate against consumers who exercise their rights under the CCPA. The proposed regulations explain what kinds of business practices constitute discrimination under the CCPA and how to determine the value of a consumer's data for purposes of offering a financial incentive or price or service difference.
Recordkeeping
The proposed regulations require businesses to maintain records of consumer requests for at least 24 months, and describe how such records must be maintained. A business that buys, collects, sells, or shares for commercial purposes PI of 4,000,000 or more consumers must compile annually: the number of "requests to know" received, processed, and denied; the number of "requests to delete" received, processed, and denied; the number of "requests to opt-out" received, processed, and denied; and the median number of days within which the business responded to such requests. Any business required to compile this information must publish the information on its website or in its privacy policy.
Costs of Compliance
The Attorney General estimates that the initial costs of complying with the CCPA are $25,000 for a small business, with ongoing annual costs of $1,500. For larger businesses, initial costs are estimated at $75,000, with ongoing costs of $2,500 annually. Certainly input on expected costs could be quite helpful.
What's Next
A series of public hearings will be held across California on December 2-5, 2019. Comments may be submitted at the hearing, by mail, or by email until December 6, 2019. Affected businesses should review the proposed regulations carefully and provide feedback on any concerns or recommended changes.