The long-awaited draft regulations for the California Consumer Privacy Act of 2018 have finally been issued by the office of Attorney General Xavier Becerra. The proposed regulations would provide needed detail on how companies must carry out their new statutory duties under the Act (better known as the CCPA), which takes effect January 1.
Comments on the proposed regulations will be accepted for two months, and the Attorney General’s office will hold four public hearings around the state.
Though the proposed regulations do not deal with employee data, they do supply needed detail about how affected businesses should notify consumers about the personal information they collect, and how to verify and respond to requests for such data. A few aspects are particularly notable. For one, businesses would have to track the number of customer data requests they receive as well as the length of time that it took to respond to those requests. In addition, a business would be required to confirm receipt of a request within 10 days and inform the customer as to precisely how the request will be handled. The business would then have 45 days after the request to respond, plus an additional 45 days if the business provides a valid reason to the customer for the delay.
In other areas, when verifying a customer’s identity, the proposed regulations would mandate that businesses consider the sensitivity of the information they collect and the harm that it could cause if it were to get into the wrong hands. According to the proposed regulations, businesses should not disclose certain types of information, like a consumer’s Social Security Number or bank account information, even if the consumer requests it. Moreover, when customers request that their data be deleted, the option to delete all information must be “more prominently presented” than options to delete only part of the data. And when consumers choose to opt out of the sale of their personal information, businesses have up to 15 days to act and up to 90 days to notify third parties to whom they’ve sold the user information.
The regulations would also attempt to place a price tag on a consumer’s information by requiring companies that offer incentive programs to devise “a good faith method” for calculating the actual value of that data. Another provision requires businesses to treat user-enabled privacy controls, including a browser’s “do not track” features, as valid requests to opt out of the sale of the user’s information. This imposes yet another layer of complexity – and cost – upon businesses.
An economic analysis of the proposed regulations released by the Attorney General’s office estimates that coming into compliance could cost businesses as much as $55 billion. The same report pegged the value of Californians’ collected data at approximately $10 billion. “This study includes troubling points for businesses that must comply with the California Consumer Privacy Act and shows the potential for a significant negative impact on the California economy,” according to a statement from Courtney Jensen, TechNet’s Executive Director for California.
“This is plowing new ground,” Mr. Becerra told reporters at a press conference in San Francisco. “We’re better than Captain Kirk and the Enterprise. We’re going really where no one in America has gone before.”
Although the CCPA will take effect on January 1, the AG’s enforcement will not begin until July 1.
But more is yet to come. Earlier this month, Alastair Mactaggart, the author of the ballot initiative that spawned the CCPA, said that he seeks to introduce a new initiative titled “California Privacy Rights and Enforcement Act of 2020, Version 2.”
Hold on tight! This area of the law is evolving quickly. We will continue to keep you informed.