Finalized CCPA Regulations Released

The California Attorney General (AG) has issued the Proposed Text of Regulations for implementing the California Consumer Privacy Act of 2018 (CCPA) along with an Initial Statement of Reasons. Governor Gavin Newsom has signed the amendments to the CCPA. A short synopsis of the released draft regulations is below.

What is included in the Proposed Text of Regulations and the Initial Statement of Reasons?

In a press conference, the AG’s office reiterated that the proposed regulations and Initial Statement of Reasons are among the best resources to follow for the CCPA’s expected implementation. Written comments may be submitted by December 6, 2019, before the final CCPA regulations are issued. The AG’s CCPA Fact Sheet states that the AG will consider all comments and may revise the regulations in response.

Updated verbiage was added to the proposed rules that may impact operationalizing the CCPA. For instance, in Article 1, “household” is defined as “a person or group of people occupying a single dwelling.” Questions raised on engagements have centered on how to handle household requests.

The rules now define how a business must receive and verify household requests.

Article 2’s notice requirement adds new language regarding accessibility requirements and notices to consumers with disabilities. Additional language on financial incentives states that the business must explain the incentive or difference in price or service. Finally, guidance on the opt-out button or logo and how it should look will be included at a later date.

Article 3 is broken out into seven sections that describe how businesses should handle consumer requests. Notably, prescriptive rules are spelled out for service providers, opt-out requests, training, and record-keeping.

Article 4 covers the verification of requests. Businesses must establish methods to verify consumers who make requests, and the article sets out considerations for determining the method of verification, including the use of third-party verification services.

Article 5 covers rules surrounding processes as they pertain to minors. A business must acquire affirmative authorization to sell the personal information of a minor under the age of 13. In essence, a business is advised to implement mechanisms to determine that the person who provided the affirmative authorization for a minor under 13 was indeed a parent or guardian.

Moreover, for minors aged 13 to 16, businesses must also establish a reasonable process that enables these minors to opt in to the sale of their personal information. In addition, businesses must inform them of their right to opt out at a later date and how to do so.

Finally, Article 6 contains guidelines on the CCPA’s non-discrimination and financial incentives language. For instance, there are some examples to help determine if a business practice is discriminatory and how to document a “reasonable and good faith method for calculating the value of the consumer’s data,” thereby offering a price or service difference. Among the seven methods available to assess the value of consumer data is a catch-all provision, which allows organizations to implement a reasonable method that is practical given the business model.

What essential questions are answered by the proposed regulations?

Questions that have been swirling all year now have reliable answers. For example, there is clear guidance on how to respond to access requests, how to deliver sensitive personal information, how verifications may be processed, clarity on service providers and how to administer household data.

Included in the Proposed Rulemaking is an important point to note: “the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states.”

In summary, the comment period closes on December 6, at which point there may be a second set of draft rules, depending upon the comments submitted and subsequent revisions. The AG has also indicated that an organization should not rely upon the enforcement delay as a “safe harbor.” Stay tuned on the CCPA rulemaking process.

Ron Naulls

Senior Manager
Technology Consulting – Security and Privacy