A Closer Look: Proposed Text of CCPA Regulations from California AG

On October 10, 2019, the California Attorney General released proposed regulations to the California Consumer Privacy Act (CCPA), introducing some new requirements that were not originally included in the CCPA. The regulations are divided into seven articles, which we discussed in an earlier blog here. In this post, we will undertake a comprehensive review of the proposed regulations and identify recommended next steps to address the regulations.

While the analysis below is comprehensive and unpacked, the proposed rules provide direction on how the AG interprets and may enforce the CCPA. According to the Notice of Proposed Rulemaking Action, the AG mentioned that the regulations would “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA.” The AG further states that the draft regulations “provide clear direction to businesses on how to inform consumers of their rights and how to handle their requests” (see Notice of Proposed Rulemaking Action, pg. 10).  Moreover, on January 6, 2020, the AG issued an advisory to consumers. The advisory informed consumers of their rights while holding organizations accountable for transparency and compliance under the statute. A final point: the AG released a CCPA fact sheet stating that over $12 billion worth of personal information will be protected each year from the CCPA, giving consumers unprecedented power over the use of their data.

Overall, the advisory, fact sheet and Initial Statement of Reasons do not provide any insight into the status of the proposed regulations, when the regulations would be finalized, nor whether to expect significant changes to the final regulations.  Since this is all formal guidance intended to operationalize the CCPA and provide practical guidance, subject to the law, it reiterates the CCPA’s core obligations, regulatory scope, and enforcement priorities while simultaneously providing consumers with actionable transparency regarding the use of their data.

Article 1. General Provisions

In Article 1, the scope provision ties the regulations to CCPA because it illuminates that a violation of the regulations equates to a violation of the CCPA (see Section 999.300(b)). This is significant to note because of the extensiveness of the CCPA statute. In other words, redress for any violation of the regulation is subject to the same remedies as a CCPA violation, either a fine of $2,500 for each violation or $7,500 for each intentional violation.

Additionally, this article includes 21 additional definitions that add clarity or remove ambiguity for previously undefined words like a “household.”

 Article 2. Notices to Consumers

As the name implies, Article 2 introduces guidance on the types of notices to consumers that an organization must disclose or provide under the CCPA. For instance, the proposed regulations stipulate that a business must present the notice at or before the collection of consumer information. Other requirements that must be within the privacy notice include the business purpose for the use of consumer information, categories of personal information collected, the right to  opt-out, a “Do Not Sell My Info” link (if applicable), a comprehensive description of the organization’s online and offline privacy practices with a link to the organization’s privacy policy, along with accessibility for consumers with disabilities among other things.

Article 2 also offers guidance on the type of disclosures that must be provided with each notice.  For instance, the regulations provide guidance on four types of notices: 1) notice at or before the collection of personal information, 2) opt-out/opt-in notice, 3) notice of any financial incentives and 4) an organization’s online and offline privacy policy.

California already has pre-existing online notice statutes like the California Online Privacy Protection Act (CalOPPA) and Shine the Light. Organizations will likely grapple with how to consider requirements for these regulations along with GDPR and notice requirements from other states like Delaware and Nevada.

Article 3. Business Practices for Handling Consumer Requests

The proposed regulations outline the proper handling of consumer requests.  Specifically, the article details the methods for verifiable requests along with receiving, processing, and responding to a consumer request to know (e.g. right to know about the categories of information collected and purpose), access (e.g. right to request disclosures) or delete. Upon receipt of a Request to Know or Delete consumer personal information, the organization must confirm receipt within ten (10) days and respond within 45 days.

In particular, for deletion requests, organizations are required to use a two-step process when the consumer asks to delete, coupled with confirmation from the consumer they do, indeed, want their personal information deleted (see Section 999.312(d)). Also of importance, personal information must be transferred securely, and all deleted information must be permanently erased, de-identified or aggregated. The deletion request does not apply to archived or offline backup systems unless the archive or offline backup system is later accessed or used.

However, if a deletion request is denied, in connection with an exemption for example, the organization must inform the basis for the denial and delete any personal information not applicable to the exemption.

Lastly, the article illuminates training and record-keeping requirements for all individuals responsible for handling consumer inquiries about the organization’s privacy practices or compliance with the CCPA. Records and logs must be maintained for all requests under the CCPA for at least 24 months. Organizations that sell, share or receive the personal information of 4 million or more consumers for a commercial purpose will have to compile metrics and disclose this information, either within the online privacy policy or posted on the organization’s website.

Article 4. Verification of Requests

Organizations are tasked with establishing, documenting and complying with a reasonable method for verifying the individual making the request is whom they claim to be. In connection with methods for verifying the individual, the business is also required to implement “reasonable security measures” to detect fraudulent identity-verification activity to prevent unauthorized access or deletion of a consumer’s personal information (see Section 999.323(d)).

A host of considerations are provided within the regulations to analyze whether personal information is sensitive or valuable, risks or harm to the consumer from unauthorized access or deletion, and third-party verification services, among others. A recommendation to avoid requesting “additional information” from the consumer for purposes of verification is also suggested. If the identity cannot be verified without requesting additional information, the organization should delete any new personal information collected for verification purposes.

Finally, a question often asked by clients: “Do we have to delete any consumer personal information?” The regulations are clear in that “if a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request” ((see Section 999.323(e)).

Article 5. Special Rules Regarding Minors

Based on the California AG’s comments mentioned in a separate article, aggressive and early decisive enforcement will entail minor personal information. Thus, businesses should be prudent in authorization methods as it pertains to minors.

For minors under 13, methods must be in place for determining if the individual who provided the minor authorization is, in fact, the parent or guardian of the minor. Upon receipt of the authorization, the organization must notify the parent or guardian of both their right to opt-out at a later date and how they can opt-out. The methods mentioned can include a consent form signed by the parent or guardian to requiring the use of a payment system that notifies the parent after every financial transaction, among others.

For minors between 13 and 16 years of age, organizations must establish procedures to allow an affirmative opt-in to the sale of their personal information, along with notification of the right to opt-out and how it can be exercised. There are no parental affirmation requirements for minors between 13 and 16 years old.

Article 6. Nondiscrimination

For Article 6, businesses may offer financial incentives and price of service differences.  However, to prevent incentives from only being offered to consumers who do not opt-out, when a consumer exercises their privacy right, a business must reasonably relate the value of the incentive to the value of the consumer’s data.

Illustrative examples are given on how different practices would be treated by the statute.  Additionally, there are eight factors or methods introduced on how to calculate the value of a consumer’s data. Whatever method chosen must be documented.

Finally, an organization’s denial of a consumer’s request to know, delete, or opt-out for permitted reasons under the CPA should not be considered discriminatory.


While the above provides an inclusive summary of the AG’s proposed regulations, consider the following next steps:

  • Weigh the definition and applicability of “sale” pursuant to the CCPA. Organizations that do not sell personal information should be clear about this stance in their consumer-facing privacy policy. Note, additional liability can be inadvertently introduced if the organization takes the stance that “we do not sell personal information” yet a “sale” does occur. The Federal Trade Commission (FTC) can examine business practices (i.e., a “sale”) as investigatory predicate to a privacy harm that is unfair or deceptive business practice.
  • Conduct gap analysis with privacy policy notices as some organizations may have coinciding obligations from local, state, or international jurisdictions.
  • Continuously update data flow mappings or Records of Processing Activities (RoPA) documentation to assist with consumer rights and request compliance efforts.
  • Design methods and means to capture affirmations from parents or guardians of minors under age 13, and affirmations from minors between 13 and 16.
  • Update websites, draft and implement verification processes, train call center personnel or customer service representatives on the appropriate handling of consumer requests and how to respond to CCPA inquiries.

Finally, work with general counsel, the legal department or outside counsel to get a full accounting of what must be disclosed to the consumer, as well as being fully informed about the CCPA because it is prone to change as well as any other applicable privacy statutes.


Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

Subscribe to Topics

Protiviti’s Patrick Gilgour discusses how IT leaders should establish proactive and collaborative partnerships, while also touching on the importance of ongoing monitoring of key partnership metrics. https://ow.ly/YyBE50QHZZe #ProtivitiTech #CIO

NIST released version 2.0 of its Cybersecurity Framework this week. Find out how the updated framework expands its core guidance to help organizations of any size and sector manage and reduce their cybersecurity risks. https://ow.ly/CPUC50QJpoG #ProtivitiTech #Cybersecurity

NIST released version 2.0 of its Cybersecurity Framework this week. Find out how the updated framework expands its core guidance to help organizations of any size and sector manage and reduce their cybersecurity risks. https://ow.ly/CPUC50QJpoG #ProtivitiTech #Cybersecurity

“Privacy practitioners need to stay really in lockstep with what’s happening from an emerging perspective and be able to respond quickly,” says Sameer Ansari on approaching #Privacy training amid rapidly emerging technology. https://ow.ly/ZBBC50QI0tr #ProtivitiTech

Research out of Protiviti and the London School Economics finds that the productivity of Gen Z and millennial workers is affected, in part, due to the friction with older managers. Learn more: https://ow.ly/V68C50QHj14 #Protiviti #Generations

Load More