October has been an exciting time for anyone keeping an eye on developments involving the California Consumer Privacy Act (“CCPA”), scheduled to go into effect on January 1, 2020. On October 10, California Attorney General Xavier Becerra released a draft of the long-awaited CCPA regulations, and the very next day Governor Gavin Newsom signed seven CCPA amendments into law. Although the draft regulations are subject to upcoming public comment and further revisions, the proposed regulations and amendments provide a near-final view of what the CCPA will ultimately require of businesses when it goes into effect on January 1, 2020, and when it is enforced by the Attorney General’s office starting July 1, 2020. You can read our previous overview of the duties and obligations businesses have under the CCPA here.
Governor Newsom signed seven amendments that clarify various provisions and requirements of the CCPA:
Attorney General Becerra released proposed draft regulations under the following categories:
The notice of financial incentive must explain to consumers the reason for any incentive or price or service differential offered in exchange for the retention or sale of consumers’ personal information, including that the business must provide a good faith estimate of the value of the consumers’ data that forms the basis for the incentive or price or service differential.
Businesses must confirm receipt of Requests to Know or Requests to Delete within ten days and respond substantively within 45 days. Requests to Opt-Out must be acted upon within 15 days, and businesses are required to notify all third parties with whom they have shared the consumer’s personal information within the 90 days prior to the opt-out request.
Businesses must also keep documentation of consumer requests and the response to those requests for 24 months and ensure that all personnel handling consumer requests are informed of all CCPA rights and how to direct consumers to exercise those rights.
Where a business maintains a password-protected account with its consumers, the business may verify a consumer’s identity through the existing authentication practices for that account. Where a business or consumer does not have a password-protected account, the business must verify the consumer’s identity to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the type of data involved, which may require matching up at least 2 or 3 pieces of personal data provided by the consumer with information maintained by the business. If the business cannot verify the consumer’s identity to the required level of certainty, it must deny the request and inform the consumer why the request was denied.
Although the proposed regulations are subject to further revision following public comment, the current draft provides enough guidance for businesses to take necessary steps now to be in compliance by January 1, 2020. Please contact Litigation and Data Privacy partner Scott Hall at firstname.lastname@example.org or 415.772.5798 to discuss the CCPA’s requirements in greater detail and how we can help your business comply.
The information provided herein is informative only and not intended to be relied on as legal advice. Please contact us to discuss specific legal or compliance questions or concerns.