California AG Issues California Consumer Privacy Act Regulations
Last month, the California Attorney General released draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus on three primary areas: (1) consumer notices; (2) consumer requests for information and handling of information; and (3) verification requirements.
The implementation date for the CCPA is January 1, 2020. The deadline for submission of comments is December 6, 2019. The regulations will not become final until the Spring of 2020. The California AG has stated that it will not enforce the CCPA and its regulations until July 1, 2020.
The headlines from the regulations include: (a) new disclosure requirements for businesses that collect personal information from more than 4 million consumers; (b) acknowledgement of consumer requests within 10 days of receipt; (c) implementation of “do not sell” requests by consumers within 15 days of the request and notice to third parties within 90 days; and (d) businesses must obtain consumer consent before using personal information for a purpose not disclosed at the time of collection.
Consumer Notices and Requests for Information
With respect to consumer notices, the regulations discuss four types of notices: notice at the time of collection, notice of the right to opt out of the sale of personal information, notice of financial incentives, and notice of the privacy policy. All of the notices have to be up to date and made accessible at the required time of issuance.
A company’s privacy policy should be updated to incorporate CCPA requirements and practices. For each category of personal information collected, the privacy policy must identify the sources of the information, how the information is used, and the categories of third parties to whom the information is disclosed.
For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times.
Companies have to offer at least two methods for consumers to submit requests, usually an online form and a toll-free number. If a company primarily interacts with consumers offline (e.g. in a retail store), the company may need to provide a paper form.
The regulations also clarify that the 45-day timeline for a company to respond to a consumer request includes time required to verify the request. Additionally, businesses must confirm receipt of a request within 10 days, must respond to opt-out requests within 15 days, and must inform all third parties to stop selling the consumer’s information within 90 days.
Verification Requirements
In general, the more sensitive the information, the greater the verification requirements. Companies should not release sensitive information without verifying the identity of the individual requesting it. Such verification can be completed through a password-protected account or through re-authentication procedures.
The regulations also provide requirements for requests for information that cannot be verified. If a business cannot verify the identity of a person making a request for access, then the business may proceed under restricted disclosure requirements.