California AG Issues California Consumer Privacy Act Regulations
Last month, the California Attorney General released draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus on three primary areas: (1) consumer notices; (2) consumer requests for information and the handling of that information; and (3) verification requirements.
The implementation date for the CCPA is January 1, 2020. The deadline for submission of comments is December 6, 2019. The regulations will not become final until the Spring of 2020. The California AG has stated that it will not enforce the CCPA and its regulations until July 1, 2020.
The headlines from the regulations include: (a) new disclosure requirements for businesses that collect the personal information of more than 4 million consumers; (b) acknowledgement of consumer requests within 10 days of receipt; (c) implementation of “do not sell” requests by consumers within 15 days of the request and notice to third parties within 90 days; and (d) a requirement that businesses obtain consumer consent before using personal information for a purpose not disclosed at the time of collection.
Consumer Notices and Requests for Information
For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times.
Companies have to offer at least two methods for consumers to submit requests, usually an online form and a toll-free number. If a company primarily interacts with consumers offline (e.g. a physical retail store), the company may need to provide a paper form.
The regulations also clarify that the 45-day timeline for a company to respond to a consumer request includes time required to verify the request. Additionally, businesses must confirm receipt of a request within 10 days, must respond to opt-out requests within 15 days, and must inform all third parties to stop selling the consumer’s information within 90 days.
In general, the more sensitive the information, the greater the verification requirements. Companies should not release sensitive information without verifying the identity of the individual requesting the information. Such verification can be completed by a password-protected system or re-authentication procedures.
The regulations also provide requirements for requests for information that cannot be verified. If a business cannot verify the identity of a person making a request for access, then the business may proceed with restricted disclosure requirements.