Recently Proposed Regulations Expand Requirements of the California Consumer Privacy Act

The California Consumer Privacy Act imposes many new requirements and includes specific guidance on consumer rights.

As we noted in our initial post, on October 1, 2019, the California Attorney General’s office (“CAG”) issued proposed regulations to the California Consumer Protection Act (“CCPA”), which are intended to “establish procedures to facilitate consumers’ new rights...and provide guidance to businesses for how to comply.” See Ch. 20. California Consumer Privacy Act Regulations – Proposed Regulations 999.300 et seq.; full text available here. The proposed regulations impose many new requirements on businesses required to comply with the CCPA, and include specific guidance on each of the “rights” identified in the CCPA (i.e., right to: know, opt out, delete, and equal treatment), including, inter alia, that businesses must:

• acknowledge consumer requests to know, opt out, and delete within 10 days, generally, and must provide requested information or take requested action within 45 days of receipt;
• address requests made through non-designated methods in accordance with the requirements of the CCPA or provide consumers instructions on how to resubmit such requests correctly (i.e., incorrectly submitted requests cannot be ignored);
• treat a consumer’s use of user-enabled privacy controls as a choice by the consumer to opt-in or opt-out;
• implement certain security measures for the transmission of customer data;
• institute methods for verifying the identity of consumers making requests;
• conduct internal training on the requirements of the CCPA for all individuals handling consumer inquiries;
• maintain records of consumer requests for at least 24 months subject to specific requirements relating to the form and substance of the record; and
• if such businesses buy, receive, sell or share personal information of 4 million or more consumers annually, then maintain certain metrics regarding requests received from consumers in the previous calendar year and disclose such information in their privacy policy or on their website.

The comment period for the proposed regulations ended on December 6, and material changes to the regulations are not expected. Once the proposed regulations are implemented on July 1, 2020, the CAG can initiate enforcement actions and consumers can initiate a private right of action against noncompliant businesses.

In our final installment on the lead-up to the implementation of the CCPA we will provide some practical guidance with respect to how business subject to the CCPA can ready themselves for CCPA compliance.