Header graphic for print
Steptoe Cyberblog

The California Attorney General’s CCPA Regulations: Clarity or More Questions?

Posted in Privacy Regulation

Last week, California Attorney General Xavier Becerra released much anticipated regulations implementing and interpreting the California Consumer Privacy Act (CCPA). Given the Attorney General’s responsibility for enforcement and the many open questions surrounding the CCPA, even after another round of amendments were passed last month, businesses have been eagerly waiting for the draft regulations to be released. The draft regulations both provide much needed clarity on key aspects of the CCPA but also create additional and potentially burdensome requirements for businesses under the CCPA’s jurisdiction. Before becoming final, the draft regulations will go through a notice and comment period. The CCPA goes into effect on January 1, 2020, but with the draft regulations not expected to become final until the first half of 2020, enforcement likely will not commence until July 1, 2020.

The Draft Regulations

The draft regulations comprise seven articles clarifying or adding to various existing components of the CCPA. In particular, the draft regulations:

  • Clarify and define additional terms used in the CCPA
  • Clarify and expand on consumer notice requirements, including notice at the point of collection of personal information; notice of consumers’ right to opt-out of the sale of their personal information; notice of financial incentives; and privacy policy notices
  • Clarify and expand on the processes for handling and responding to consumer requests, including a new record keeping requirement
  • Detail the processes through which a business should verify consumer requests
  • Discuss mechanisms a business must use to receive opt-in permission to sell the personal information of minors
  • Clarify and expand on the CCPA’s prohibition of discriminatory practices, including the calculation of the value of a consumer’s personal information

Key Components

For businesses hoping that the Attorney General would clarify and potentially even limit some of the CCPA’s requirements, the draft regulations are a mixed bag.

Businesses will be pleased by many components of the draft regulations. For example, the draft regulations provide businesses with a clear framework for verifying consumer requests, providing much needed clarification with respect to a key component of the CCPA. To verify a consumer request through an existing password protected account, a business may use normal authentication procedures. For verification of non-accountholders, the draft regulations require a business to verify the identity of a consumer either with a reasonable degree of certainty (by matching at least two pieces of personal information provided by a consumer with their existing records) or a reasonably high degree of certainty (by matching at least three pieces of personal information provided by the consumer with their existing records and receiving a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request) depending on the nature of the consumer request. In addition, the draft regulations permit businesses to provide disclosures at the point of collection of personal information and of financial incentives through a link to their privacy policy under certain circumstances.

On the other hand, however, the draft regulations also add to many of the CCPA’s requirements and force businesses to undertake additional measures. For example, one of the most notable additions found in the draft regulations requires businesses wishing to offer consumers a financial incentive for their personal information to calculate the value of a consumer’s personal information and justify the financial incentive under the CCPA. In addition, the draft regulations contain detailed record keeping requirements for businesses’ handling of consumer requests.

Businesses should continue to monitor the status of the draft regulations as the notice and comment process begins. Businesses currently engaging in CCPA compliance efforts should also recognize that the draft regulations, while powerful guidance, are subject to change.