Last week, California Attorney General Xavier Becerra released much anticipated regulations implementing and interpreting the California Consumer Privacy Act (CCPA). Given the Attorney General’s responsibility for enforcement and the many open questions surrounding the CCPA, even after another round of amendments were passed last month, businesses have been eagerly waiting for the draft regulations to be released. The draft regulations both provide much needed clarity on key aspects of the CCPA but also create additional and potentially burdensome requirements for businesses under the CCPA’s jurisdiction. Before becoming final, the draft regulations will go through a notice and comment period. The CCPA goes into effect on January 1, 2020, but with the draft regulations not expected to become final until the first half of 2020, enforcement likely will not commence until July 1, 2020.
The Draft Regulations
The draft regulations comprise seven articles clarifying or adding to various existing components of the CCPA. In particular, the draft regulations:
- Clarify and define additional terms used in the CCPA
- Clarify and expand on the processes for handling and responding to consumer requests, including a new record keeping requirement
- Detail the processes through which a business should verify consumer requests
- Discuss mechanisms a business must use to receive opt-in permission to sell the personal information of minors
- Clarify and expand on the CCPA’s prohibition of discriminatory practices, including the calculation of the value of a consumer’s personal information
For businesses hoping that the Attorney General would clarify and potentially even limit some of the CCPA’s requirements, the draft regulations are a mixed bag.
On the other hand, however, the draft regulations also add to many of the CCPA’s requirements and force businesses to undertake additional measures. For example, one of the most notable additions found in the draft regulations requires businesses wishing to offer consumers a financial incentive for their personal information to calculate the value of a consumer’s personal information and justify the financial incentive under the CCPA. In addition, the draft regulations contain detailed record keeping requirements for businesses’ handling of consumer requests.
Businesses should continue to monitor the status of the draft regulations as the notice and comment process begins. Businesses currently engaging in CCPA compliance efforts should also recognize that the draft regulations, while powerful guidance, are subject to change.