Summary of California's AG Draft Rules for the CCPA

On October 10th, 2019, California’s Attorney General Xavier Becerra released the draft rules for the California Consumer Privacy Act (CCPA). In this post, we go over the key items highlighted by the AG and provide some more information.

The Draft Regulation focuses on five topics. Below is a high-level summary:

  1. Notices: Companies must provide consumers with a notice that discloses, for each category of personal information collected, the categories of sources and the business or commercial purposes for which the information is collected, as well as the categories of third parties with whom the business shares that information. The notice must be provided at or before the point of collection and must include clear guidance on how to opt out of the sale of personal information. A separate notice is required for companies offering financial incentives.

  2. Handling Consumer Requests: Businesses will be required to confirm receipt of consumer requests to know or delete within 10 days, to use a two-step process that asks the consumer to re-confirm a request to delete personal information, and to maintain records of how consumer requests were handled for at least two years. Businesses must provide consumers with two or more designated methods for submitting requests. Where a household request is submitted without a password-protected account, a business may, after verifying identity, respond with aggregate household information. Each request must be answered individually rather than with a generic template response. A request to opt out of the sale of personal information must be completed within 15 days of submission.

  3. Verification of Requests: The AG's office provides clear guidance on how to verify a consumer's request. While the proposed flows for existing account holders can be administered through existing account procedures, the directives for verifying requests from non-account holders are more arduous: a business must match at least two data points of the consumer's personal information for a request for category-level information, and at least three data points if the request is for specific pieces of personal information, in which case the consumer must also submit a signed declaration under penalty of perjury.

  4. Special Rules Regarding Minors: The CCPA prohibits the sale of the personal information of consumers under 16 years of age without affirmative authorization: for children under 13, a parent or guardian must opt in on the child's behalf, and for minors aged 13 to 15, the minor must opt in. The proposed regulations require that businesses establish a reasonable method for verifying that the person giving authorization is in fact the parent or guardian of the child. The rules also stipulate special requirements for notices to minors under 16 years of age, requiring an express opt-in.

  5. Non-Discrimination and Financial Incentives: The draft rules define a discriminatory practice broadly as one that treats a consumer differently because the consumer exercised a right conferred by the CCPA or the draft regulations. However, a business may offer a price or service difference if it is reasonably related to the value of the consumer's data. To justify the difference in service between consumers who opt in to data collection and those who opt out, the business must publicly provide a "good-faith estimate of the value of the consumer's data," the draft said. One example of a discriminatory practice given in the draft regulation is a streaming service that allows only members on a paid plan to opt out of the sale of their data.

Further notable findings outside of the five topics covered above:

  • Cost: The California Department of Justice estimated that compliance will cost businesses between $467 million and $16.5 billion between 2020 and 2030.

  • Most Impacted Industries: trade; professional, scientific and technical services; and health care and social assistance.

  • Permissions for new use cases: if a business intends to use a consumer's personal information for a purpose not disclosed at the point of collection, it must inform the consumer and obtain the consumer's explicit consent before using the data for the new purpose.

  • Mini-Data Broker Requirements: a business that annually buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 4,000,000 or more consumers must compile a number of metrics on consumer requests, disclose those metrics in its privacy policy, and establish and document employee training. Notably, an entity need not meet the definition of a data broker (as specified in AB 1202) to be subject to this requirement.

  • Notice of Financial Incentive: A notice of financial incentive must include a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive (or price or service differential), as well as the method used to calculate that value.

  • Service Providers: The proposed regulations clarify that a service provider shall not use personal information it collects from a business or consumer in connection with its provision of services to provide services to another person or entity.

  • Individualized Responses: In responding to a consumer’s verified request to know the categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the CCPA.