Datawallet Website
Data Digest
Contact Us
Datawallet Resources
CCPA Overview
Intro
Who Does the CCPA Apply To?
Individual Data Rights: CCPA vs GDPR
CCPA Obligations
Actions and Fines For Violations of the CCPA
Key Definitions
CCPA Deep Dive
In-Depth Legal Summary of the CCPA
FULL TEXT: California Consumer Privacy Act (CCPA)
Proposed Amendments to the CCPA
Summary of California's AG Draft Rules for the CCPA
FULL TEXT: Draft Rules for the California Consumer Privacy Act (CCPA)
Datawallet and CCPA
The Bigger Picture, CCPA, and Personal Data
CCPA Action Plan
The Power of Trust
Nevada Privacy Law
The California Consumer Privacy Act (CCPA) versus The Nevada Privacy Bill (SB 220)
Datawallet One Pagers
CCPA Cheat Sheet
CCPA and the New Paradigm for Data
EU-GDPR OVERVIEW
Intro
Who Does the GDPR Apply To?
GDPR Data Subject Rights & Organizational Obligations
Actions and Fines for Violations of the GDPR
Key Definitions
EU-GDPR Deep Dive
In-Depth Legal Summary of the GDPR
FULL TEXT: General Data Protection Regulation (GDPR)
Powered by GitBook

Summary of California's AG Draft Rules for the CCPA

On October 10th, 2019, California’s Attorney General Xavier Becerra released the draft rules for the California Consumer Privacy Act (CCPA). In this post, we go over the key items highlighted by the AG and provide some more information.

The Draft Regulation focuses on five topics. Below is a high-level summary:

  1. Notices: Companies must provide notice to customers where the company discloses for each category the personal information collected, the categories of sources and the business or commercial purposes for which the information is collected, as well as the categories of third parties with whom the business shares that information. Notices must be provided at the time of data collection and must include clear guidance on how to opt-out of the sale of data. Special notice is required for companies providing financial incentives.

  2. Handling Consumer Requests: Businesses will be required to confirm the receipt of consumer requests to know or delete within 10 days, re-confirm requests to delete personal information, and maintain records on handling of consumer requests for at least two years. Businesses must provide consumers with two or more designated methods for submitting requests. After verification of identity, businesses should respond to household requests submitted via a non-password protected account with aggregate household information. Each request must be answered individually and must not be a template general response. A request to opt-out of the sale of data shall be completed within 15 days of the submission.

  3. Verification of Requests: the AG’s office provides clear guidance on how to verify the request of a consumer. While the proposed flows for existing users can be administered through existing account procedures, the directives for request verifications for non-account holders is more arduous: businesses need to match at least three data points of a consumer’s personal information if the request is for specific pieces of personal information, and the consumer has to submit a signed declaration under penalty of perjury. At least two data points must be matched for a request for category level information.

  4. Special Rules Regarding Minors: The CCPA requires that minors under 13 years of age must affirmatively opt-in to the sale of their personal information from a parent or guardian. The proposed regulations require that businesses establish a reasonable method for verifying the identity of said parent or guardian of a child. The rules also stipulate special requirements for notices to minors under 16 years of age, requiring expressive opt-in.

  5. Non-Discrimination and Financial Incentives: The draft rules define discriminatory incentives broadly as those that treat a consumer differently because the consumer exercised a right conferred by the CCPA or the draft regulations. However, a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data. Businesses can provide a “good-faith estimate of the value of the consumer’s data,” to explain the difference in service when opting in for data collection and opting out, publicly, the draft said. Examples for discriminatory practices provided in the draft regulation is that of a streaming service where only members that are on a paid plan can opt-out of the sale of their data.

Further notable findings outside of the five topics covered above:

  • Cost: DOJ estimated compliance will cost businesses between $467 million and $16.5 billion between 2020 and 2030.

  • Most Impacted Industries: trade, professional, scientific and technical services, and health care and social assistance

  • Permissions for new use cases: if a business intends to use a customer’s data for a use case not yet disclosed at the previous point of collection, the consumer must be informed and has to provide expressive consent to the business leveraging said data for the proposed use case.

  • Mini-Data Broker Requirements: businesses that annually buy, share, or receives for commercial purposes, or sells the personal information of, 4 million consumers, it must compile a number of metrics, disclose such metrics in its privacy policy, and establish and document training. Notably, an entity need not meet the definition of a data broker (as specified in AB 1202) to be subject to this requirement.

  • Notice of Financial Incentive: A notice of financial incentive must include a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive (or price or service differential), as well as the method used to calculate that value.

  • Service Providers: The proposed regulations clarify that a service provider shall not use personal information it collects from a business or consumer in connection with its provision of services to another person or entity

  • Individualized Responses: In responding to a consumer’s verified request to know the categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the CCPA.

CCPA Deep Dive - Previous
Proposed Amendments to the CCPA
Next - CCPA Deep Dive
FULL TEXT: Draft Rules for the California Consumer Privacy Act (CCPA)
Last updated 1 month ago