California AG Releases Draft CCPA Implementation Regulations

Datawallet
Oct 12

On October 10th, 2019, California’s Attorney General Xavier Becerra released the draft rules for the California Consumer Privacy Act (CCPA). In this post, we go over the key items highlighted by the AG and provide some more information.

The Draft Regulation focuses on five topics. Below is a high-level summary:

  1. Notices: Companies must provide customers with a notice in which the company discloses, for each category, the personal information collected, the categories of sources, and the business or commercial purposes for which the information is collected, as well as the categories of third parties with whom the business shares that information. Notices must be provided at the time of data collection and must include clear guidance on how to opt out of the sale of data. Special notice is required for companies providing financial incentives.
  2. Handling Consumer Requests: Businesses will be required to confirm the receipt of consumer requests to know or delete within 10 days, re-confirm requests to delete personal information, and maintain records on the handling of consumer requests for at least two years. Businesses must provide consumers with two or more designated methods for submitting requests. After verification of identity, businesses should respond to household requests submitted via a non-password-protected account with aggregate household information. Each request must be answered individually, and the response must not be a general template. A request to opt out of the sale of data shall be completed within 15 days of the submission.
  3. Verification of Requests: The AG’s office provides clear guidance on how to verify the request of a consumer. While the proposed flows for existing users can be administered through existing account procedures, the directives for verifying requests from non-account holders are more arduous: businesses need to match at least three data points of a consumer’s personal information if the request is for specific pieces of personal information, and the consumer has to submit a signed declaration under penalty of perjury. At least two data points must be matched for a request for category-level information.
  4. Special Rules Regarding Minors: The CCPA requires an affirmative opt-in from a parent or guardian to the sale of the personal information of minors under 13 years of age. The proposed regulations require that businesses establish a reasonable method for verifying the identity of the child’s parent or guardian. The rules also stipulate special requirements for notices to minors under 16 years of age, requiring express opt-in.
  5. Non-Discrimination and Financial Incentives: The draft rules define discriminatory incentives broadly as those that treat a consumer differently because the consumer exercised a right conferred by the CCPA or the draft regulations. However, a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data. The draft said businesses can publicly provide a “good-faith estimate of the value of the consumer’s data” to explain the difference in service between opting in to data collection and opting out. An example of a discriminatory practice provided in the draft regulation is that of a streaming service where only members on a paid plan can opt out of the sale of their data.

Further notable findings outside of the five topics covered above:

  • Cost: DOJ estimated compliance will cost businesses between $467 million and $16.5 billion between 2020 and 2030.
  • Most Impacted Industries: trade; professional, scientific and technical services; and health care and social assistance.
  • Permissions for new use cases: If a business intends to use a customer’s data for a use case not disclosed at the previous point of collection, the consumer must be informed and has to provide express consent to the business using that data for the proposed use case.
  • Mini-Data Broker Requirements: A business that annually buys, shares, or receives for commercial purposes, or sells, the personal information of 4 million consumers must compile a number of metrics, disclose those metrics in its privacy policy, and establish and document training. Notably, an entity need not meet the definition of a data broker (as specified in AB 1202) to be subject to this requirement.
  • Notice of Financial Incentive: A notice of financial incentive must include a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive (or price or service differential), as well as the method used to calculate that value.
  • Service Providers: The proposed regulations clarify that a service provider shall not use personal information it collects from a business or consumer in connection with its provision of services to another person or entity.
  • Individualized Responses: In responding to a consumer’s verified request to know the categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the CCPA.

About Datawallet

Datawallet offers the perfect solution to comply with an increasingly complicated patchwork of data privacy laws and consumer expectations, by providing a single consumer portal and consent management platform (CPM)―continually and easily updated to align with every new data regulation due to its modularity. Jumpstart the virtuous cycle of trust and data with irreproachable, ethical data practices today.

Visit Datawallet.com to schedule a call with our experts.

You can also follow Datawallet on LinkedIn & Twitter.
