The California Attorney General has issued long-awaited draft regulations for the California Consumer Privacy Act (CCPA), which is scheduled to take effect in 2020.
High-level takeaways:
- Big emphasis on disclosure and transparency: both format and content of the privacy notices.
- Emphasis on giving the reasoning for actions taken (e.g. not deleting per request).
- Specific instructions on how to respond to requests (Hint: can’t wait until day 44 to reply).
- Guidance on timing for response (Hint: time needed to verify does not extend the 45 days).
- Detailed guidance on how to verify the identity of a requesting consumer.
- Expanded requirements for companies collecting information of 4 million or more consumers (Hint: disclose stats on consumer requests and median time it takes to respond).
- Guidance on the methods for exercising the rights.
- Detailed guidance on how to calculate the value of the consumer’s information in order to provide a legal financial incentive.
- Detailed guidance re: CCPA-specific training.
- New records retention requirement for consumer request logs.
- An opt-out request can be expressed through browser preferences/user-enabled privacy controls.