The California Attorney General has issued long-awaited draft regulations for the California Consumer Privacy Act (CCPA), which is scheduled to take effect in 2020.

High level takeaways:
  • Big emphasis on disclosure and transparency: both format and content of the privacy notices.
  • Separation between the privacy notice for “at or before collection of information” and the “website privacy policy.”
  • Emphasis on reasoning for taking actions (e.g. not deleting per request, etc.).
  • Specific instructions on how to respond to requests (Hint: can’t wait until day 44 to reply).
  • Guidance on timing for response (Hint: time needed to verify does not extend the 45 days).
  • Detailed guidance on how to verify the identity of a requesting consumer.
  • Expanded requirements for companies collecting information of 4 million or more consumers (Hint: disclose stats on consumer requests and median time it takes to respond).
  • Guidance on the methods for exercising the rights.
  • Detailed guidance on how to calculate the value of the consumer’s information in order to provide a legal financial incentive.
  • Detailed guidance re: CCPA-specific training.
  • New records retention requirement for consumer request logs.
  • Possible to express an opt-out request through browser preferences/user-enabled privacy controls.

Read the full text of the draft regulations.