On October 10, 2019, the California Office of the Attorney General (“AG”) published the long-awaited proposed text of the California Consumer Privacy Act Regulations (the “Proposed Regs”). The Proposed Regs provide guidance on how covered businesses are to comply with the California Consumer Privacy Act of 2018 (“CCPA”). In preparing these Regulations, the AG received over 300 written comments and held seven public forums.
Before the Proposed Regs are finalized and promulgated, the AG will hold four public hearings (December 2-5, 2019) to allow an opportunity for statements or comments concerning the Proposed Regs. In addition, the AG will accept written comments regarding the Proposed Regs submitted before 5:00 pm PST on December 6, 2019.
Highlights of the Proposed Regs include:
- The Notice (at the time personal information (“PI”) is collected) must include the list of categories of PI and, for each category, the categories of sources, business or commercial purpose for which it will be used, and the categories of third parties with whom the business shares PI;
- The “Do Not Sell My Personal Information” link is only required if the covered business sells consumers’ PI;
- Notice is not required from businesses that do not collect PI directly from consumers, but the PI cannot be sold unless the consumer is contacted or the source of the PI is contacted with notice;
- Businesses shall use a two-step process for online requests to delete PI: the consumer must first make the request to delete and then the consumer must separately confirm that they want their PI deleted;
- If a request to delete cannot be verified, the business shall treat the request as a request to opt-out of sale;
- Businesses that store PI in archives or backup systems do not need to delete the PI until the archived or backup system is next accessed or used;
- A person or entity directed by a business to collect PI is considered to be a service provider;
- A service provider that is a business shall comply with the CCPA;
- A request to opt-out does not need to be a verifiable consumer request; and
- Businesses must maintain records of consumers’ requests for at least 24 months and may maintain information therein so long as it is not used for any purpose other than record-keeping.