Apr 24th 2020

What to Expect from CCPA Regulations

Although COVID-19 has put the majority of the country on hold, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the CCPA on July 1, as originally planned.

The announcement came despite the pleas of many businesses and organizations to get the deadline extended. While the attorney general has not yet published his final regulations on the CCPA, there are certain regulations we can expect to see in the final draft. 

Here’s a recap of what to expect:

Multiple Notice Requirements

The CCPA introduces several requirements with regard to consumer notice. These are considered “layered notices” within the CCPA. This means passive notice requirements in the form of a privacy policy are not all that is required. There are also affirmative notice requirements at different points of a business-consumer relationship – including the ways a business collects consumer personal data.

Section 304 of the CCPA lays out a roadmap for the types of notices required under the CCPA. It states that a business is required to have a privacy policy to comply with the CCPA. It imposes the requirement of a notice at the point a business collects personal information from a consumer. It also requires that a business provide a notice of a California consumer’s rights to opt out if a business is selling the consumer’s personal data. 

Finally, a business must also notify a consumer if it is offering a financial incentive or a price differential for the disclosure of personal information. 

The CCPA makes it abundantly clear that regardless of the type of notice a business is providing, it needs to be easily understandable, noticeable, interpretable and accessible. 

Specific Content Requirements

Throughout the multiple rounds of revisions, certain aspects of the Attorney General regulations have remained largely untouched. Therefore, it’s reasonable to rely on the following provisions being consistently incorporated into the final revision of the CCPA. Those preparing for the CCPA enforcement on July 1 should start ensuring the following: 

o Any notice or privacy policy provided to consumers:

    o Avoids legal jargon and technical language, and is instead prepared in plain, easy-to-understand language (don’t just reproduce the statutory language for categories of data collected)

    o Is prepared in a format that is easily readable, considering the types of devices from which a reader may access it (mobile, tablet, desktop)

    o Is available in the languages consistent with the contracts, disclaimers, announcements, etc., that the company provides in the ordinary course of business

    o Is accessible to those with disabilities

o Your privacy policy should also generally outline the consumer’s rights to know about information collected, disclosed, or sold; their right to request deletion, right to opt out of the sale of their personal information, and right to non-discrimination; it should also include contact information for questions or concerns, and the date last modified.

Process Requirements

With all the notice requirements come requirements to have certain processes and procedures in place. CCPA regulations have been consistent across all three drafts regarding the following: 

o The business privacy policy is required to be posted on the website, or obviously available to consumers

o California consumer personal information is not used beyond the means initially disclosed at collection

o Collection does not happen unless a consumer has been notified

o No additional consumer information is collected or used beyond the disclosures at collection, without first notifying the consumer (and the notice must include all those other notice provisions listed above)

o Procedures are in place to handle consumer requests

    o Consumers are provided with two or more methods for submitting requests to delete and opt out

    o Businesses should consider their usual forms of contact with consumers to determine the appropriate mechanism for submitting these requests

    o Businesses should develop a workflow to ensure requests are acknowledged within 10 business days, and responded to within 45 calendar days

    o Businesses should ensure they are able to verify consumer identity upon receipt of a request to know or delete

    o Development of a two-person process for requests to opt into the sale of their personal information

o Appropriate training is performed so employees or contractors handling consumer personal information understand the requirements of the CCPA and regulations

o Record retention schedules and policies are updated to account for consumer records requests

o The business has reasonable security measures in place to transmit personal information

What’s Still Uncertain

While there is some insight into the content of the final regulations, there are certain important elements that aren’t stable yet. The components of notice at collection seem to be slightly unclear. The opt out right seems to also be changing. 

The same is the case with the notice requirement around financial incentives (but components of this notice haven’t changed too much). Finally, the handling of requests to know/delete seems to be changing as well.

Following two rounds of revisions, we have a good understanding of what will be required of businesses under the CCPA. Various requirements and components of notice and the handling of consumer requests have remained largely unchanged, making those elements a reliable place to start in terms of CCPA compliance.
