California Attorney General Xavier Becerra recently released proposed regulations for the California Consumer Privacy Act of 2018 (“CCPA”), which expand upon and provide further details on the rights and obligations created by the CCPA. The CCPA requires the attorney general to adopt regulations to further the CCPA’s purposes and provide guidance to businesses on how to comply. In a recent press conference, Attorney General Becerra described the regulations as reflecting the most recent amendments¹ and the feedback received from the public over the past year.

Hearings on the draft regulations will be held December 2-5, 2019, and any interested party may submit written comments at the public hearings, or by mail or email, through December 6, 2019. All comments received by then will be posted on the attorney general’s website and are subject to the Public Records Act.

The proposed regulations address how businesses can comply with various aspects of the CCPA, including: 1) notifications to consumers of their rights under the CCPA; 2) handling consumer requests regarding personal information; 3) verifying consumer requests; 4) protecting personal information of minors under 16 years of age; and 5) specifics regarding the anti-discrimination provisions. A violation of these regulations shall constitute a violation of the CCPA and may be subject to the remedies provided therein.

Included in the regulations are the following topics of note:

Expanded Disclosure Obligations. Importantly, the regulations generally increase disclosure obligations on covered businesses. For instance, businesses that substantially interact with consumers offline must notify them of their right to opt-out of the sale of personal information by offline methods. Businesses must disclose to consumers a good-faith estimate of, and the method used to calculate, “the value of the consumer’s data” in the event businesses wish to provide a financial incentive or price or service difference in exchange for the retention or sale of personal information. The regulations provide eight different methods businesses can use to estimate “the value of the consumer’s data,” including the revenue or profit to the business generated from the data’s sale.

Additional Privacy Policy Requirements. The regulations require that covered businesses address additional topics within their privacy policies, including: 1) the categories of the personal information collected, the purposes for which such personal data is collected, as well as the sources from which that personal data is collected; 2) the rights afforded to consumers under the CCPA, including the rights to know, delete and opt-out of the sale of their personal information, as well as the right to non-discrimination; 3) instructions on how to submit a verifiable consumer request; 4) the processes used to verify consumer requests; 5) whether personal information is disclosed or sold to third parties and, if so, the categories of such third parties; and 6) how consumers can designate an authorized agent to make a request on their behalf.

Format of Disclosures. Furthermore, the regulations generally require information communicated to the consumer pursuant to the CCPA to be readable, understandable and presented in a format that draws the consumer’s attention, including on smaller screens, if applicable. It also must be accessible to consumers with disabilities and be available in the languages in which the business otherwise communicates with consumers.

Verification Procedures. The regulations also impose specific obligations on the process a business should use to respond to and verify consumers who submit a “request to know” or “request to delete” pursuant to the CCPA. The regulations make clear that the time the business has to respond to such a consumer request, 45 days under the CCPA with a right to extend, starts to run upon the business’ receipt of the request. Additionally, businesses are required to confirm receipt to the consumer within 10 days as well as provide information about how the business will process the request. If a consumer did not submit their request through the proper channels provided by the business, the business must either treat the request as if it had been properly submitted or provide the consumer with specific directions on how to re-submit the request. Furthermore, businesses that collect the personal information of 4,000,000 or more consumers must identify and record the number of requests (to know, delete and opt-out) received, fulfilled and denied, as well as the median number of days the business took to respond. Finally, businesses must retain the records of consumer requests they receive as well as how they responded to such requests for at least 24 months.

1 Coverage of the recent amendments to the CCPA can be found here: The CCPA Comes Close to Its Final Form, September 25, 2019.