On October 10, 2019, California Attorney General (AG) Xavier Becerra posted the Text of the Proposed Regulations to implement the California Consumer Privacy Act of 2018 (CCPA). The AG also included a Notice of Proposed Rulemaking and an Initial Statement of Reasons.

The Proposed Regulations focus on five concepts: notice, handling requests, identity verification, rules regarding minors, and financial incentives. They are intended to give consumers and businesses that are subject to the CCPA practical guidance in relation to the appearance of notices and the process for handling different types of requests, the information of minors and households, different circumstances surrounding how to verify identities, and considerations when calculating the value of consumer data. The AG discusses, among other things, the policy rationale of the proposed regulations and the potential impacts on businesses.

Interested in learning more about the AG’s proposed regulations? Sign up for our webinar on Tuesday, October 15, 2019 at 10:00 a.m. (PST) | 1:00 p.m. (ET) or on Thursday, October 17, 2019 at 10:00 a.m. (ET) | 15:00 (BST)


Summary of Proposed Regulations

Notice Requirements

  • Notice at/before collection, right to opt-out of sale, financial incentive, privacy policy
  • Straightforward, plain language
  • Customer’s attention should be drawn to the notice
  • Accessible to those with disabilities
  • Cover all languages that contracts are offered in

Handling Requests

  • Must have two or more methods to submit requests
  • Send receipt of request
  • 45 days to process
  • Reasonable security measures when sending PI
  • Information regarding circumstances for denying request
  • Information regarding what to do if unable to verify identity
  • When a company can ask a person to opt back into the sale
  • Information regarding households and dealing with authorized agents

Verifying Identity Practices

  • Account Holders
    • Establish, document, and comply with method of verification
    • Consider sensitivity of PI and risk of harm due to unauthorized access or deletion
    • Password can be used as authentication process if there are reasonable security measures against fraud
  • Non-Account Holders
    • For categories of information: reasonable degree of certainty; match at least two data points of PI
    • For specific PI: high degree of certainty; at least three pieces of PI and signed declaration with penalty of perjury
  • Specific verification falls between both account holders and non-account holders: balance the sensitivity of the information and the risk of harm due to unauthorized access or deletion.


Rules Regarding Minors

  • Specific procedure for affirmative opt-in for sale of greater than 16 years of age
  • Methods for verifying that the person providing affirmative opt-in for sale of greater than 13 years of age is actually a parent or guardian

Financial Incentives

  • Guidance for calculating value of consumer data to design financial incentive
  • Must disclose value and how the amount was calculated

Business Reporting Obligations

  • The proposed regulations impose reporting, recordkeeping, and other requirements


The Proposed Regulations will have a public comment period that includes four public hearings. These hearings give all interested persons an opportunity to present statements or comments regarding the proposed regulations. Any interested person, or their duly authorized representative, may submit written comments regarding the proposed CCPA regulations at the public hearings, by mail, or by email. The deadline to submit written comments is December 6, 2019 at 5:00 p.m. (PST).


Policy Statement and the Proposed Regulations’ Anticipated Benefits

According to the AG, the proposed regulations will do the following:

  • Benefit California residents’ welfare
  • Make it easier for consumers to exercise their new rights
  • Promote greater transparency regarding how businesses collect, use, and share personal information and on what businesses must do to comply with the CCPA
  • Encourage businesses to provide full and timely responses to consumer requests
  • Protect consumers from abuses of information, such as discrimination, fraud, and harassment

The AG initially determined that the proposed regulations would have a significant, statewide adverse economic impact that would directly affect businesses, including the ability of California businesses to compete with businesses that operate solely outside of California. In particular, the AG estimates that the CCPA and the proposed regulations will affect 15,000 to 400,000 businesses in California, potentially costing them collectively $467 million to $16,454 million over the ten-year period between 2020 and 2030.


If you’re interested in learning more about the CCPA amendments, visit Free.DataGuidance.com to access OneTrust’s CCPA amendment tracker. Updated daily, the tracker includes an overview of each proposed amendment, as well as details relating to its current place in the legislative process and links to the full text of each amendment.

Regardless of the maturity of your privacy program, it’s never too soon to start planning for your CCPA readiness. OneTrust for CCPA is a full set of scalable solutions and services specifically designed to implement CCPA requirements and workflows to support a global privacy program.
