What’s Going On?

On October 10, 2019, the California Attorney General (AG), Xavier Becerra, issued proposed regulations under the California Consumer Privacy Act of 2018 (CCPA) for public consultation (the Proposed Regulations).

As mentioned in our previous blog post, the Proposed Regulations provide practical guidance for consumers and businesses that are subject to the CCPA. These regulations can be broken down into five concepts: notice, handling requests, identity verification, rules regarding minors, and financial incentives.

Interested in learning more about the AG’s proposed regulations? Sign up for our webinar on Tuesday, October 15, 2019 at 10:00 a.m. (PST) | 1:00 p.m. (ET) or on Thursday, October 17, 2019 at 10:00 a.m. (ET) | 15:00 (BST)

Clarification of Terms

With the CCPA containing terminology that is easy for consumers and businesses alike to misinterpret, Article 1 of the Proposed Regulations includes clarification on certain definitions of terms used in the CCPA, such as:


Defined as ‘a person or group of people occupying a single dwelling’

Categories of Third Parties

Defined as ‘types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers’

Privacy Policy

Privacy Policy is defined as ‘the statement that a business shall make available to consumers describing the business’s practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their own personal information’

Financial Incentive

Defined as ‘a program, benefit, other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information’

Third-Party Identity Verification Service

Defined as ‘a security process offered by an independent third party who verifies the identity of the consumer making a request to the business’

Notice to Consumers

Many consumers and businesses already knew that companies must provide notices to consumers, but the Proposed Regulations explain in detail the exact procedures that must be followed. The main notices that are highlighted are notices at the point of collection of personal information, of right to opt-out of sale of personal information, of financial incentive, and, of course, privacy policy.

These notices must be in an easily readable (even with small screens such as your cell phone) and understandable format. The goal is to make sure that the materials are using plain, straightforward language and to avoid technical or legal jargon which can be confusing to readers.

In addition to being perfectly clear, notices at collection need to provide a list of the personal information to be collected, the purpose for said personal information, and a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The Proposed Regulations also state that a business should not use a consumer’s personal information for any reason other than what was disclosed in the notice at collection.

Handling Consumer Requests

The Proposed Regulations provide details on handling consumer requests. In particular: submitting requests to know and requests to delete, how to respond to such requests, service providers, requests to opt-out, requests to opt-in after opting out of the sale of personal information, training and record-keeping, and requests to access or delete household information.

Businesses are required to have two or more designated methods for submitting requests to know. This includes, at a minimum, a toll-free telephone number and an interactive webform accessible through the business’s website or mobile application.

Should a business receive a request to know or delete, confirmation of receipt of request is required within 10 days. They must also provide information on how the process of the request will be handled. Requests must be responded to within a 45-day period, starting on the date the request was received. This is regardless of the time required to verify the request.

Verification of Requests

Once the consumer submits the request, businesses must establish, document and comply that a request has been submitted by the consumer. Consumers with a verified password-protected account may be verified through the business’s already existing authentication practices for the consumer’s account. Consumers without password authenticated accounts, may require at least two data points provided by the consumer to know categories of personal information and at least three pieces of personal information to know specific pieces of personal information.  requests that are submitted through authorized agents, businesses may require that the consumer provide written permission to do so and may verify their own identity directly with the business.

Rules Regarding Minors

In addition to rules regarding adults, the Proposed Regulations create rules for minors under 13 years of age, minors 13 to 16 years of age, and regarding notices to such minors.

If a business knowingly collects or maintains the personal information of children under the age of 13, that business will establish, document, and comply with a reasonable method for determining that the person authorizing the sale of personal information about the child is the parent or guardian of that child.


A financial incentive or a price or service difference is considered discriminatory and prohibited when a business treats a consumer differently because a consumer has exercised a right conferred by the CCPA or the Proposed Regulations.


Next Steps

The Proposed Regulations will have a public comment period which includes four public hearings hosted by the AG. Those interested will have an opportunity to submit comments regarding the proposed CCPA regulations via written comments regarding the proposed CCPA regulations at the public hearings, by mail, or by email. The deadline to submit previously mentioned written comments is by December 6, 2019 at 5:00 p.m. (PST)

Interested in learning more about the CCPA amendments?  Read our previous blog post or visit  Free.DataGuidance.com to access OneTrust’s CCPA amendment tracker. Updated daily, the tracker includes an overview of each amendment, as well as details relating to its current place in the legislative process and links to the full text of each amendment.

Regardless of where you are with your privacy program, it is never too early to start planning for your CCPA readiness. OneTrust for CCPA is a full set of scalable solutions and services specifically designed to implement CCPA requirements and workflows to support a global privacy program.

For additional information, or to request a live OneTrust for CCPA software demo, visit www.OneTrust.com/ccpa-compliance or email [email protected].




Check out our CCPA blog series: