What’s Going On?
On October 10, 2019, the California Attorney General (AG), Xavier Becerra, issued proposed regulations under the California Consumer Privacy Act of 2018 (CCPA) for public consultation (the Proposed Regulations).
As mentioned in our previous blog post, the Proposed Regulations provide practical guidance for consumers and businesses that are subject to the CCPA. These regulations can be broken down into five concepts: notice, handling requests, identity verification, rules regarding minors, and financial incentives.
Interested in learning more about the AG’s proposed regulations? Sign up for our webinar on Tuesday, October 15, 2019 at 10:00 a.m. (PST) | 1:00 p.m. (ET) or on Thursday, October 17, 2019 at 10:00 a.m. (ET) | 15:00 (BST)
Clarification of Terms
With the CCPA containing terminology that is easy for consumers and businesses alike to misinterpret, Article 1 of the Proposed Regulations includes clarification on certain definitions of terms used in the CCPA, such as:
Defined as ‘a person or group of people occupying a single dwelling’
Categories of Third Parties
Defined as ‘types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers’
Defined as ‘a program, benefit, other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information’
Third-Party Identity Verification Service
Defined as ‘a security process offered by an independent third party who verifies the identity of the consumer making a request to the business’
Notice to Consumers
These notices must be in an easily readable (even with small screens such as your cell phone) and understandable format. The goal is to make sure that the materials are using plain, straightforward language and to avoid technical or legal jargon which can be confusing to readers.
In addition to being perfectly clear, notices at collection need to provide a list of the personal information to be collected, the purpose for said personal information, and a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The Proposed Regulations also state that a business should not use a consumer’s personal information for any reason other than what was disclosed in the notice at collection.
Handling Consumer Requests
The Proposed Regulations provide details on handling consumer requests. In particular: submitting requests to know and requests to delete, how to respond to such requests, service providers, requests to opt-out, requests to opt-in after opting out of the sale of personal information, training and record-keeping, and requests to access or delete household information.
Businesses are required to have two or more designated methods for submitting requests to know. This includes, at a minimum, a toll-free telephone number and an interactive webform accessible through the business’s website or mobile application.
Should a business receive a request to know or delete, confirmation of receipt of request is required within 10 days. They must also provide information on how the process of the request will be handled. Requests must be responded to within a 45-day period, starting on the date the request was received. This is regardless of the time required to verify the request.
Verification of Requests
Once the consumer submits the request, businesses must establish, document and comply that a request has been submitted by the consumer. Consumers with a verified password-protected account may be verified through the business’s already existing authentication practices for the consumer’s account. Consumers without password authenticated accounts, may require at least two data points provided by the consumer to know categories of personal information and at least three pieces of personal information to know specific pieces of personal information.￼ ￼ requests that are submitted through authorized agents, businesses may require that the consumer provide written permission to do so and may verify their own identity directly with the business.
Rules Regarding Minors
In addition to rules regarding adults, the Proposed Regulations create rules for minors under 13 years of age, minors 13 to 16 years of age, and regarding notices to such minors.
If a business knowingly collects or maintains the personal information of children under the age of 13, that business will establish, document, and comply with a reasonable method for determining that the person authorizing the sale of personal information about the child is the parent or guardian of that child.
A financial incentive or a price or service difference is considered discriminatory and prohibited when a business treats a consumer differently because a consumer has exercised a right conferred by the CCPA or the Proposed Regulations.
The Proposed Regulations will have a public comment period which includes four public hearings hosted by the AG. Those interested will have an opportunity to submit comments regarding the proposed CCPA regulations via written comments regarding the proposed CCPA regulations at the public hearings, by mail, or by email. The deadline to submit previously mentioned written comments is by December 6, 2019 at 5:00 p.m. (PST)
Interested in learning more about the CCPA amendments? Read our previous blog post or visit Free.DataGuidance.com to access OneTrust’s CCPA amendment tracker. Updated daily, the tracker includes an overview of each amendment, as well as details relating to its current place in the legislative process and links to the full text of each amendment.
Regardless of where you are with your privacy program, it is never too early to start planning for your CCPA readiness. OneTrust for CCPA is a full set of scalable solutions and services specifically designed to implement CCPA requirements and workflows to support a global privacy program.
- Learn more about OneTrust for CCPA
- Download the whitepaper: How OneTrust Helps: California Consumer Privacy Act (CCPA)
- Get the free OneTrust CCPA Initial Planning Assessment
- Download the free OneTrust CCPA Mobile App from the App Store and Google Play
Check out our CCPA blog series:
- CCPA Proposed Regulations
- Comply With the CCPA’s “Toll Free Requirement” with OneTrust
- California Privacy Rights and Enforcement Act Ballot Initiative
- CCPA Amendment Crunch Time
- CA Attorney General Holds Public Forums on the CCPA: What You Need to Know
- The Importance of the CCPA Look Back Requirement and What it Means for Your Organization
- 5 Simple Steps to CCPA Readiness
- CCPA: New Amendment Bills One Step Closer to Becoming Law
- How OneTrust Helps: CCPA Consumer Rights Management
- How OneTrust Helps: CCPA “Do Not Sell” Requirements
- Less Than One Month to Finalize CCPA Amendments
- The Dos and Don’ts of CCPA Consumer Right Requests
- California Privacy Rights and Enforcement Act Ballot Initiative