As the Jan. 1 effective date approaches for the nation’s toughest data privacy law, businesses have been waiting to see how the California Attorney General’s Office plans to enforce it.
They got an indication on Oct. 10, when the office released its proposed regulations for the California Consumer Privacy Act. The CCPA will require many businesses — even outside California — that handle Californians’ personal data to field requests about that data and notify consumers of their data handling practices, among many other obligations. Data privacy attorneys say the draft regulations help clarify the CCPA but also add more hurdles businesses must leap to comply with it.
According to a press release from the California Attorney General’s Office, “the regulations would address some of the open issues raised by the CCPA and would be subject to enforcement by the [California] Department of Justice with remedies provided under the law.”
Now that the office has revealed the draft regulations, it is accepting public comments on them until Dec. 6.
The CCPA, enacted last year, will grant Californians the right to opt out of having businesses share or sell their personal data, and they may also have that data deleted by businesses and their service providers.
The law will generally apply to businesses that generate more than $25 million in annual revenue, handle personal data of more than 50,000 Californians, or derive more than half of their revenue from selling consumer data.
The CCPA will be a heavy lift for many companies that will have to staff up and install new processes to accommodate consumer data requests. An independent study prepared for the State of California found that the CCPA could cost companies $55 billion in initial compliance expenses. Businesses with more than 500 employees could spend an average of $2 million to get in line with the CCPA.
The proposed regulations outline what companies must include in their privacy policies and notices to consumers. For example, if companies give consumers a benefit or financial incentive in return for their personal information, the regulations call for a specific notice companies must give consumers about those incentives.
The detail the California Attorney General’s Office provides on notice requirements is at once “extremely helpful” and “extremely onerous,” according to Austin Chambers, a data privacy and security attorney and associate at Lewis Bess Williams & Weese in Denver. Overall, the draft regulations contain “a lot of new material, a lot of new obligations, and a lot of unanswered questions and new questions,” he said.
The draft rules also detail how companies are supposed to handle consumers’ requests to access their personal data and requests to delete it.
“The regulations represent a lot of technical processes that impacted businesses have to work through in a short timeframe,” said Chris Achatz, data privacy and security attorney at KO Law in Boulder. The CCPA represents new territory for most U.S. businesses that will be subject to it. Prior to the attorney general’s guidance, there’s been no model in the U.S. for how companies should respond to consumer requests for access to personal data or requests to delete it, Achatz added.
Some aspects of the CCPA will require confirmation processes that not even the EU’s GDPR requires of businesses, like double opt-in, Achatz said. A business must implement a two-step process to confirm a consumer’s deletion request. For many companies, that might mean a second confirmation via response to a separate email, although the regulations don’t specify a method to use.
The proposed regulations specify key timelines companies must follow. For example, they will have 10 days to confirm they’ve received a consumer’s request “to know” or delete their personal information and 45 to 90 days to respond to it. A “do not sell” opt-out requires a response in 15 days. Some CCPA timelines were only loosely laid out in the statute, Achatz said.
One of the big surprises in the draft regulations, Achatz and Chambers each said, is how they implicate online privacy controls or “Do Not Track” settings. When a consumer uses a browser plugin or privacy setting, the attorney general will consider it a request to opt out of data sharing under the CCPA.
Under existing California law, companies haven’t been required to honor California-based users’ Do Not Track requests, but rather just disclose in their privacy policy whether they do. For plugins or privacy settings to inherently signal a request to opt-out of sale would be a big deal, logistically speaking, “because it’s a technical request [that] requires a technical operational response,” Chambers said.
One of the lingering questions that the regulations leave unanswered is what constitutes a “sale” of personal data in marginal cases, Chambers said. A sale occurs under the CCPA when a business transfers data to another business or third party for “monetary or other valuable consideration.” The CCPA doesn’t define what valuable consideration is, however, and the draft regulations are likewise silent on it. When a business moves personal data around to other parts of the same business, that isn’t a sale subject to the CCPA. What’s less clear is whether data sales to business affiliates are subject to CCPA requirements, Chambers said.
For companies that haven’t had the help of data privacy counsel, Achatz said, “there’s a lot to unpack here” with little time left to do so before the Jan. 1 effective date.
— Doug Chartier