California Attorney General Publishes Proposed Regulations Implementing CCPA

What Does This Mean for Covered Businesses?

Two important privacy law developments took place last week in California. On 10 October 2019, the California Attorney General (AG) published its proposed regulations under the California Consumer Privacy Act (CCPA), and on 11 October 2019, Governor Gavin Newsom signed several bills that were passed in mid-September amending the CCPA (click here for a summary of those amendments).

In this alert, we summarize some of the key requirements in the proposed CCPA regulations. While they clarify some aspects of California’s new comprehensive privacy law, they also expand on and introduce new requirements and regulatory ambiguities. At this point, these regulations are still in draft, and the AG is formally soliciting public comments until December 6, 2019. Since the CCPA will become operative just a few weeks later on January 1, 2020, companies should carefully consider these regulatory developments as part of any ongoing work to achieve CCPA readiness.

signing the papers

Privacy Notices

The CCPA requires a business subject to the statute to provide various privacy notices to California residents, including one at or before the point at which it collects their personal information (“notice at collection”), one that tells them how they can opt out of the selling of their personal information (“notice of right to opt-out”), one that tells them about any financial incentives it offers in exchange for retaining or selling their personal information (“notice of financial incentive”), and a comprehensive online privacy policy.

data protection

The regulations, however, contain detailed requirements regarding where these notices must appear and what they must say, and also require all notices to:

  • Be easy to read and understandable to an average consumer.

  • Use plain language and avoid technical or legal jargon.

  • Use a format that draws the individual's attention to them and makes them readable, including on smaller screens, if applicable.

  • Be available in the languages that the organization ordinarily uses in its ordinary course of business.

  • Be accessible to individuals with disabilities.
man in office

The following are examples of other noteworthy requirements proposed by the AG:

Notice at Collection: A business must describe the categories of personal information that it will collect from California residents in a manner that provides them with a meaningful understanding of the information being collected and, for each category of personal information, the business or commercial purposes for which it will be used.

A business may only collect from California residents the categories of personal information listed in such notice, and if a business wishes to use personal information for a purpose not previously disclosed in the notice, it must obtain explicit consent before doing so.

Moreover, if a business does not collect information directly from California residents, it need not provide them with a notice at collection, but additional requirements apply if that business intends to sell the information.

turkey law

Notice of Right to Opt-Out: This only applies to businesses that sell personal information. A business is not required to provide this notice to the extent that it does not and will not sell personal information, and states this in its privacy policy. If a business is required to provide this notice, then it must:

  • Include a description of California residents' right to opt-out.

  • Incorporate a webform consumers can use to submit a request to opt-out (or an offline equivalent if the business does not operate a website).

  • Describe the proof required if a California consumer wishes to use an authorized agent to exercise their right to opt-out.

The business must also provide a clear and conspicuous link to this notice entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on any webpage where it collects California residents’ personal information.

Notice of Financial Incentive: If a business offers a financial incentive (e.g., a discount to use a service) to California residents in exchange for the right to collect, retain, or sell their personal information—which is only permitted if the value of the incentive is reasonably related to the value of the individual’s data—the business must provide a notice that:

  • Summarizes the incentive.

  • Describes the material terms of the incentive (including the categories of personal information implicated)

  • Explains how the California resident can opt-in to and withdraw from the incentive.

  • Outlines why the incentive is permitted under the CCPA based on the value of the data at issue.

A business must use and document a reasonable and good faith method for calculating the value of the consumer’s data based on a list of factors in the regulations (read more about CCPA compliance in California).

Privacy Policy: The privacy policy must include detailed information about how a business processes California residents’ personal information. For example, for each category of personal information that the business collects from California residents, the business must specify the:

  • Categories of sources from which that information was collected.

  • Business or commercial purposes for which the information was collected.

  • Categories of third parties with whom the business shares personal information.

The privacy policy must also include detailed information about California residents’ rights under the CCPA and how they can exercise them, including how a California resident can designate an authorized agent to make a CCPA request on their behalf.

Metrics: If a business processes the personal information of 4 million or more California residents, it must compile metrics regarding how many of each type of CCPA request it received and the median number of days within which it substantively responded to them; these metrics must be included in or via the business’ privacy policy.

Handling and Verifying CCPA Requests

The CCPA establishes new privacy rights for California residents, including the right to access copies of the information that a business holds about them and other details about how their information is processed (“right to know”), the right to have a business delete certain information about them (“right to delete”), and the right to opt out of a business’ selling of personal information about them (“right to opt-out”). The AG’s draft regulations, however, go on to clarify that it is the primarily responsibility of a business—and not a service provider—to give effect to these rights with respect to the personal information that it processes as a business under the CCPA. The regulations also include detailed requirements regarding how companies must handle requests to exercise CCPA rights, including the channels that must be made available for individuals to submit their requests, the content and timeline of responses, and how to verify the identity of the requestor. For example, consider the following.


Requests to Know: Businesses have 10 days to confirm receipt of the request and 45 days by default to respond to it. Businesses may take into account security risks when determining how to respond to requests, and is prohibited from disclosing certain sensitive categories of information to requestors, including Social Security numbers, government ID numbers, passwords and security questions and answers. If a California resident seeks details about how a business uses personal information about them, the response must generally be individualized to the requestor and explain how the specific personal information was processed. Denials of requests must also be explained.

Requests to Delete: Businesses must implement a two-step process to receive, and then confirm deletion requests. Businesses have 10 days to confirm receipt and 45 days by default to respond. A business may give effect to a request by permanently erasing, de-identifying, or aggregating the personal information at issue. There is a limited exception for backup and archived copies of personal information. If a business relies on a statutory exception to deny the request, it must explain the basis of the denial, delete any information outside the scope of the exception, and not use personal information about the requestor except in accordance with the exception. If a business cannot verify the identity of the requestor, it must treat the request as a request to opt-out of sale.

delete button

Requests to Opt-Out: Businesses that collect personal information online must treat user-enabled privacy controls (such as a browser plugin, privacy setting or other mechanism) that communicate or signal California residents’ choice to opt-out of the sale of their personal information as a valid opt-out request.

A business must act on a request to opt-out as soon as feasibly possible and no later than 15 days from receipt, and has 90 days to instruct all third parties to whom it sold personal information about the California resident to not further sell the information, following which the business must notify the individual that this has been completed. Businesses must respond to requests to opt-out even if they are not verified, but there is an exception if they believe the request is fraudulent. This elaboration of CCPA’s opt-out requirements could prove challenging for organizations to implement.

15 days to opt out

Verification: The regulations establish certain principles and rules regarding how businesses must verify the identity of requestors, which vary based on the type of personal information and request at issue. For example, the more sensitive the information at issue, the more stringent the verification process must be. Verifying the identity of an individual who wishes to know the categories of personal information processed about them requires a “reasonable degree of certainty,” whereas verifying the identity of an individual who wishes to know the specific pieces of personal information that a business holds about them requires a “high degree of certainty.”

Little clarity is provided on how to implement these regulatory standards.

green check

Also, businesses must generally avoid requesting additional information from the consumer for purposes of verification, though it may do so if necessary, in which case they must delete any such additional information as soon as practical after processing the request except pursuant to prescribed record-keeping requirements.

Authorized Agents: When a consumer uses an authorized agent to submit a request to know or delete, a business can require: (i) the authorized agent to submit a written permission with the request to know or delete; and (ii) the consumer to directly verify their identity with the business. If the proof is not submitted, the business may deny the request. This does not apply if the authorized agent is acting under power of attorney pursuant to Probate Code sections 4000 and 4465.

Special Rules Regarding Minors

The CCPA prohibits businesses from selling the personal information of children under 13 who reside in California without the affirmative authorization of their parent or guardian, and prohibits such sales without the minor’s affirmative authorization if they are between 13-15 years of age. The AG’s regulations clarify that affirmative authorization requirements apply in addition to any consents required under the U.S. Children’s Online Privacy Protection Act.

minors online

The regulations also require a business that has actual knowledge that it collects or maintains the personal information of minors to implement specific processes to obtain affirmative authorization to sell minors’ personal information and describe these processes in its privacy policy. All businesses are required to state in their privacy policy whether or not they sell the personal information of minors under 16 years of age without affirmative authorization.

Again, it is important to note that the AG’s regulations are still in draft, and more developments may unfold once the official public comment period ends on December 6, 2019. In the meantime, if you have any questions about this legislative development or any other privacy or technology law matter, please do not hesitate to reach out to one of the Contact Partners listed below.

Leave a Comment