On October 10, 2019, the California Attorney General released the much-anticipated California Consumer Privacy Act (CCPA) proposed regulations – providing some clarity to the strict data privacy law. The proposed regulations were divided into four key areas: notices to consumers, consumer requests, verification requirements, and special considerations for minors. What do you need to know about these regulations? How will they impact your organization’s CCPA compliance efforts? Let’s discuss.
CCPA Proposed Regulations: An Overview
1. Notices to Consumers
One of the key initiatives behind CCPA is giving consumers more autonomy over what happens to their personal information. In order to ensure that this happens, the Attorney General gave more direction on the types of notices businesses must give to consumers. To comply with CCPA, companies must provide notice of the following:
- Notice at Collection of Personal Information
- Notice of Right to Opt-Out of Sale of Personal Information
- Notice of Financial Incentive
In addition, according to the proposed regulations, each of the required notices must adhere to the following criteria:
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.
- Be available in the languages that the business, in its ordinary course, provides contracts, disclaimers, sale announcements, and other information to consumers.
- Be accessible to consumers with disabilities; at a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.
- Be available online or at a physical location where consumers will see it before opting into the financial incentive or price or service difference.
2. Consumer Requests
Businesses must also be sure to include methods for consumers to submit requests about their personal information. According to the regulations, entities must:
- Have at least two methods for consumers to request to know and/or delete their personal information. These might include a toll-free number, an online form, an email address, or a form submitted through the mail.
- Take into consideration the primary way the business interacts with consumers when deciding which methods to use for collecting consumer requests. For example, if an organization conducts most of its business online, then an online form and a toll-free number would be appropriate. Conversely, if a business primarily interacts with consumers both online and in person, three collection methods would be necessary (i.e. an online form, a form to be mailed, and a toll-free number).
- Confirm receipt of consumer requests to know and/or delete within 10 days and respond to consumer requests to know and/or delete within 45 days – beginning on the day on which the request is submitted.
- Use a two-step process for online requests to delete, in which the consumer must first clearly submit the request to delete and then, second, separately confirm that they want their personal information deleted.
3. Verification Requirements
While consumers will have greater control over what happens to their personal information under CCPA, the Attorney General made it clear that businesses are responsible for verifying the identity of all persons requesting to know or delete their data. The regulations provide verification requirements for password-protected accounts, non-account holders, and authorized agents. They also give general guidance for verifying consumers’ identities, including:
- Establish and document a reasonable method for verifying the identity of consumers requesting to know and/or delete personal information.
- Use the personal information already collected about consumers to match with verifying information. Businesses should avoid collecting any new personal information, when feasible.
- Implement reasonable measures to detect fraudulent identity-verification activity.
4. Special Considerations for Minors
According to KirkpatrickPrice Director of Regulatory Compliance and data privacy expert Mark Hinely, organizations that process the personal information of minors should pay close attention to the Attorney General’s proposed regulations.
- When processing the data of minors younger than 13, organizations must establish and document a reasonable method for determining the identity of the parent or guardian of the child authorizing the sale of the personal information.
- When processing the data of minors between 13 and 16, organizations must establish and document a reasonable method for 13-to-16-year-olds to opt in to the sale of their personal information. Those in this age range must also be reminded of their right to opt out of the sale of their personal information at a later date.
With CCPA enforcement only two months away, are you sure your organization adheres to these updates? These regulations are bound to change over the next few months, and it’s imperative that you stay on top of the latest updates if your business is required to comply with the data privacy law. Let KirkpatrickPrice help keep you updated – subscribe to our blog or contact us today to speak to one of our data privacy experts about how we can partner with you to ensure compliance with these regulations and conquer CCPA.