Yesterday, the California Attorney General and team held a press conference announcing the release of the long-awaited draft regulations implementing the California Consumer Privacy Act or the CCPA. Today kicks off the official comment period for the proposed rules, and based on initial reactions to the draft regs and the Initial Statement of Reasons underlying the proposal, there will be a great many submitting constructive criticism through the December 6 deadline.

While arguably ‘simply implementing’ the statute, it is clear that the AG’s team aims to bring the CCPA closer to the EU GDPR in some ways. In others, such as the new concern about businesses with higher volumes of personal information, the proposed rules are genuinely moving the goal posts for companies to comply. Given the fact that January 1, 2020 is coming (let’s just call it “Winter”) soon and the statute has a 12 month look back period, companies must scramble to understand how these draft rules will impact their business, assuming that the submitted comments do not result in material changes to the proposed regulations.

Here are just some of the key brain benders – to be followed by our more detailed analysis in the coming days.

  • Verifiable Requests – Authenticate Requestors (but don’t collect more data, put any data at risk, allow fraud…): There are a number of provisions related to how businesses authenticate consumers to confirm verifiable requests. It’s clear that businesses should avoid requiring collection of additional personal data to verify the request; however, the rules suggest a risk-based approach is required as to the rigorousness of the verification process (depending on sensitivity of the data and risk if the data lands in the wrong hands). But don’t worry- you can also engage a service provider to complete the verification for you.


  • Using Data from Another Data Source? Diligence is On You: Before selling data, a business that doesn’t collect data directly from consumers must either: 1) contact consumers to provide notice and the choice to opt-out; or 2) confirm that the data source provided appropriate notice to consumers and obtain an attestation from the data source describing how notice was given at the point of collection and a copy of the notice.


  • Adhere to Deletion Requests… Mostly: The rules set forth a two-step deletion process and businesses must acknowledge receipt of the request within 10 days. Alternatives to deletion include de-identifying or aggregating the personal information. For back-ups and archives, businesses can postpone deletion on those repositories until “next accessed or used” (which could be never?).


  • Evidence Your Good Work: Training (specific to the CCPA and final regs) and good record keeping will be essential. Logs of consumer requests and responses to the request must be maintained for 2 years and the content of the logs/records is also prescribed.


  • Attention Service Providers – Particularly Payment Vendors and the Like: For service providers thinking they would forever be fighting off limitations on data use across customers, the rules allow service providers to combine personal data collected from one or more businesses to which it provides services, when necessary to detect fraud, security incidents, or illegal activity. In other words, services where a vendor needs to combine data from each of its business customers in order to provide fraud prevention services to those customers will be allowed (e.g., credit card fraud at the point of sale).


  • Businesses with High-Volumes of Data, Here’s Your Call to the Carpet: Businesses that handle the personal data of > 4MM consumers must compile specific stats on consumer requests, responses, response times, and other details for the various categories of individual rights and post the previous year’s stats in the business’s privacy policy or on its website.


  • Equal and Fair Service and Fees to All… Unless You Properly Valuate Consumer Data: Charging a different price or providing disparate levels of service depending on whether a consumer exercised rights under the CCPA is discriminatory and prohibited unless the differences are reasonably related to the value of the consumer’s data. You may wonder, how do you determine the value of a consumer’s data to the business? Simply apply a reasonable, good faith method of calculation (balancing a number of factors set forth in the rules that would seem difficult to numerically quantify).

  Stay tuned to the blog over the coming week for our initial take on what these might mean for those subject to the CCPA.