On October 10, 2019, California Attorney General Xavier Becerra released proposed regulations to implement the California Consumer Privacy Act. These regulations focus on one aspect of the CCPA, the consumer’s new rights under the law, and give businesses guidance on how to effectuate these rights and comply with the law. The release triggers the process of public comment and finalization of the rule, which will extend into 2020.
The proposed regulations provide specific details about how the AG expects businesses to notify consumers about data collection and use. For example, the regulations propose required features for data collection notices, such as 1) a list of the types of data collected, 2) the business purpose for collecting the data, and 3) how to request that a business not sell the consumer’s data. Similarly, the proposed regulations set out required elements for privacy policies, including 1) an explanation of the consumer’s rights, 2) instructions for consumers to request or delete their data, and 3) how to request more information about the company’s privacy policies. While these specific requirements are not final regulations, all businesses should keep them in mind as they develop their CCPA compliance programs.
The most significant piece missing from the proposed regulations is any specific detail about the standards for determining whether a company’s data security measures are “reasonable” for purposes of the private right of action. The CCPA allows consumers to sue businesses after an unauthorized access to their data. The business is liable for the access, even if no injury occurs, if the business did not “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Civil Code § 1798.150(a). There was hope that the AG would adopt regulations that give greater clarity to this standard, but the proposed regulations are silent on this point.
The fact that the AG released these proposed rules is significant for two reasons. The first is that they are a model for how businesses should comply with the consumer-facing aspects of the CCPA. Even while these regulations are still in the proposed stage, they give more clarity and provide a good outline of what the final rules will look like. The second is that the AG had previously stated that his office would not begin enforcement actions until the regulations were approved or until July of 2020, whichever came first. There is still a good chance these regulations will not be finalized by July of 2020, but now that they have been published, every business should be on notice that enforcement could come earlier than previously expected and should start planning its compliance now if it has not already begun to do so.