California’s Department of Justice has developed and released a draft of implementing regulations for the state’s upcoming data privacy law. The rules clarify how the state will enforce the California Consumer Privacy Act (CCPA) and explain what businesses have to do to ensure they are following the law.
The draft implementing regulations for CCPA groups the actions businesses have to take around five key components: how to notify consumers about what data is being collected; how to handle the consumer requests for information; how to verify the identity of consumers making the requests; how to handle requests for information for children younger than 16 years old; and what needs to be done to avoid discriminating against consumers who don’t want their data or sold. The comment period for the draft rules end Dec. 6.
Privacy is an “inalienable right” in California, and CCPA will reset “the power dynamic between [consumers] and businesses,” California Attorney General Xavier Becerra said at a press conference announcing the draft implementation. The CCPA “allows you to pull the curtain back and see what information companies have collected about you, so that if you want, you could have that data deleted.”
The implementation rules lay out the things businesses have to think about as CCPA becomes law. “We want businesses to understand consumers have rights,” Becerra said. “Everyone has an obligation to know their rights and responsibilities under CCPA.”
The CCPA isn’t just for businesses that collect data online. A business that “substantially interacts with consumers offline” also has to notify the consumer about the data being collected and provide an offline opt-out mechanism.
The new law also requires businesses to be “transparent” about the data’s value, so that “consumers know how their information is valuable to the business,” Becerra said. Towards that end, businesses have to clarify the “service difference” a business may offer in exchange of personal information, so that the consumer can make an informed decision.
California may be the first state to have such a far-reaching data privacy law, but it isn’t alone. However, most local laws have focused on one or two aspects of consumer privacy, such as opt-outs and collection. The breadth of California’s law means that companies have to make changes all across the data lifecycle. “We may be the first, but we won’t be the last.” Becerra said.
The law goes into effect on Jan. 1, but the rules implementing and enforcing the law won’t go into effect until July 1, said Stacey Schesser, California’s supervising deputy attorney general.