We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
08 November 2019
On October 10, California Attorney General Xavier Becerra (CA AG) released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons that provide drafting insights and outline considerations that likely will continue to guide the rulemaking process. The CA AG is accepting written comments from the public until 5:00pm (PST) on December 6, 2019.
The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized below:
Businesses that do not directly collect PI from consumers are exempted from the pre-collection notice obligation but are required, before engaging in a sale, to take certain steps such as providing a pre-sale notice to consumers or contacting the source of the information to confirm they provided notice at collection and to obtaining from the source a signed attestation about their notice.
The proposed regulations would create training and record-keeping requirements and clarify acceptable methods for receiving and responding to consumer requests. Key provisions are listed below:
The proposed regulations require businesses to adopt different standards for verifying consumer requests ("reasonable" vs. "reasonably high" degree of certainty) depending on the type of request received, the type of PI involved, and the business relationship with the consumer. "Reasonable" verification may involve matching two pieces of PI from the requestor to the business's records, while "reasonably high" verification may involve matching three pieces of PI and obtaining a signed declaration from consumer. In addition, the proposed regulations require businesses to implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access and deletion of PI.
The proposed regulations clarify that the CCPA's requirement that businesses obtain consent from parents/guardians before selling the PI of children under 13 is separate from the consent required under the Children's Online Privacy Protection Act (COPPA) and provides examples of reasonable methods for determining that the individual consenting to such sales is the child's parent/guardian.
The proposed regulations allow businesses to treat consumers differently (including by denying certain CCPA rights) if the differential treatment is reasonably related to the value of the consumer's data. They also provide businesses with examples of reasonable methods for calculating the value of consumer data (for financial incentive and differential treatment reasons).
For further information on this topic please contact Mark M Brennan, Timothy P Tobin, Bret S Cohen or Melissa K Bianchi at at Hogan Lovells by telephone (+1 202 637 5600) or email (email@example.com, firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.