Revised Privacy Regulations Would Amplify Online Definitions, Data Collection

Enforcement of the landmark California Consumer Privacy Act isn't expected to begin until this summer, and the state Attorney General's Office continues to refine standards for how personal information may be collected.

The state Office of the Attorney General (OAG) continues to review public comment on its revised draft of regulations resulting from the landmark approval of last year’s California Consumer Privacy Act (CCPA).

Lawmakers approved the CCPA, Gov. Gavin Newsom signed it, and it took effect Jan. 1. But enforcement won’t begin until final regulations, due by July 1, are released. The OAG received more than 200 comments totaling more than 1,000 pages, following its first draft regulations release Oct. 10. Responses to its second draft release were due Tuesday. The OAG will either release revised regulations or finalize them and send them to the state Office of Administrative Law for approval.

Exact enforcement details aren’t known, but it’s clear the law won’t apply to all businesses. The CCPA applies to businesses with gross annual revenues of more than $25 million; those that buy, sell or receive the personal information (PI) of 50,000 or more consumers, households, or devices; and those that get 50 percent or more of their annual revenue by selling consumers’ PI. Among notable proposed changes to the law thus far:

• Several proposed definitions were partially revised including “categories of sources” — significantly expanded to include “advertising networks, internet service providers, data analytics providers … operating systems and platforms, social networks and data brokers … .” The law’s proposed definition of “household” was expanded to specify a person or group of people who live at the same address, “share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier … .”

• Wholly new definitions include “signed,” to mean something “has either been physically signed or provided electronically per the Uniform Electronic Transactions Act”; “value of the consumer’s data,” meaning the value a customer’s data provides to a business; and “employment-related information,” or PI collected about a person for reasons identified in civil code.

“The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose,” the draft now reads.

• Among the required notices to consumers proposed, the law calls for businesses subject to complying to “provide a privacy policy in accordance with the CCPA”; for those that collect PI from consumers to “provide a notice at collection in accordance with the CCPA”; and for those that sell PI to “provide a notice of right to opt-out in accordance with the CCPA.”

The law also proposes adding a section requiring businesses that collect PI from mobile devices “for a purpose that the consumer would not reasonably expect” to provide “a just-in-time notice” summarizing categories of PI being collected and a link to a full notice.

• Proposed changes to the right to opt out of sale section include a specified location for an online opt-out button — and require it to be the same size as other buttons; and the specification that businesses can’t sell PI collected when they didn’t have opt-out notices posted, unless customers authorize that.

• The OAG has updated a section on proposed responses to requests from consumers to know what information a business possesses, adding “unique biometric data generated from measurements or technical analysis of human characteristics” to a list of non-discoverable data like Social Security and driver’s license numbers. The OAG also proposes requiring businesses that sell PI to ask customers if they’d like to opt out if they haven’t already asked to do so; and it proposes barring service providers from selling data on behalf of a business if a consumer has opted out of the sale of their PI with that business.

The OAG also proposes specifying that “a business shall not require the consumer to pay a fee for the verification of their request to know or request to delete”; and that “for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons to the business and not just consumers.”

Theo Douglas is Assistant Managing Editor of Industry Insider — California.