
California Releases Draft Rules for CCPA

California’s Department of Justice has developed and released a draft of implementing regulations for the state’s upcoming data privacy law. The rules clarify how the state will enforce the California Consumer Privacy Act (CCPA) and explain what businesses have to do to ensure they are following the law.

The draft implementing regulations for CCPA group the actions businesses have to take around five key components: how to notify consumers about what data is being collected; how to handle consumer requests for information; how to verify the identity of consumers making the requests; how to handle requests for information about children younger than 16 years old; and what needs to be done to avoid discriminating against consumers who don’t want their data collected or sold. The comment period for the draft rules ends Dec. 6.

Privacy is an “inalienable right” in California, and CCPA will reset “the power dynamic between [consumers] and businesses,” California Attorney General Xavier Becerra said at a press conference announcing the draft implementation. The CCPA “allows you to pull the curtain back and see what information companies have collected about you, so that if you want, you could have that data deleted.”

The implementation rules lay out the things businesses have to think about as CCPA becomes law. “We want businesses to understand consumers have rights,” Becerra said. “Everyone has an obligation to know their rights and responsibilities under CCPA.”

Law's Five Elements

Businesses are required to notify consumers of their rights under CCPA “either at or before the point of data collection,” Becerra said. The rules clarify that businesses can meet that provision by conspicuously posting a link to the notice on all the webpages where information is being collected, or on the mobile application’s download page. The notice has to clearly let consumers know what categories of personal information are being collected, and the purposes for which the information will be used, in a way “that is easy to read and understandable to an average consumer.” That means using straightforward terms—in the local language—and using a format that draws the consumer’s attention.

No putting the policy in tiny font that is too hard to read on a mobile screen, for example. If it isn’t accessible to consumers with disabilities, that would violate CCPA.

“As consumers, we decide the websites we spend time on and the businesses we visit,” Becerra said. “We should also understand what information the business is collecting about us and why. And we should have a say in whether they can share it with others. It would also allow you to say to the company ‘you can use this data on me for your own purposes, but you aren’t allowed to sell it to other companies or data brokers.’”

If the consumer has used a technical mechanism to opt out of data collection, such as enabling the “Do Not Track” setting in the web browser, the business has to respect and honor that signal, Becerra said. Businesses cannot require consumers to opt out separately with each company.

The CCPA isn’t just for businesses that collect data online. A business that “substantially interacts with consumers offline” also has to notify the consumer about the data being collected and provide an offline opt-out mechanism.

The new law also requires businesses to be “transparent” about the data’s value, so that “consumers know how their information is valuable to the business,” Becerra said. Toward that end, businesses have to clarify the “service difference” a business may offer in exchange for personal information, so that the consumer can make an informed decision.

Businesses can provide a “good-faith estimate of the value of the consumer’s data,” to explain the difference in service when opting in for data collection and opting out, the draft said. Businesses also can’t punish consumers for not agreeing to data collection or sharing.

“If you ask for a company to delete your data, that company wouldn’t be able to block you from accessing a rewards program as a means to incentivize you into sharing your data unless they can show that the reward is reasonably related to the value of your data,” Becerra said.

Future of Privacy

One of the biggest concerns among technology companies with business interests in California was that a far-reaching law such as CCPA would stifle innovation. There is also some concern about how much it would cost businesses to get ready for the law. A report prepared for the attorney general pegged the CCPA’s initial compliance costs at $55 billion.

Becerra said businesses would have “an appropriate degree of flexibility in coming up with processes and procedures for complying with the CCPA and responding to and verifying requests from consumers.” The law takes into account the size of the business and the industry it is in, and the rules discuss how the differences affect businesses. There are different metrics to track, and different ways to respond.

“We believe innovation shouldn’t come at the expense of privacy. We know we can have both. California can walk and chew gum,” Becerra said.

California may be the first state to have such a far-reaching data privacy law, but it isn't alone. However, most local laws have focused on one or two aspects of consumer privacy, such as opt-outs and collection. The breadth of California's law means that companies have to make changes all across the data lifecycle. “We may be the first, but we won’t be the last,” Becerra said.

The law goes into effect on Jan. 1, but the rules implementing and enforcing the law won’t go into effect until July 1, said Stacey Schesser, California’s supervising deputy attorney general.

“Our personal information, like gold, is precious to each of us,” Becerra said. "Help us get this right."