California AG releases proposed CCPA regulations

On October 10, California Attorney General Xavier Becerra (CA AG) released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA).

The CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons that provide drafting insights and outline considerations that likely will continue to guide the rulemaking process. The CA AG is accepting written comments from the public until 5:00pm (PST) on December 6, 2019.

The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized below:

1.     Privacy Notice Requirements

The proposed regulations emphasize that the pre-collection notice (a separate requirement from the online privacy policy) must describe the categories of PI to be collected and purposes for which each category will be used. The pre-collection notice is required for the collection of all personal information (PI). Such notice must be “visible or accessible where consumers will see it before any [PI] is collected.” For example, it can be provided by posting a link to the relevant information on the business’s website and, where a business collects PI at a bricks and mortar location, placing physical signage with the web address where the relevant information can be found. Notably, a business that intends to use previously collected PI for a new purpose not described in the pre-collection notice must obtain explicit consent from the consumer.

Businesses that do not directly collect PI from consumers are exempted from the pre-collection notice obligation but are required, before engaging in a sale, to take certain steps such as providing a pre-sale notice to consumers or contacting the source of the information to confirm they provided notice at collection and to obtaining from the source a signed attestation about their notice.

2.     Handling Consumer Requests

The proposed regulations would create training and record-keeping requirements and clarify acceptable methods for receiving and responding to consumer requests. Key provisions are listed below:

  • Acceptable methods for receiving consumer requests
    • Business’ means of interacting with consumers determine acceptable request methods.
    • Businesses may need to comply with deficient consumer requests, or requests submitted through non-designated methods.
    • Businesses must treat user-enabled privacy controls (e.g., browser plugins) as a valid method for submitting opt-out requests.
  • Requirements for responding to consumer requests
    • Businesses must provide individualized responses to requests for information about collection, use, and disclosure of PI (e.g., cannot rely on privacy policy) unless the information in the privacy policy would be the same for all consumers.
    • Businesses are prohibited from disclosing certain sensitive PI in response to a request under any circumstances (e.g., SSN, driver’s license number, health insurance or medical identification number).
    • Sale opt-out requests have a 15 day deadline.
    • Businesses must forward sale opt-out requests to all third parties to whom the business has sold the consumer’s PI in the past 90 days (and notify the consumer when this process is complete).
    • Businesses may limit responses for access requests to household data.
  • Deleting PI pursuant to consumer requests
    • Businesses can “delete” PI via (1) outright deletion, (2) deidentificaiton, or (3) aggregation.
  • Record keeping requirements
    • Large businesses (annually processing PI of 4 million or more consumers) must compile and publish metrics on their receipt of and response to consumer requests.

3.     Verification of Consumer Requests

The proposed regulations require businesses to adopt different standards for verifying consumer requests (“reasonable” vs. “reasonably high” degree of certainty) depending on the type of request received, the type of PI involved, and the business relationship with the consumer. “Reasonable” verification may involve matching two pieces of PI from the requestor to the business’s records, while “reasonably high” verification may involve matching three pieces of PI and obtaining a signed declaration from consumer. In addition, the proposed regulations require businesses to implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access and deletion of PI.

4.    Rules Regarding Minors

The proposed regulations clarify that the CCPA’s requirement that businesses obtain consent from parents/guardians before selling the PI of children under 13 is separate from the consent required under the Children’s Online Privacy Protection Act (COPPA) and provides examples of reasonable methods for determining that the individual consenting to such sales is the child’s parent/guardian.

5.    Non-Discrimination

The proposed regulations allow businesses to treat consumers differently (including by denying certain CCPA rights) if the differential treatment is reasonably related to the value of the consumer’s data. They also provide businesses with examples of reasonable methods for calculating the value of consumer data (for financial incentive and differential treatment reasons).

Public Comment Hearings on the Proposed Regulations

The CA AG will also host four public forums in various California cities to solicit live feedback. The public forums are scheduled as follows:

Monday, Dec. 2, 2019, 10 a.m.
CalEPA Building, Coastal Room 2nd Floor, 1001 I St., Sacramento, CA 95814

Los Angeles
Tuesday, Dec. 3, 2019, 10 a.m.
Ronald Reagan Building, Auditorium 1st Floor, 300 S. Spring St., Los Angeles, CA 90013

San Francisco
Wednesday, Dec. 4, 2019, 10 a.m.
Milton Marks Conference Center, Lower Level, 455 Golden Gate Ave., San Francisco, CA 94102

Thursday, Dec. 5, 2019, 10 a.m.
Hugh Burns Building, Assembly Room #1036, 2550 Mariposa Mall, Fresno, CA 93721


Authored by Mark Brennan, Timothy Tobin, Bret Cohen, Melissa Bianchi, Ryan Woo, Jonathan Hirsch and Julian Flamant


This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.