California Attorney General Xavier Becerra on Thursday released long-awaited proposed regulations to set forth how the state will enforce its tough new privacy law. The law, known as the California Consumer Privacy Act (CCPA), provides consumers control over how businesses collect and manage their personal data.
The proposed regulations require companies to notify individuals of their data privacy rights in plain language and to verify people’s identities before releasing data. The draft regulations also spell out ways people can ask for their personal information to be deleted from company databases.
The proposal includes specific requirements that businesses must comply with, such as including a “do not sell” link for consumers. Businesses would be required to treat consumer choices made in privacy settings as valid opt-out requests.
Other key requirements in the proposed regulation include:
- Companies must provide at least two ways for people to request what specific information the company possesses about them. In most cases, a toll-free number and an online form would suffice;
- To request deletion, people would first have to indicate they want their information to be erased and then confirm the decision in a two-step process;
- Companies would need to verify that a person requesting data is actually that person, which can be done by matching information in the request with information the company has collected over time;
- Companies could delete data by completely erasing it from company systems, by removing enough information so it can no longer be associated with a named person, or by aggregating it so it’s part of large groups of data;
- Companies that serve at least 4 million Californians would also need to publish an annual report noting the number of requests they get from people to see their own information, delete the information or opt out from sale;
- Third-party data brokers, which sell data for advertising and other purposes, would need to make sure people are properly notified that their data is being collected.
The CCPA is the most stringent data privacy protection in the nation. Implementation of the regulations could cost companies between $467 million and $16.5 billion between 2020 and 2030, according to estimates from the Attorney General’s office.
The deadline for submitting comments to the California AG’s office regarding the proposed CCPA rules is Dec. 6.