As part of the requirements for the enactment of the California Consumer Privacy Act, Xavier Becerra, the Attorney General of California, yesterday released proposed regulations that address how the law will be implemented.
A comment period regarding the proposed regulations is now open and four public hearings will be held in different cities in California in early December to allow individuals to submit comments in person or in writing. The public hearings will be held on Dec. 2 in Sacramento, Dec. 3 in Los Angeles, Dec. 4 in San Francisco, and Dec. 5 in Fresno.
A copy of the 24-page regulation can be accessed by clicking here. The regulations set forth the guidelines that companies will have to follow in order to comply with the CCPA, and address “some of the open issues raised by the CCPA,” according to a statement from Becerra. Among some of the regulations proposed are:
- A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
- What should be included in a company’s privacy policy, such as listing the categories of personal information that have been collected about consumers, and explaining that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells.
- How consumers can request deletion of their personal information.
- Companies would be required to provide two or more designated methods for consumers to submit Right to Know or Requests to Delete, such as a toll-free telephone number, and if the business operates a website, an interactive webform accessible through the business’s website or mobile application. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.
- Companies would be required to confirm receipt of a Right to Know or Request to Delete within 10 days and respond within 45 days.
“Knowledge is power, and in the internet age knowledge is derived from data. Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private,” said Attorney General Becerra. “We take a historic step forward today to protect Californians’ inalienable right to privacy. Once again, California leads the way putting people first in the Age of the Internet.”
The CCPA was enacted last year and is not scheduled to go into effect until Jan. 1, 2020, but the law gives individuals the right to ask for all of the personal information stored about them by companies for the preceding 12 months. The law gives consumers access to the information stored about them by companies and the right to request that information be deleted.