skip to main content

October 11, 2019

Stroock Special Bulletin

By: Quyen T. Truong, Christopher R. Fredrich

Yesterday, the California Attorney General’s Office (AG) published proposed regulations to implement the California Consumer Privacy Act (CCPA), the nation’s most stringent and comprehensive privacy law. The CCPA, which goes into effect on January 1, 2020, grants consumers new rights relating to access to, deletion of, and sharing of “personal information” (PI) collected by businesses. As we expected, the proposed regulations provide no relief but do flesh out some key aspects of the CCPA, including providing guidance on the content and delivery of privacy notices and policies, businesses’ verification and handling of consumer requests, and requirements for training and recordkeeping. The AG will hold four public hearings – on December 2 (Sacramento), 3 (Los Angeles), 4 (San Francisco) and 5 (Fresno) – and will accept written comments on its proposed regulations until December 6, 2019.

The proposed regulations operationalize and clarify the CCPA in the following areas, among others:

Rules regarding privacy policies and notices – specifically: (1) notice at or before the collection of PI; (2) notice of the right to opt out of the “sale” (disclosure) of PI; (3) notice of financial incentives; and (4) the business’s online and offline privacy policy. Unfortunately, the proposal does not address how its requirements interact with other State and Federal notice requirements (e.g., requirements of the Gramm-Leach-Bliley Act), including other California laws, nor provide model language for the privacy policy and notices to facilitate compliance.

Instead, the proposal identifies the mandatory information to be included in each of those notices and specifies that they must use “plain, straightforward language” in a “format that draws the consumer’s attention to the notice” and be available in the languages in which the business ordinarily provides contracts, disclosures or information to consumers. The proposal further details how the business must provide its privacy policy and notices, a description and instructions for the consumer’s exercise of their rights under the CCPA, etc. Some aspects of this framework will present particular practical challenges. For instance, if a business intends to use PI for a purpose that was not disclosed at the time of collection, it must “directly notify the consumer of this new use and obtain explicit consent.”

Rules regarding notice of financial incentives: One area of helpful clarification is the proposal’s guidance on providing notice of financial incentives, price or service differences offered by the business in exchange for the retention or sale of a consumer’s PI. A business may offer a price or service difference if it is reasonably related to the value to the business of the consumer’s data.  The proposed regulations offer guidance for calculating this value and require a business to disclose in any notice of financial incentive why it is permitted under the CCPA, including an estimate of the value to the business of the consumer’s data and a description of how it was calculated. The proposal also includes guidelines relating to the CCPA’s prohibition on discriminatory financial incentives or price or service differences if a consumer exercises a right conferred by the CCPA.

Rules for handling of consumer requests, including the methods by which consumers can submit requests and the timeframes for responding to them: Businesses must designate two or more methods for consumers to submit requests to know about their personal information and requests to delete, with at least one method reflecting the manner in which the business primarily interacts with the consumer. The methods must include, at a minimum, a toll-free number and a website (if the business operates online). Businesses must confirm receipt of a request within 10 days and respond within 45 days; however, a business may extend the 45-day response period up to an additional 45 days (for a maximum of 90 days) if it explains why additional time is needed.

In regards to requests to know, the proposed regulations specifically prohibit businesses from disclosing certain sensitive information such as a consumer’s identification numbers, financial account number and passwords -- which also happen to be data elements that would expose businesses to the CCPA private right of action for data breaches. A business also should not “provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”

A business must respond to an opt-out request within 15 days and must notify and require compliance by all third parties to whom it sold the consumer’s personal information in the 90-day period prior to receiving the consumer’s request. The proposed regulations also address other subjects, such as service provider responses, circumstances under which a business may deny a request, and handling of requests made by authorized agents and requests pertaining to household information.

Rules for verification of the identity of consumers making requests: Where the amendments recently passed by the California legislature increased flexibility for businesses, the proposed regulations arguably impose more compliance obligations for businesses to establish a “reasonable” method to verify consumer requests “to a reasonable degree of certainty.” The proposal requires businesses to consider the sensitivity of the personal information at issue and the risk of harm posed by unauthorized access or deletion. For consumers with password-protected accounts, the business may verify a consumer’s identity through existing authentication practices if those practices include reasonable security measures to detect fraud.  For non-accountholders, the verification process depends on the type of consumer request, i.e., whether it is a request to know categories of personal information collected (a “reasonable degree of certainty” is required, matching at least two data points), a request to know specific pieces of personal information collected (a “reasonably high degree of certainty,” matching at least three data points and requiring a signed declaration under penalty of perjury from the consumer), or a request to delete (for which either the “reasonable” or “reasonably high” standards may apply, depending on the sensitivity of the particular personal information).

Other proposed regulations:  The proposal also addresses business obligations in other areas, including for example:

  • Rules requiring CCPA training for all individuals responsible for handling consumer inquiries;
  • Rules requiring procedures for record-keeping and maintenance of records of consumer requests and responses for at least 24 months; and
  • Rules for verification of identity and obtaining opt-in consent relating to the collection and sale of the personal information of minors under 13 years old, which requires parental or guardian consent, and minors 13 to 16 years old.

The CCPA authorizes the AG to begin enforcement six months after publication of the final implementing regulations or on July 1, 2020, whichever comes first. The AG, however, has warned us that enforcement will cover business activities going back to January 1, 2020. And the plaintiffs’ bar will seek to get active beginning January 1. In addition, as discussed in our September 27, 2019 bulletin, a new ballot initiative expected to be on the November 2020 ballot would expand the requirements of the CCPA and create a new California Privacy Protection Agency to pursue enforcement.


The attorneys of Stroock’s Financial Services Litigation, Regulation and Enforcement Group are well positioned to answer your questions about California’s evolving privacy framework, as well as other privacy and cybersecurity issues.  

Quyen T. Truong

Christopher R. Fredrich

This article is for general information purposes only. It is not intended as legal advice, and you should not consider it as such.