November 12, 2019

CCPA Draft Regulations: 5 Key Takeaways Businesses Need to Know

California'a Attorney General finally released the CCPA's enforcement draft regulations on October 10, 2019.

California's Attorney General finally released the CCPA's enforcement draft regulations on October 10, 2019. The five key areas these regulations focused on include;

  • Notices to consumers
  • Consumer requests
  • Verification requirements
  • Special rules concerning minors
  • Non-Discrimination

In the period leading up to their release, most businesses had expressed optimism that the Attorney General’s draft regulations would provide more clarity concerning crucial elements of the CCPA.

However, these regulations do not provide the desired clarifications. Instead, they layer on new obligations and create further ambiguities.

This article will explore the critical areas addressed by the CCPA draft regulations that businesses need to be aware of.

Notices to Consumers

The CCPA draft regulations cover four kinds of notices to users;

  • Notice at the point of collection
  • Notices of the right to opt-out of the sale of personal data
  • Notice of monetary incentives
  • A privacy policy

All the necessary notices should be;

  • Easy to read in plain, simple language
  • In a format that captures the reader’s attention
  • Accessible to persons with disabilities
  • Available in all languages in which the company regularly conducts business

According to the draft guidelines, updating your privacy policy to be compliant with CCPA is necessary. However, it is not enough. You must give a notice to consumers at the time you collect their data, which must be visible and accessible before any personal information is gathered.

The regulations also clarify that no personal data may be gathered without the appropriate notice. While you may utilize your privacy policy as the notice at the time of collection, you must to link to a particular section of your privacy policy that offers the legally required notice.

For offline collection, the CCPA draft regulations state that a business can provide a paper version of the notice or post prominent signage. Similar to the General Data Protection Regulation (GDPR), an enterprise may only use personal data for the reasons outlined at the time of collection. If not, the company must receive explicit consent to utilize the personal information for a new purpose.

Apart from the privacy policy obligations in the law itself, the regulations call for additional privacy policy disclosures. For instance, the company must provide guidelines on how to authenticate a consumer request and how to exercise user privileges through an agent. Moreover, for every type of personal data gathered, the privacy policy must identify;

  • The sources of data
  • How the data is utilized
  • The categories of third parties to whom information is disclosed

For companies that amass personal data of four million or more consumers, the regulations call for other disclosures connected to the number of customer requests and average response periods.

The CCPA draft regulations also state that if a company gives monetary incentives to users for permitting the sale of their data, it must provide a notice of the financial inducement. The notice must comprise;

  • A description of the incentive
  • The material terms of the inducement
  • Instructions on how to opt-in to the incentive
  • How to withdraw from the incentive
  • An explanation of why the CCPA authorizes the inducement

Lastly, the regulations posit that service providers who collect personal information on behalf of an enterprise are not allowed to process this information for their use. Instead, they are restricted to executing their obligations under the agreement between the company and the service provider.

The agreement between the entities must consist of the provisions outlined by the CCPA to guarantee that the engagement is a service provider-corporate relationship, instead of a sale of personal data between a company and a third-party.

Consumer Requests

The CCPA draft regulations state that companies must avail a minimum of two ways for consumers to submit requests. The standard methods, in this case, are a toll-free number and an online form. Additionally, one of the methods must mirror how the company usually interacts with its consumers.

For businesses that engage with consumers offline, the regulations require them to provide an offline technique for them to exercise their right to opt-out, such as issuing a paper form. For this reason, in-person retailers may require three ways;

  • A paper form
  • An online form
  • A toll-free number

The regulations do restrict some consumer request rights by ruling out the revelation of Social Security Numbers, Driver's license numbers, financial account numbers, medical-related identification numbers, passwords, as well as security questions and answers. Presumptively, this aspect may be informed by two core factors;

  • The individual in question should already be aware of this information
  • A significant proportion of these kinds of data are subject to exemptions from CCPA

A vital interpretation connected to the requests is that the 45-day period for answering consumer requests comprises any time needed to authenticate the request. Furthermore, the regulations introduce a new timeline obligation for user requests. Specifically, businesses must approve receipt of a request within ten days.

Another new obligation is that companies must answer address opt-out requests within 15 days and must alert all third parties to desist from selling the customer's information within 90 days. Additionally, the regulations obligate enterprises to store request records for two years.

Verification Requirements

The regulations state that a strict verification process should be applicable to more sensitive data. What this point implies is that businesses should not disclose sensitive data without being sure of the identity of the individual requesting the information.

The regulations also provide that companies should desist from collecting additional personal information during the verification process. Instead, they should rely on validating the information in their possession already.

Authentication can be performed through a password-protected account so long as the users re-verify themselves. For web platforms that give users accounts, requests must be made through that account. Pairing data points provided by the user with data points maintained by the business constitutes verification to a reasonable degree of certainty, whereas matching three data points constitutes a high degree of certainty.

Apart from the verification requirements, the regulations also offer guidelines on the measures to take in case the identity cannot be ratified. For instance, if a company cannot validate the identity of a person making an access request, it may proceed as if the user asked for disclosure of only the categories of personal information instead of the content of this kind of personal data. Similarly, if a company cannot authenticate the request for deletion, it should handle the request as one to opt-out of the sale of personal information.

Special Rules Concerning Minors

The draft rules introduce an additional obligation that overrides the US Children’s Online Privacy Protect Act to ‘establish, document, and comply with a reasonable’ approach to authenticate that the individual the sale of a data of a child below 13 years old is the parent or guardian.

For children aged between 13 and 15 years old. Companies will be obliged to receive consent through a two-step procedure in which the consumer must seek to opt-in and then confirm that decision. After being allowed by a parent or guardian, or from a minor within this age bracket, companies will be expected to alert the parent of their right to opt-out and the relevant procedure to do so.

Companies that ‘exclusively’ focus offers directly to consumers under age 16 and do not sell personal information of those minors without affirmative authorization would not need to provide a notice of the opt-out privilege.


The draft regulations offer a broad definition of discriminatory practices as those that treat customers differently because they exercised a privilege under the CCPA or its statutes. Nonetheless, enterprises are allowed to offer a different price or service if it is 'directly related' to the value offered to the company by the client's information.

In this context, the draft rules would require businesses to provide notice of each financial inducement, price, or service difference subject to CCPA requirements that the company may give subject to similar conditions for privacy notices.

Most importantly, they would need explanations not mentioned in the statutes comprising an explanation of why the monetary incentive or price difference is allowed and an honest estimate of the value of the consumer’s data, as well as the methodology employed in coming up with this value.

In conclusion, these draft rules add both ambiguities and clarity in equal measure to what is needed for CCPA compliance. As we edge closer to January 1, 2020, businesses should step up their preparations for compliant disclosures and notices as well as finalize their privacy policies and procedures to handle consumer requests.

Use our detailed step-by-step guide to find out how your business can become CCPA compliant, and avoid CCPA compliance penalties. For a personalized demo of our solution tailored to your unique business needs, schedule a call today.