CCPA Updates—Draft Guidance

Dhara Shah

Senior Editor

Loyola University Chicago School of Law, JD 2020


The California Consumer Privacy Act (CCPA) has been the first step away from the sectoral approach that United States’ privacy laws have followed for many years. While it is set to take effect on January 1, 2020—only recently was the first draft guidance published. Set forth by California’s Attorney General, Xavier Becerra, it states how the CCPA will be enforced. As is standard in notice and rulemaking standard in administrative law, a public consultation period is now in effect and will remain open for comments and hearings until December 6, 2019.

CCPA 101

The CCPA has been the headline in many newspapers due to its close, but not exact, resemblance of the General Data Privacy Regulation (GDPR)—the privacy act that revamped and refocused the importance of protecting one’s online data privacy. The CCPA is set to take effect in California on January 1st, 2020 with a six month period before the law is enforced.

Key requirements of the CCPA have been noted to be: (1) businesses are required to disclose data collection and sharing practices to its consumers; (2) consumers have the right to request deletion of their data; (3) consumers have an opt-out right in the sale and/or sharing of their personal information; and (4) businesses are not permitted to sell personal information of consumers under 16 without explicit consent.

Have thoughts on the CCPA?

Interested parties are encouraged to contribute to the comment period on the CCPA—allowing for adjustment prior to its January 1st, 2020 date. It has been announced that all comments received by said deadline will be posted to the Attorney General’s website. Additionally, four public hearings are planned to allow for oral and written comments to the CCPA. Details can be found here.

New CCPA Exemptions and Exclusions

In addition to the draft regulations, 6 amendments to the CCPA have also been made.

Employee PI Exemption. Assembly Bill 25 exempts certain personal information collected on employees by businesses in human resources capacities until January 1, 2021.

Publicly Available Info. Exemption. Assembly Bill 874 serves to modify the definitions of “publicly available” and “personal information” to exclude aggregated or de-identifies consumer information—including those collected from delineated public records.

Data Brokers. Assembly Bill 1202 simply requires data brokers to register with the attorney general.

Personal Information. Assembly Bill 1355 is also an exemption, but of aggregated or de-identified consumer information from the definition of personal information.

Vehicle Info. Exemptions. Assembly Bill 1146 exempts vehicle repair information relating to warranties or recall from CCPA’s right of deletion. It also serves to create a one year exemption for B2B data and expands an exemption for compliance with the Fair Credit Reporting Act.

Consumer Request for Disclosure Methods. Assembly Bill 1564 serves to allow online-only businesses that have a direct relationship with their customers to provide a single way to submit requests for information (e.g. just an email address).

Proposed regulations

The current set of proposed regulations include areas such as notices to consumers, processing and reviewing consumer requests, verifying consumer requests, consent for minors, and non-discrimination.

Notices to Consumers. Adds (1) general principles that apply to notices sent to consumers at the time personal information is collected; (2) language of the notice in which business ordinarily does business must be available; and (3) specifics that must be included in the notice. See § 999.305-08 (notice to consumers, right to opt out, notices of financial incentive, privacy policies).

Processing and Reviewing Consumer Requests. Adds a set of rules that state how businesses should handle consumer requests. See § 999.312-18.

Verifications of Consumer Requests. Adds a set of rules surrounding how a business must verify its consumers’ identities when they submit a request under the CCPA. See § 999.323-226.

Consent for Minors. Sets various rules for minors 13 and younger as well as those between 13-16 years old. Of note, the CCPA builds upon rules in the Children’s Online Privacy Protection Act (COPPA). See § 999.330-32).

Non-Discrimination. Sets standards on how to comply with non-discriminatory provisions of the CCPA. See § 999.336-37.

With these amendments and proposed regulations in mind, businesses should be well-along the compliance process as the CCPA’s date approaches. California businesses and residents can head over to the attorney general’s website for the latest information regarding current rulemaking activities, as well as to find more information on how to submit written comments.