Last Thursday, Xavier Becerra, the Attorney General of the State of California, held a press conference to announce the release of the first draft of the regulations to govern business conduct under the CCPA. The press conference was light on details, so privacy lawyers everywhere spent the end of last week poring over the 24 pages of regulations. The regulations are subject to a 45-day comment period, so they could change substantially. There are some quirks – 99.305(1) and (2) discuss the “notice” that is required to be provided to consumers at the time of data collection, while “explicit consent” seems to be required only if the data will be used for some purpose not disclosed in the initial notice. There is no requirement to demonstrate informed consent as there is under the GDPR, but the rules state that the notice must be visible or accessible where consumers “will see it,” and not merely where they will have the opportunity to see it. We do have some guidance as to what B2B companies that never deal with consumers are supposed to do – either contact the consumer directly for consent or get attestation from the source of the data that they provided a notice, but it is not at all clear what the original notice from the source to consumers is supposed to say about third-party and downstream sales of data. And most tantalizingly, we are still waiting for directions on what that “DO NOT SELL” button is supposed to look like. (We’ve talked about this button before.)
The regulations do offer guidance on consumer identification verification (in other words, knowing that the consumer who is asking for access to the collected information is actually the consumer who is the subject of that information), and some ideas as to how a company is supposed to value a consumer’s data for purposes of determining whether a financial incentive is discriminatory or not.
We will certainly go into more detail when the rules are finalized, and hopefully more questions will be answered then, especially around the relationship between B2C collectors of data and downstream buyers and sellers.
In the meantime, with what we know right now, if you have compliance questions on this new privacy law, I am here to help.