California AG Releases Proposed CCPA Implementing Regulations

Troutman Pepper

Pepper Hamilton LLP

[co-author: Karen Shin]*

On October 10, the California Attorney General released highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA, which takes effect on January 1, 2020, provides California residents with sweeping European-style rights to control use of their personal information by businesses. The proposed regulations come shortly after the California Legislature passed several amendments to the CCPA on the last day of its legislative session. The Attorney General will hold four public hearings from December 2 through December 5 and accept written comments until December 6 as part of the rulemaking process.

The proposed regulations cover several significant areas of the CCPA, including details regarding the notice that businesses must provide to consumers at or before the point of collection, the content of privacy policies, and how businesses should handle consumer data requests, including guidance on verifying the identity of consumers who submit requests.

Among other topics, the proposed rules:

  • detail the information that must be included in CCPA privacy policies, including specifying whether or not a business has sold personal information in the preceding 12 months, and require these privacy policies to be accessible to consumers with disabilities
  • provide that a business is exempt from providing notice of the right to opt out if the business states in its privacy policy that it does not and will not sell personal information
  • provide guidance on responding to consumer requests for disclosure of specific pieces of personal information and prohibit businesses from disclosing sensitive information such as Social Security numbers, government-issued identification numbers and account passwords in response to consumer requests
  • clarify that the level of verification required to validate the identity of consumers making requests corresponds to the sensitivity of the requested data and the type of request being made, and prohibit businesses from requesting sensitive information to verify consumer identities
  • require businesses to maintain records of consumer requests for at least 24 months and require that businesses provide CCPA training to all individuals responsible for handling consumer inquiries
  • require businesses that, alone or in combination, annually buy, receive, sell or share the personal information of more than 4 million consumers to compile and publicly disclose certain metrics regarding consumer requests they have received in the prior calendar year
  • provide special rules regarding the personal information of minors.


* Law Clerk in the Health Sciences Department of Pepper Hamilton.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
