[co-author: Karen Shin]*

On October 10, the California Attorney General released highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA, which takes effect on January 1, 2020, provides California residents with sweeping European-style rights to control use of their personal information by businesses. The proposed regulations come shortly after the California Legislature passed several amendments to the CCPA on the last day of its legislative session. The Attorney General will hold four public hearings from December 2 through December 5 and accept written comments until December 6 as part of the rulemaking process.

The proposed regulations cover several significant areas of the CCPA, including details regarding the notice that businesses must provide to consumers at or before the point of collection, the content of privacy policies, and how businesses should handle consumer data requests, including guidance on verifying the identity of consumers who submit requests.

Among other topics, the proposed rules:

• detail the information that must be included in CCPA privacy policies, including specifying whether or not a business has sold personal information in the preceding 12 months, and require these privacy policies to be accessible to consumers with disabilities
• provide that a business is exempt from providing notice of the right of opt out if the business states in its privacy policy that it does not and will not sell personal information
• provide guidance on responding to consumer requests for disclosure of specific pieces of personal information and prohibit businesses from disclosing sensitive information such as Social Security numbers, government-issued identification numbers and account passwords in response to consumer requests
• clarify the level of verification required to validate the identity of consumers making requests corresponds to the sensitivity of the requested data and the type of request being made, and prohibit businesses from requesting sensitive information to verify consumer identities
• require businesses to maintain records of consumer requests for at least 24 months and require that businesses provide CCPA training to all individuals responsible for handling consumer inquiries
• require businesses that, alone or in combination, annually buy, receive, sell or share the personal information of more than 4 million consumers compile and publicly disclose certain metrics regarding consumer requests they have received in the prior calendar year
• provide special rules regarding the personal information of minors.

* Law Clerk in the Health Sciences Department of Pepper Hamilton.