News & Resources

Publications & Media

First Glimpse at Proposed Regulations Under the California Consumer Privacy Act of 2018

Data Privacy & Security Alert Heather L. Buchta, Linda Emery

Last Thursday, the California Attorney General finally released the first draft of the proposed regulations under the California Consumer Privacy Act of 2018 (“CCPA”). Although not final, they provide some insight into the future of the CCPA, while we grapple with the latest amendments to the statute signed by the California Governor last Friday, further amending the statute before its January 1, 2020 effective date. In addition, the law’s sponsor has announced yet another new ballot initiative for the 2020 election, currently dubbed the California Privacy Rights and Enforcement Act of 2020.

For this round of regulations, the Office of Attorney General is scheduled to hold several meetings in early December for feedback. At first glance, the regulations do not appear to provide the clarifications on the statute that many were hoping for, but they do have some helpful nuggets of guidance. The regulations focus on six areas: (1) requirements for consumer notices, (2) practices for handling consumer requests for access, deletion, and opt-outs for sales of information, (3) verification rules for access and deletion requests, (4) training and record keeping, and (5) additional rules for minors, as well as some bit of clarification on (6) service providers.

Several things of note, based on these proposals:

  1. The privacy policy required under these regulations must describe the company’s practices both online and offline. This seems to be the first indication that privacy notices have moved from an online world into all consumer interactions with a company.
  2. These regulations require all notices to be accessible by those with a disability. With the rise of American with Disabilities Act claims for websites, this is perhaps not a surprise, but this seems to be the first time regulations in the privacy policy context have expressly pulled website accessibility factors into consideration.
  3. User enabled privacy controls on devices that signal a choice to opt-out of sale of data are considered valid requests to opt-out. This would seem to bring technology, such as the long disputed “do not track” signals, back into play for industry consideration.

It is contemplated that these proposals will spark a lot of discussion and continued debate to lead us into the New Year. Final comments on the proposals are due into the Attorney General by December 6.

Please join us on November 7 for our monthly Business Law Training luncheon and webinar, where we will discuss new developments and best practices of the CCPA and its current state in more detail. Click here to register.

For more information about the CCPA regulations or its implementation at your business, please contact your local Quarles & Brady attorney or: