Electronic Discovery & Information Governance - Tip Of The Month: Proposed CCPA Regulations

Author:Ms Kendall C. Burman
Profession:Mayer Brown


A retailer sells its products both at a physical store in San Francisco and via its website. The retailer is in the process of updating its privacy and data retention policies. The retailer's general counsel wants to make sure that preservation of data for litigation purposes is incorporated into these policies.

California Consumer Privacy Act of 2018 and Its Proposed Regulations

California Attorney General Xavier Becerra recently released proposed regulations for the California Consumer Privacy Act of 2018 ("CCPA"), which expand on and provide further details on the rights and obligations created by the CCPA. The CCPA requires the attorney general to adopt regulations to further the CCPA's purposes and provide guidance to businesses on how to comply. In a recent press conference, Attorney General Becerra described the regulations as reflecting the most recent amendments1 and the feedback received from the public over the past year.

The proposed regulations address how businesses can comply with various aspects of the CCPA, including 1) notifying consumers of their rights under the CCPA, 2) handling consumer requests regarding personal information, 3) verifying consumer requests, 4) protecting personal information of minors under 16 years of age and 5) adhering to the specifics regarding the anti-discrimination provisions. A violation of these regulations will constitute a violation of the CCPA and may be subject to the remedies provided therein.

Included in the regulations are the following topics of note:

Expanded Disclosure Obligations. Importantly, the regulations generally increase disclosure obligations on covered businesses. For instance, businesses that substantially interact with consumers offline must notify them of their right to opt out of the sale of personal information by offline methods. Businesses must disclose to consumers a good-faith estimate of, and the method to calculate, "the value of the consumer's data" in the event businesses wish to provide a financial incentive or price or service difference in exchange for the retention or sale of personal information. The regulations provide eight different methods businesses can use to estimate "the value of the consumer's data," including the revenue or profit to the business generated from the data's sale.

Additional Privacy Policy Requirements. The regulations require that covered businesses address additional topics within their privacy policies, including 1)...

To continue reading