October 18, 2019
Recently, we blogged concerning the California State Attorney General’s release of draft California Consumer Privacy Act (“CCPA”) regulations and the associated request for public comment. In that blog, we highlighted that new obligations had been added that were not included in the CCPA itself. Today, we discuss one such new provision – Section 999.317(g) of the proposed CCPA regulations, which creates new record-keeping and disclosure obligations for every business that “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers.”
What are the new disclosure and record-keeping requirements contained in Section 999.317(g)?
- The number of requests to know, the number of requests to delete, and the number of requests to opt-out that the business received, complied with (in whole or in part), and denied; and
- The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
Additionally, a business that achieves the 4 million threshold is required to establish, document, and comply with a training policy that will ensure that all individuals responsible for handling consumer requests and compliance with the CCPA are informed of all the requirements contained in the CCPA itself and the Attorney General implementing regulations.
The Intent of this CCPA Regulation
Each business that annually buys, collects, sells or shares the personal information of more than 4 million California State residents is handling the personal information of approximately 10% of California State’s population. The Attorney General reasons that a business operating at this size should have the ability to adequately respond to the significant volume of consumer requests that it will receive. The first step in complying with this new and seemingly onerous regulation is for every business to ascertain the volume of California State resident personal information that it is handling on an annual basis. Regardless of whether a company meets the 4 Million California consumer threshold or not, revising business privacy policies (among many other necessary measures) in advance of the statute’s January 1, 2020 effective date will be a significant undertaking for all companies that fall within the CCPA definition of “Business.”
We will continue to provide ongoing CCPA coverage in this blog. In the interim, if you are interested in learning more about this topic or require assistance in connection with consumer data privacy compliance for your business, please e-mail us firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Similar Blog Posts: