
As of January 1, 2020, the California Consumer Privacy Act (CCPA) is in effect. As we explained here, the CCPA imposes requirements on merchants and payment processors to protect the personal information of California residents.
Enforcement of the law does not begin until July 1, 2020, which is good because the regulations interpreting the law have not even been finalized yet. The draft regulations, published this past October by California’s Attorney General, propose rules relating to consumer disclosures, processing consumer requests, and other implementation details. Final rules will be issued before the July 1, 2020 enforcement date.
Among other requirements, the major proposals in the draft regulations include the following:
- Notices must be designed and presented in a way that is easy to read and understandable to an average consumer and visible before any personal information is collected. These notices must be made available in the languages in which the business normally communicates with consumers and must be accessible to consumers with disabilities.
- Privacy policies must: (i) provide notice of the right to opt out and the right to request disclosure or deletion of personal information; (ii) provide instructions for how to submit such opt-out and deletion requests; and (iii) describe the process that the business will use to verify any such request, including specifying any particular information that the consumer must provide as part of the request. The links to the privacy policy must be conspicuous and must contain the word “Privacy.”
- Businesses must provide two or more dedicated methods for submitting requests. At a minimum, a company that employs phone numbers and/or websites for its business operations must make these available as valid contact methods (and the phone number must be toll-free). Opt-out forms accessible via website must be provided using a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” Other acceptable methods for receiving consumer requests include mail, email, and in-person submissions.
- If a business offers a financial incentive or a price or service difference in exchange for personal information, it must provide a notice to the consumer in plain, straightforward language that includes, among other information, an explanation of why the incentive or price/service difference is permissible under the CCPA. As part of this explanation, the business must include a good-faith estimate of the value of the consumer’s data and a description of the method used to calculate the value of such data. The proposed rule lists a number of permissible calculation methods, one or more of which must be used in determining the data’s value.
In addition, California has announced plans to roll out a standardized logo or button that can be included on a website in addition to (but not in lieu of) posting the required opt-out notice, but the final design has not yet been made publicly available.
The next six months are a critical time for getting ready for CCPA compliance. Don’t be caught unprepared by the time July 1, 2020 rolls around.