“Data is today’s gold. Everyone is rushing to mine data. Here in California, we are not unfamiliar with gold rushes… [in fact,][w]e are better than Captain Kirk and the Enterprise. We are going [with the CCPA regulations] to where no one has gone before! [A]nd it’s going to be a great series, maybe they will even make a movie about it.” With this lofty introduction, livestreamed on YouTube (see it at here) from a press conference in San Francisco at 10:30 a.m. on Oct. 10, California Attorney General Xavier Becerra released advance copies of the much awaited proposed implementation regulations to the California Consumer Privacy Protection Act (CCPA) and announced public hearings on the regs across the Golden State, to take place Dec. 2 through 5. The deadline for written comments is Dec. 6. There will be a second public comment period following revisions to the draft regulations of either 15 or 45 days depending on the extent of changes in response to the first public comment period. The AG’s office will not entertain private meetings, in order to further a transparent process.
The AG indicated that the time for getting to final published regulations would likely result in an enforcement delay to close to the July 1, 2020, deadline set by the legislature in AB 1121 last year. However, he warned businesses that the law goes into effect Jan. 1, 2020. When asked whether the enforcement delay is a safe harbor, AG Becerra responded with a question of his own: “If someone is murdered and it takes us six months to arrest whoever did it, does that mean that they should go free?” He then answered both questions by saying, “Look, I don’t think so. The law is the law.” This is consistent with comments he has made in the past warning companies not to rely on either the enforcement delay of the CCPA’s notice or the 30-day opportunity to cure. Regarding the cure provision of the CCPA, the AG has previously stated that he is not sure how it is possible to cure a violation of a consumer’s rights that has already happened.
The draft regulations, which number 24 pages, provide more detail on what notices are required to be given to consumers and how notice is delivered (Article 20); how to handle consumer rights requests (Article 3); requirements for verification of consumers making requests (Article 4); special rules for minors (Article 5); and standards for applying the CCPA’s nondiscrimination mandate (Article 6). Also of interest to covered businesses, the Office of the AG issued 47 pages of guidance and explanation titled “Initial Statement of Reasons.” Researchers and trade groups will find the accompanying 48-page economic impact report of interest.
And while we’re on the topic of Star Trek quotes, I leave you with some of my favorites:
- “Highly illogical.” – Spock
- “Make it so.” – Capt. Picard
- “Nuclear wessels.” – Mr. Chekov
- “Resistance is futile.” – Robotic alien in Star Trek TNG “Best of Both Worlds” episode 1
- “Change is the essential process of all existence.” – Spock
And I’ll leave you with this: “There is a way out of every box, a solution to every puzzle; it’s just a matter of finding it.” – Capt. Jean-Luc Picard
The U.S. Consumer Privacy Compliance Team at BakerHostetler can help you address your CCPA quandaries and come to see that “things are only impossible until they’re not.” (Capt. Jean-Luc Picard). Venture forward, and “live long and prosper!”
The draft regulations and related filings, which will be officially filed Oct. 11, 2019, are here:
Notice of Proposed Rulemaking Action (NOPA), pdf
Text of Proposed Regulations, pdf
Initial Statement of Reasons (ISOR), includes Appendices A, B, pdf
STD 399 – Economic and Fiscal Impact Statement, pdf
STD 400 (Part A), pdf
See also https://oag.ca.gov/privacy/ccpa for more information on the CCPA rulemaking process and how to participate and receive alerts.
If you would like more information on the proposed rules, what they mean and how to file comments, contact the author at firstname.lastname@example.org.