Expect AG to Issue California Privacy Regulations in June 2019

The California Consumer Privacy Act authorizes the CA Attorney General to issue regulations for compliance with the new privacy law, and the legislature got a quick glimpse into some aspects of that process as part of the budget process last week.

The AG’s office intends to finalize the California privacy regulations pursuant to the law in June 2019, according to testimony last week before the Senate Budget Committee. The information was relayed to the legislature by the Assistant Program Budget Manager for the Department of Finance, who was discussing a legislative proposal to authorize $700,000 and five staff positions for the Attorney General’s office to work on the regulations.

The CCPA regulations will provide more specific procedures for consumers to exercise their rights under the law and additional information on how businesses can carry them out and stay in compliance with the law’s requirement. The AG is given broad authorization by the law to issue any regulations that it deems necessary, but AB-375 specifically called on it in a number of areas. These include:

1. Updating the list of categories of personal information to address changes in technology, data collection, privacy concerns and obstacles that arise in implementation of the law.

2. Updating the identifiers to be submitted by consumers to facilitate obtaining information from the business under the right to access.

3. Establish exceptions necessary to comply with state or federal law.

4. Establish rules to govern the submission of a request to opt out and business compliance with the consumer’s request, including the development of an opt-out logo or button to be used by all businesses to promoted awareness by the public.

5. Establishing rules, procedures and exceptions to ensure that the notices are easily understood by the average consumer, accessible to consumers with disabilities, and available in the language used to interact with the consumer.

6. Establish rules and guidelines for financial incentive offerings.

7. Establish rules and procedures to govern the determination that a request from a consumer is a verifiable request aand to minimize the administrative burden on consumers. This includes how to determine that an agent is authorized to receive information, how to authenticate a consumer’s identity who does not maintain an account with a business, and whether to treat a request submitted through a password-protected account as a verifiable request.

A few of the regulations are required by law to be issued within one year of the passage of AB 375. As a result, they would need to be in place by June 28, 2019. This would generally provide businesses with six months to adapt to the regulations before the effective data of January 1, 2020.

The funding for the development of the California Consumer Privacy Act regulations is contained in SB 862 and AB 1828. The bills are part of the budget package for the current fiscal year and will go into immediate effect once enacted. The bills are expected to be sent to Governor Jerry Brown by the end of August.

This will probably be the first of additional requests for funding in the enforcement process. The CaAG previously estimated that it would need 57 full time staff to enforce the privacy law and it would have to secure over $57.5 million in civil penalties to cover the cost of the staff and enforcement. As there would likely be a ramp up period in enforcement efforts, the first few years of the enforcement budget would need to be funded by the state before it could be self-funding.

SEPTEMBER 2018 UPDATE: Although the California Attorney General initially indicated that it would be done with the timetable established in the law, it later sent a letter to several members of the California legislature indicating that the deadlines were unrealistic because of a lack of funding and insufficient experience as a regulatory body (as opposed to an enforcement agency). California subsequently passed SB 1121 to amend the California Consumer Privacy Act (set forth in AB 375) and extended the amount of time for the AG to publish final regulations. Enforcement of the new privacy law will begin six months after the regulations are published, but in no event later than July 1, 2018.

Other Blog Posts on the California Consumer Privacy Act:

PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
California Adopts SB-1121 Amendments to Consumer Privacy Act
SB 1121 to Amend California Consumer Privacy Act Soon
California AG Objects to 5 Sections of CCPA Privacy Law
SB 1121 Won’t Make Substantive Changes to New California Privacy Law
SB 1121 Amendments Kickoff Debate Over California Consumer Privacy Act Changes
Will California’s Privacy Law Extend to the Rest of the Country?
Privacy Policy Changes Required by California Consumer Privacy Act
Big Day for California Privacy Law
California to Pass New Privacy Law: CA Consumer Privacy Act

Improve Data Privacy for GDPR or CCPA with Clarip

The Clarip team and enterprise privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent management software.

Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.