- California state attorney general Xavier Becerra outlined for the first time what companies will have to do to comply with the state's landmark privacy law, the California Consumer Protection Act (CCPA).
- The law will go into effect Jan. 1, 2020.
- The draft regulations instruction companies on how quickly they should respond to customer requests about their data and how they should verify customers requesting to see or delete their data.
California Attorney General Xavier Becerra outlined for the first time Thursday how businesses will need to comply with the state's new landmark privacy law.
The legislation, which will impact tech giants like Facebook and Google all the way down to some small businesses, will go into effect on Jan. 1, 2020. An economic impact assessment prepared for the AG's office found the law could cost companies a total of up to $55 billion in initial compliance costs. With Thursday's announcement, businesses now have a guideline for what they have to do to become complaint, pending any revisions after a public comment period that closes Dec. 6 at 5 p.m. Pacific Time. According to the law, the attorney general's office can begin enforcement six months after the final regulations are in place, or by July 1, 2020 the latest.
"Until now, no one has attempted to do anything like this," Becerra said at a press conference announcing the draft regulations. "But we are at a crossroads. Americans should not have to give up their digital privacy to live and thrive in this digital age."
The draft rules guide businesses on several key areas of the law. The rules explain how businesses should notify consumers of their rights under CCPA, how they should handle consumer requests about data, including from minors, and verify those requests. It also advises on how to avoid discriminating against customers who don't agree to allow their data to be collected or sold.
Under the draft regulations, businesses must confirm they received a request to know or delete their data within 10 days of receiving the request and inform the customer of how they will handle it. The business must respond to the request within 45 days, unless it provides a reason to the customer for taking an additional 45 days.
Businesses are instructed not to disclose personal information about the customer making a request if they cannot verify their identity. The regulations mandate businesses consider how sensitive the information could be and how much harm it could cause in the wrong hands when verifying a customer's identity. Businesses should not disclose certain types of information, like a consumer's Social Security number or bank account information, the rules say, even if requested.
When customers request their data be deleted, the option to delete all information must be "more prominently presented" than options to delete only part of the data. When they choose to opt-out of the sale of their personal information, businesses have up to 15 days to act and up to 90 days to notify third parties to whom it's sold the user's info and notify the customer when it's completed.
The rules present a number of ways companies could verify parental consent of a child under 13. These include having a parent or guardian call a trained person to provide consent or checking the parent or guardian's ID.
Finally, the rules describe how businesses should avoid discriminating against customers who exercise their rights under CCPA. Businesses may not provide different prices or financial incentives to customers based on their choice to opt out of data collection or delete their data, unless the price difference "is reasonably related to the value of the consumer's data." The rules also explain how a business can value its customer data, such as by determining the profit created by the business from collecting or selling customers' data.
The law will apply to a large swath of businesses that deal with customer data, though the compliance costs are expected to vary depending on the size of the companies. Companies making over $25 million in gross annual revenue will have to comply with the law and researchers who compiled the economic impact assessment estimated as many as 75% of California businesses earnings less than $25 million in revenue would be impacted. The law will also apply to businesses in the state that derive at least half of their annual revenue from selling customers' personal information; or that buy, sell or share personal information from at least 50,000 consumers, households or devices.
Federal lawmakers are looking to the fate of the CCPA as a guide as they consider a national privacy law. Researchers noted that California businesses could benefit from having a head start on compliance should a national law go into effect. So far, however, a national bill does not seem imminent.
Tech companies would likely prefer a national standard over state laws to lower the burden of complying with different restrictions. Facebook CEO Mark Zuckerberg visited Washington, D.C. last month to discuss national regulation with lawmakers. But for a state as big as California, many privacy and legal experts believe the CCPA could effectively become a broader standard for companies dealing with data. When Europe instituted its General Data Protection Regulation in 2018, many businesses made changes beyond the geographies subject to the regulation.
-CNBC's Ylan Mui contributed to this report.