Draft rules for businesses add enforcement detail to California’s consumer privacy law

by Steve Blum • , , ,

Gagged by privacy

California’s tough consumer privacy law technically takes effect in January, but enforcement won’t begin until next July. The California attorney general has the job of writing the detailed rules that businesses will have to follow, and then enforcing those rules.

The first draft of those new rules was posted for public review and comment. They apply to businesses with more than $25 million in “annual gross revenues”, or collects or deals in “the personal information of 50,000 or more consumers, households, or devices”, or that deal in people’s personal information for a living.

Such businesses have to let customers know what kinds of information they’re collecting, and give them an easy way to opt out of any sale of their info to third parties. The California Consumer Privacy Act was designed with online businesses in mind – the default assumption is that businesses will post notices and receive opt out orders via their websites – but it applies equally to companies that have no online presence at all, or that only interact with customers in person. The draft rules cover those situations, too.

There are separate and stricter rules about gathering information from children and teens.

Opting out is not supposed to result in higher prices for consumers, unless a discount offered in exchange for permission to sell is “reasonably related to the value of the consumer’s data”. Otherwise, discounts have to be available on a non-discriminatory basis to all customers. The draft doesn’t provide a lot of guidance as to what’s discriminatory and what’s not, but it does offer a couple of examples, such as…

A music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

Public hearings are scheduled around California to get input on the draft, and written comments can be submitted by the 6 December 2019 deadline.

California Department of Justice CCPA documents:
Proposed Text, California Consumer Privacy Act Regulations, 11 October 2019
Initial Statement Of Reasons, Proposed Adoption of California Consumer Privacy Act Regulations, 11 October 2019
Notice of Proposed Rulemaking Action, California Consumer Privacy Act, 11 Oct 2019
Economic and Fiscal Impact Statement, California Consumer Privacy Act Regulations, 14 August 2019
Standardised Regulatory Impact Assessment, California Consumer Privacy Act of 2018 Regulations, 14 August 2019