California AG Unveils Draft Guidelines For Businesses To Comply With New Data Privacy Law

California has unveiled its long awaited draft rules for enforcing the state’s sweeping—and impending—data privacy laws that will soon govern how companies collect and use consumer data.

Recalling the Wild West’s gold rush of the 1800s, California Attorney General Xavier Becerra on Thursday announced the proposed regulations for the California Consumer Privacy Act, which goes into effect in January 2020 after being passed last year. And while the gold-mining metaphor itself isn’t entirely new—the era of Big Data has been compared to the “new oil” for while—it does paint a picture: The state is looking at companies that profit from data-driven advertising and marketing.

“Data is today’s gold,” Becerra said in his opening remarks at a press conference. “Everyone is rushing to mine data, and California, as you know, is not unfamiliar with gold rushes. But there’s a big difference between 170 years ago when gold was being stripped from the land to today when data is being stripped from you and your privacy. There’s a rush to mine, use and sell our personal information. And that’s why we’re here today.”

CCPA will require businesses to disclose data collection and sharing practices with consumers while also providing ways for consumers to have their data deleted or for them to receive a report about what a company knows about them or what it’s shared with others. The law also has an opt-out component that will require companies to allow consumers to decline sharing personal information with a company altogether.

The draft rules focus on five key areas for clarifying the law. For example, it details how businesses will have to notify consumers of their rights under the law before collecting data while also addressing how they will handle requests for information about the data that’s collected. The rules also clarify how businesses will verify a consumer’s identity before providing information after a request and how to avoid discriminating against consumers who choose not to have their data stored or sold.

The proposal now enters a 45-day period for stakeholders to submit commentary for consideration, which will culminate with a series of public hearings in several cities in early December.

State lawmakers recently finished revising the law through a number of amendments to CCPA, which originally passed in less than a week in order to preempt a state referendum. Meanwhile, advertising and technology trade groups have been pushing for federal data privacy law that would replace the potentially fragmented landscape of state-by-state regulations.

“There is much on the line during this rule-making process. IAB’s member companies are desperate for guidance as they work to comply with CCPA ahead of January 1, 2020,” Dave Grimaldi, executive VP for public policy at Interactive Advertising Bureau, said in a statement. “ IAB is currently evaluating the proposed regulations and will provide detailed feedback to the Office of the Attorney General. However, we have initial concerns that further remedy of some of the unintended consequences of CCPA is still needed to help businesses meet their obligations and to empower Californians with more control over their information.”

According to an economic impact report conducted by California’s state finance department, between 15,000 and 400,000 businesses will likely be affected. And while the law is in some ways a response to the controversial data-collection practices used by the largest tech giants such as Google and Facebook, the state estimates that up to 50% of companies affected by the law will be small businesses. The report also estimated that 261 jobs will be created as a result, while nearly 10,000 could be eliminated mostly due to “job shuffling.” The economic impact of CCPA could be large, too. California’s finance department estimates the total cost to businesses could range from $467 million to $16.45 billion.

In an interview last month, Dan Jaffe, group executive VP for government relations at the Association of National Advertisers, told Forbes that an October unveiling of a law that goes into effect in January was “creating a great deal of concern” for businesses scrambling to comply with the law.

“Frankly, to not have more data as to how things are operating, it’s clearly premature and in my view reckless to go ahead until you get at least some sense of what’s going on here,” he said.

Becerra said the regulations aren’t meant to be “gotcha activities,” but instead are meant to help businesses understand consumers privacy rights. He added that “ignorance is not an excuse.”

“This is now the meat on the bones,” Becerra said. “I think it’s a pretty good road map. We tried to make it user-friendly.”

Gary Kibel, a partner at the New York-based law firm Davis & Gilbert who advises tech companies on data privacy issues, says the application of the new law might not be understood until the state takes its first enforcement actions against businesses that don’t comply.

“Industry has been anxiously awaiting the release of these draft regulations since the text of the CCPA raised many unanswered questions,” he says. “While this release is helpful, it’s not the end of the process.”

Send me a secure tip.