Rachel R. Marmor and Emily Bruemmer of Davis Wright Tremaine note that California Attorney General Xavier Becerra filed the final proposed regulation for administrative review of the California Consumer Privacy Act (CCPA) on Monday. I’ve pulled out some of their post about new compliance requirements for entities:
Regulations Add New Compliance Tasks
Spanning 29 pages, the regulations contained within the submission include several hundred unique sub-requirements. Even where covered businesses have taken substantial steps to comply with the statutory text of the CCPA, the regulations will likely require additional actions. For instance, the regulations require that organizations:
- Post their privacy notices in accessible format – This may be particularly complicated for ecommerce businesses that may not previously have taken steps to comply with Web Accessibility Guidelines due to the lack of clarity over whether an organization without a brick-and-mortar store is a “public accommodation.”
- Consider how to respond to “Do Not Track” Signals – Organizations must honor “user-enabled global privacy controls,” such as browser plugins or privacy settings, as requests to opt out of the sale of personal information. This likely includes the “Do Not Track” settings on browsers or devices—which many organizations currently do not honor due to the lack of standards around implementation.
- Offer a global opt-out option – Organizations must offer consumers the opportunity to take a single action to opt out of all sales of their personal information by the company. Offering granular options is permitted, but the global option must be more prominently presented than the other choices.
Read more on Privacy & Security Law Blog.
Related: See also DLA Piper’s post on Privacy Matters and SheppardMullin’s post.