By way of background, section 999.308 of the final regulations prescribes the information businesses must provide in their privacy policies. Among other things, section 999.308 requires businesses to:
- Explain that a consumer has the right to (1) request that the business disclose what personal information it collects, uses, discloses, and sells; (2) delete that information; (3) opt-out of the sale of personal information; and (4) not be discriminated against for exercising those rights;
- Provide instructions for submitting verifiable requests to know and delete;
- Describe in general the process the business will use to verify consumer requests;
- Identify the categories of personal information the business has collected about consumers in the preceding 12 months, the categories of sources from which the personal information was collected, and the business or commercial purposes for collecting or selling personal information; and
- Identify the categories of personal information, if any, that the business has disclosed for a business purpose or sold to third parties in the preceding 12 months and, for each category, identify the categories of third parties to whom the information was disclosed or sold.
The office was presented with a host of comments, criticisms, and suggestions regarding that regulation.
To facilitate the drafting process, many commentators requested that the Attorney General’s office provide model notices. The office rejected that request, stating that “[f]urther analysis is required to determine whether to provide models, sample language, and/or templates in the future.” See Appendix A, Responses #917 & #269.
The Attorney General also refused to state whether businesses could use existing notices, such as those required by the Gramm-Leach-Bliley Act (GLBA), to comply with the CCPA’s requirements. The office stated that “[g]iven the wide variety of different industries subject to both the CCPA’s notice requirements and additional notice requirements under other laws, there are many different ways in which businesses may comply with the laws.” However, “[n]either the CCPA nor the regulations proscribe that [the] CCPA notice must be separate, as long as the CCPA notice complies with the CCPA and its regulations.” See Appendix A, Response #269; see also Appendix A, Response #268 (stating, in response to comment that “[b]usinesses should be permitted to use and appropriately modify existing formats, such as under GLBA,” that the “comment’s proposed change is not more effective in carrying out the purpose and intent of the CCPA because it is not necessary for the OAG to state whether a business may use and appropriately modify existing formats.”).
The office also rejected many commentators’ request to “harmonize and align the CCPA’s requirements with existing privacy laws” such as the California Online Privacy Protection Act (CalOPPA), the European Union’s General Data Protection Regulation (GDPR), and the Children’s Online Privacy Protection Act (COPPA). The office observed that the CCPA and GDPR “differ in several important respects” and that it had “made every effort to utilize existing privacy frameworks in the regulations, where appropriate.” See Appendix A, Response #856.