The California Attorney General (AG) Xavier Bacerra has posted Proposed Regulations to implement the California Consumer Privacy Act of 2018 (CCPA). Bacerra also has posted a Notice of Proposed Rulemaking Action (NOPA) and an Initial Statement of Reasons (ISOR).
Critics already are playing up that they can’t do business if they have to follow regulations set to protect privacy of consumers. These lobbying types are, of course, peddling risk management nonsense in the face of far too many breaches and a long slide downward of consumer confidence in data platforms.
The current round of criticism reminds me of those opposed to food safety regulations even after Upton Sinclair’s 1906 book The Jungle pointed out how rats and workers’ body parts were being ground up and shipped as sausage.
Cloud providers are like sausage factories, especially the largest ones, and for far too long have been allowed to operate without basic duties of care, deliberately avoiding innovation investment because avoiding accountability for harms. And yes, Facebook is the wurst.
Those of us actively innovating in information technology see regulations such as CCPA as welcome guard rails, which spur long overdue innovations in data platform controls and help the data platform market grow more safely.
The proposed regulations set out some clear “shall not” of consumer personal information:
(3) A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
(4) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.
(5) If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.
They also set out clear timelines for requests to delete data:
(a) Upon receiving a request to know or a request to delete, a business shall confirm receipt of the request within 10 days and provide information about how the business will process the request. The information provided shall describe the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request.
(b) Businesses shall respond to requests to know and requests to delete within 45 days. The 45-day period will begin on the day that the business receives the request, regardless of time required to verify the request.