Companies will need to verify that a person
requesting data is actually that person. That
can be done by matching information in
the request to information the company has
collected over time.
Data can be deleted by completely erasing it
from company systems, by removing enough
information so it can no longer be associated
with a named person, or by aggregating it so it’s
part of large groups of data.
Companies that serve at least 4 million
Californians — which will include all large tech
companies and many retailers — would also
need to publish an annual report noting the
number of requests they get from people to
either see their own information, delete it or
opt-out from sale.
The rules also state that third-party data brokers,
which are often the ones selling data for
advertising and other purposes, need to make
sure that people are properly notified their data
is being collected. Those companies, which
rarely interact directly with consumers, can do
that either by sending out notices or making
contracts with the consumer-facing companies
that people use.
The proposed regulations also make it possible
for people to use browser extensions that
automatically opt them out of the sale of data
on each site they visit.
The law’s original creator, real estate investor
Alastair Mactaggart, recently introduced a new
ballot proposal to expand on the law. It would
create a new state agency to enforce the law.
The proposed rules will now open to public
comment and forums before being finalized.