Companies must notify California residents of their data privacy rights in plain language and must verify people's identities before releasing data, state officials proposed Thursday.
California Attorney General Xavier Becerra announced draft regulations that also spell out ways people can ask for their personal information to be deleted from company databases.
The rules are being drafted to implement a landmark state privacy law taking effect in January. The law allows California residents to learn what information companies hold on them, request deletion and opt out of the sale of their personal info.
Although only California residents can make requests, the law is expected to have broader impact on how companies manage and sell people's information online. That's because companies outside the state must comply if they meet relatively low thresholds.
"Data is today's gold," Becerra said at a press conference in San Francisco. "Everyone is rushing to mine data."
The law was born out of a desire for people to have more control over their personal information online. It's a topic that has been top of mind in recent years as high profile leaks, smarter home artificial intelligence systems and targeted advertisements show just how much companies know about their customers.
Privacy experts and researchers expect California's law to pave the way for laws from other states and possibly Congress.
California's privacy law has been a hot-button issue for lobbyists all year, often pitting tech industry interest groups against privacy rights advocates. But neither side made major traction during the year, and the bill that was finalized last month remains largely unchanged from the original version.
The attorney general's proposed rules say companies must provide at least two ways — in most cases, a toll-free number and an online form — for people to request what specific information companies hold on them. To request deletion, people must first indicate they want their information to be erased, and then confirm the decision in a two-step process.
Companies will need to verify that a person requesting data is actually that person. That can be done by matching information in the request to information the company has collected over time.
Data can be deleted by completely erasing it from company systems, by removing enough information so it can no longer be associated with a named person, or by aggregating it so it's part of large groups of data.
Companies that serve at least 4 million Californians — which will include all large tech companies and many retailers — would also need to publish an annual report noting the number of requests they get from people to either see their own information, delete it or opt-out from sale.
The rules also state that third-party data brokers, which are often the ones selling data for advertising and other purposes, need to make sure that people are properly notified their data is being collected. Those companies, which rarely interact directly with consumers, can do that either by sending out notices or making contracts with the consumer-facing companies that people use.
The proposed regulations also make it possible for people to use browser extensions that automatically opt them out of the sale of data on each site they visit.
The law's original creator, real estate investor Alastair Mactaggart, recently introduced a new ballot proposal to expand on the law. It would create a new state agency to enforce the law.
The proposed rules will now open to public comment and forums before being finalized.