California outlines ways to comply with upcoming privacy law

Companies must notify California residents of their data privacy rights in plain language and must verify people’s identities before releasing data, state officials proposed Thursday.

California Atty. Gen. Xavier Becerra announced draft regulations that also spell out ways people can ask for their personal information to be deleted from company databases.

The rules are being drafted to implement a landmark state privacy law that takes effect in January. The law allows California residents to learn what information companies hold on them, request deletion and opt out of the sale of their personal information.


Although only California residents can make requests, the law is expected to have a broader effect on how companies manage and sell people’s information online. That’s because companies outside the state must comply if they meet relatively low thresholds.

“Data is today’s gold,” Becerra said at a news conference in San Francisco. “Everyone is rushing to mine data.”

The law was born out of a desire for people to have more control over their personal information online. It’s a topic that has been top of mind in recent years as high-profile leaks, smarter home artificial intelligence systems and targeted advertisements show just how much companies know about their users and customers.

Privacy experts and researchers expect California’s law to pave the way for laws from other states and possibly Congress.

California’s privacy law has been a hot-button issue for lobbyists all year, often pitting tech-industry interest groups against privacy rights advocates. But neither side got major traction, and the bill that was finalized last month was largely unchanged from the original version.

The attorney general’s proposed rules say companies must provide at least two ways — in most cases, a toll-free number and an online form — for people to request what specific information the company holds on them. To request deletion, people must first indicate they want their information to be erased, and then confirm the decision in a two-step process.


Companies will need to verify that a person requesting data is actually that person. That can be done by matching information in the request to information the company has collected over time.

Data can be deleted by completely erasing it from company systems, by removing enough information so it can no longer be associated with a named person, or by aggregating it so it’s part of large groups of data.

Companies that serve at least 4 million Californians — which includes all large tech companies and many retailers — would also need to publish an annual report noting the number of requests they get from people to see their own information, delete the information or opt out from sale.

The proposed rules also state that third-party data brokers, which are often the ones selling data for advertising and other purposes, need to make sure people are properly notified that their data is being collected. Those companies, which rarely interact directly with consumers, can do that either by sending out notices or by making contracts with the consumer-facing companies that people use.

The proposed regulations would also make it possible for people to use browser extensions that automatically opt them out of the sale of data on each site they visit.

The law’s original creator, real estate investor Alastair Mactaggart, recently introduced a new ballot proposal to expand on the law. It would create a new state agency to enforce the law.

The proposed rules will now be open to public comment and forums before being finalized.