California outlines ways to comply with upcoming privacy law

Companies must notify California residents of their data privacy rights in plain language and must verify people’s identities before releasing data, state officials suggested Thursday.

California Attorney General Xavier Becerra announced the development of draft rules, which also set out the ways in which people can request their personal information from company databases.

The rules are being drafted to implement the state’s landmark privacy law, which takes effect in January. The law allows California residents to find out what information companies hold on them, request its removal and refuse the sale of their personal information.

While only California residents can make requests, the law is expected to have a broader impact on how companies manage and sell people’s information online. This is because companies outside the state must comply if they meet a relatively low threshold.

“Data is today’s gold,” Becerra said at a news conference in San Francisco. “Everyone is in a hurry to get data.”

Privacy experts and researchers expect the California law to pave the way for laws from other states and possibly Congress.

California’s privacy law has been a hot-button issue for lobbyists all year, often pitting tech industry interest groups against privacy rights advocates. But neither side has gained major traction, and the bill that was finalized last month was largely unchanged from the original version.

The rules proposed by the attorney general say companies must provide at least two ways – in most cases, a toll-free number and an online form – for people to request what specific information the company holds on them. To request removal, people must first indicate that they want their information removed and then confirm the decision in a two-step process.

Companies will have to make sure that the person requesting the data is actually the person the data is about. This can be done by matching the information in the request to the information the company has collected over time.

Data can be deleted by completely removing it from a company’s systems, by removing enough information so it can no longer be associated with a named person, or by aggregating it so that it is part of large groups of data.

Companies that serve at least 4 million Californians – which includes all major technology companies and many retailers – will also have to publish an annual report noting the number of requests they receive from people to see their own information, delete information or opt out of a sale.

The proposed rules also state that third-party data brokers, who often sell data for advertising and other purposes, should make sure people are properly notified that their data is being collected. Those companies, which rarely interact directly with consumers, can do so either by sending out notifications themselves or by contracting with the consumer-facing companies that people use.

The proposed rules will also allow people to use browser extensions that automatically opt them out of the sale of their data on every site they visit.

The original creator of the law, real estate investor Alastair Mactaggart, recently submitted a new ballot proposal to expand on the law. The proposal will create a new state body to enforce the law.

The proposed rules will now be open to public comment and forums until they are finalized.
