California Attorney General Xavier Becerra. Photo: Diego M. Radzinschi/ALM

Attorney General Xavier Becerra on Thursday unveiled draft rules for enforcing the California Consumer Privacy Act, the sweeping data protection rules that take effect next year.

The release of the 24-page regulations and accompanying documents starts the clock on a two-month public comment period that will include four hearings around the state. Final comments are due by Dec. 6.

The draft rules detail how companies must notify customers about the personal information they collect about them as well as how they must respond to and verify consumers' requests for collected data. The regulations also attempt to attach a price tag to consumer information by requiring companies that offer incentive programs to devise "a good faith method" for calculating the value of that data.

"This is plowing new ground," Becerra told reporters at a San Francisco press conference. "We're better than Captain Kirk and the Enterprise. We're going really where no one in America has gone before."

The regulations are the product of a year of work by Becerra's point person on privacy, Supervising Deputy Attorney General Stacey Schesser, longtime state privacy official Joanne McNabb and a team of consumer protection lawyers in the state Department of Justice. Schesser has been with the attorney general's office for more than nine years.

The attorney general's office was charged last year with writing compliance and enforcement rules for the Consumer Privacy Act, after the Legislature approved the measure to ward off an expensive ballot initiative fight. Lawmakers continued to tinker with the law this year as tech and business groups lobbied to restrict its reach.

The rules offer consumers broad opportunities to bar the selling of their personal information. One provision requires businesses to treat user-enabled privacy controls, including browser's "do not track" features, as valid requests to opt out of the sale of their information.

The rules also place additional record-keeping and training requirements on businesses that collect information about more than four million Californians. Those companies will have to track the number of customer record requests they receive as well as how long it took to respond to those requests, Schesser said.

An economic analysis of the proposed regulations released by the attorney general's office estimates that coming into compliance could cost businesses as much as $15 billion. The same report pegged the value of Californians' collected data at approximately $10 billion.

Critics of the new law have seized upon the potential compliance costs and what they say are vague or unworkable standards to plead with federal lawmakers for a national standard that would preempt California's law.

"This study includes troubling points for businesses that must comply with the California Consumer Privacy Act and shows the potential for a significant negative impact on the California economy," TechNet executive director for California Courtney Jensen said in a prepared statement.

With no concrete action to date in Congress, however, other states have enacted new privacy policies. A Nevada law that took effect Oct. 1, for instance, gives residents there the power to opt out of businesses' use of their personal information.

"We may be the first in the nation," Becerra said Thursday. "I guarantee you we won't be the last."

Becerra declined to comment on a new privacy initiative proposed for the 2020 ballot by Consumer Privacy Act author Alastair Mactaggart, noting that his office will have to write the ballot title and summary for the measure if it qualifies.

Although the California Consumer Privacy Act is set to take effect Jan. 1, the law will not be enforced until the attorney general finalizes rules July 1.