CCPA Update: Analyzing the AG's Proposed Regulations
On October 10, 2019, the California Attorney General's office published its long-awaited proposed California Consumer Privacy Act (CCPA) regulations. What are they, and what should enterprises do to achieve compliance and avoid costly fines?
On October 10, 2019, the California Attorney General’s (AG) office published its long-awaited proposed California Consumer Privacy Act (CCPA) regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2-5. The written comment period will end on December 6, 2019, at 5:00 p.m.
The regulations are broken into the following seven articles:
- Article 1. General Provisions
- Article 2. Notices to Consumers
- Article 3. Business Practices for Handling Consumer Requests
- Article 4. Verification of Requests
- Article 5. Special Rules Regarding Minors
- Article 6. Non-Discrimination
- Article 7. Severability
Here, we examine Articles 1 through 4, which are generally applicable to all businesses subject to the CCPA. As a general point, it is worth noting that the regulations comprise 24 pages of single-spaced text. In comparison, a printed version of SB 1121 (the pre-amended version of the CCPA), totals roughly 16 pages of single-spaced text. In other words, there is a lot to unpack in the regulations, and there is no doubt that we will dig further into the requirements over the next few weeks.
Article 1. General Provisions
Article 1 does two things: it provides the scope of the regulations and defines 21 terms, some of which appear in the CCPA and others that are used for the first time in the regulations. Section 999.300(b) states that a violation of the regulations constitutes a violation of the CCPA and will be subject to the CCPA remedies. Considering the breadth of the requirements set forth in the regulations, businesses should take note of that provision.
The definitions section provides a number of useful definitions, such as “affirmative authorization,” “categories of third parties,” “financial incentive,” and “third-party identity verification service.” Of particular note, the regulations answer the long-held question of what constitutes a “household” to mean “a person or group of people occupying a singe dwelling.” Certainly not ground-breaking, but useful nonetheless.
Article 2. Notice to Consumers
As its name foretells, Article 2 provides guidance on the various notices to consumers that a business must provide. Before digging into the requirements, it is useful to note what the regulations do not do, namely, they do not provide a form privacy notice or form language for business’s to employ. This will come as a disappointment for businesses that were hoping the AG’s office would provide a format that could be readily employed to ensure compliance.
- Use plain, straightforward language and avoid technical or legal jargon;
- Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable;
- Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements and other information to consumers; and
- Be accessible to consumers with disabilities.
Notice of Collection
Notice of Right to Opt-Out of Sales
This notice must “inform consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop selling their personal information, and to refrain from doing so in the future.” Of course, the addition of the phrase “or may in the future sell” is sure to cause headaches for businesses.
The regulation also sets forth requirements for how businesses must provide the notice. Businesses are required to “post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info’ link on the website homepage or the download or landing page of a mobile application.”
Notice of Financial Incentive
This notice is intended to “explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate.” The notice will apply to customer loyalty programs and must provide a summary of the financial incentive or price difference offered, describe the material terms of the financial incentive or price of service difference, explain how the consumer can opt-out, notify consumers of their right to withdraw and explain why the financial incentive or price difference is permitted under the CCPA.
Notably, this provision does not address how the CCPA’s requirements should be read in light of California’s pre-existing online notice statutes, such as the California Online Privacy Protection Act (CalOPPA) and the Shine the Light Law. Those statutes are still good law and businesses will need to consider those requirements, as well.
It also does not address how the California privacy notice should interact, if at all, with General Data Protection Regulation (GDPR)-complaint online privacy notices or notices required by Nevada and Delaware. Presumably, reasonable minds will differ on the right approach, which could lead to variation in policies between businesses. Given that the regulation states that policies must be “easy to read and understandable to an average consumer,” businesses will need to wrestle with how to incorporate all of these disclosure requirements (and presumably more as other states enact similar laws).
Article 3. Business Practices for Handling Consumer Requests
This article covers the proper process for handing verified consumer requests, which businesses were waiting for guidance on.
Methods for Submitting Requests to Know and Requests to Delete
This part of the regulation clarifies the methods that businesses must provide for submitting verified requests. Those methods differ depending on whether the request is a request to know or request to delete. For online requests to delete, businesses are required to use a two-step process where the consumer must first submit a request to delete and then confirm that they want their information deleted.
Responding to Requests to Know and Requests to Delete
After receiving a request to know or delete, a business must respond within 10 days to confirm receipt and explain how the business will process the request, including the business’s verification process. Businesses must respond to these requests within 45 days, but can take up to an additional 45 days it they provide notice to the consumer.
In responding to requests to know, the regulations specifically prohibit businesses from disclosing “a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.” That is significant and must not be overlooked by businesses because it is not provided for in the CCPA and covers the type of data elements that are subject to the CCPA’s statutory damages for data breaches.
A business also should not “provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” Further, a business is not required to respond to requests to know if it cannot verify the consumer’s identity pursuant to the requirements of Article 4. A business that denies a consumer’s request pursuant to an exemption to the CCPA must inform the requestor and explain the basis for the denial. This provision also further specifies the exact types of information that must be relayed to the consumer.
In responding to requests to delete, a business must completely and permanently erase the personal information on its existing systems, but it does not have to do so with archived or back-up systems. This provision will be welcomed news for businesses that have struggled with the concept of having to modify back-up tapes, which, by their very nature, are supposed to remain unchanged. However, if the archived or back-up system is later accessed or used, the request must be honored. If a business denies a request to delete, it must inform the consumer, describe the basis for the denial, delete any personal information that is not subject to the exemption and not use the retained information for any reason other than the exempted purpose.
Those familiar with the CCPA will know that it defines “service provider” in relation to “third-party” and sets forth certain requirements (i.e. written contract containing specific provisions) for entities to be considered service providers. In turn, the regulations modify those requirements through two provisions:
First, the regulations provide that “to the extent that a person or entity provides services to a person or organization that is not a business, and would otherwise meet the requirements of a “service provider” under the Civil Code, that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.” That provision addresses that the CCPA’s definition of service provider is: an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information.”
Second, the regulations provide that “to the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, and would otherwise meet all other requirements of a “service provider” under the Civil Code, that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.” This may address a potential loophole in the service provider definition, which only discusses “processing” information on behalf of a business and not “collecting” information on behalf of a business. The Article identifies a few other requirements for service providers, including how they should handle requests to know or delete.
Requests to Opt-Out
Notably, in responding to a request to opt-out, “a business may present the consumer with the choice to opt-out of sales of certain categories of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices.”
A business must respond to an opt-out request no later than 15 days from the date the request is received and notify all third parties to whom it sold the consumer’s personal information in the 90-day period prior to receiving the consumer’s request. The business must tell those third parties that the consumer has exercised the right to opt-out and instruct them not to further sell the information. A request to opt-out does not need to be a verifiable request, but if a business reasonably believes that the request is fraudulent, it can deny the request.
Training and Record Keeping
Article 4. Verification of Requests
Pursuant to this article, businesses are required to establish, document and comply with a reasonable method for verifying that the person making the request is who they represent to be. The regulations identify three requirements:
- Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service.
- Avoid collecting the types of personal information identified in the Civil Code, unless necessary for the purpose of verifying the consumer.
- Consider a number of factors such as the nature of the personal information collected and maintained, the risk of harm to the consumer, the likelihood of fraud, whether the personal information used to verify the identity is susceptible to being spoofed or fabricated, the manner in which the business interacts with the consumer and available technology for verification.
Businesses also are required to implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.
While this analysis provides an overview of the AG’s proposed regulations, there is no doubt that businesses will be pondering these provisions for many weeks to come. Businesses also will need to keep in mind that these are only proposed regulations and are susceptible to change. Nonetheless, they provide much needed guidance on the CCPA’s requirements, while leaving many questions unanswered.