On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA). The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.” The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law. In addition to the draft rules, the AG’s office also published a “CCPA Fact Sheet” and the “Initial Statement of Reasons,” which also provide insights as to the regulatory focus and enforcement priorities. According to the AG’s office, the draft rules summarized below, are needed to “[mitigate] the asymmetry of knowledge and power between individuals and businesses.” Businesses “must comply to the greatest extent it can” to give consumers greater control over their personal information: to vest consumers with the right to know details about how their personal information is collected, used, and shared by businesses; the right to take control of their information by having businesses delete it and stop selling it; and the right to exercise these privacy rights without suffering discrimination in price or service.
The rules are not final. The Attorney General will hold public hearings in four California cities during the first week of December to hear comments. Written comments will be accepted by the Attorney General until 5 PM (Pacific time) on December 6, 2019.
Below is a summary of the proposed regulations that may have the most impact for organizations who are seeking to operationalize the CCPA requirements in time for the January 1 deadline.
Article 1: Definitions
In addition to the definitions already set forth by CCPA, the proposed regulations define additional terms that will be important in interpreting the CCPA and how the California Attorney General will enforce the CCPA’s provisions. For example, “Household” is defined as “a person or group of people occupying a single dwelling” (999.301(h)). Article 3 provides rules on how requests to access or delete household information should be treated. We have received many questions from our clients on how to handle requests relating to the household. The rules answer some of these questions but they also add a new logistical step regarding how the businesses must design the web form to receive, verify and process requests relating to household data.
The rules also define “Third-party identity verification service” as “a security process offered by an independent third-party who verifies the identity of the consumer making a request to the business.” Article 4 of the proposed rules explicitly allows the business to use a third-party service to verify the consumer’s identity.
Article 2: Notices to Consumers
Article 2 requires businesses to give consumers notices of their privacy practices at or before the time personal information is collected. Notice should be provided in a clear, conspicuous and easy to understand format. Under the draft rules, businesses can only use consumer’s personal information in a manner that is consistent with the privacy notice provided to consumers at the time their information was collected. If a business wants to use personal information in a way not previously disclosed, the business must directly notify the consumer of this new use and obtain explicit consent.
- The draft rules have added a new language and accessibility requirement. Notices must be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers. Notices must also be accessible to consumers with disabilities. At a minimum, businesses should provide information on how a consumer with a disability may access the notice in an alternative format. (999.305(a)(2)(d); 999.306(a)(2)(d); 999.307(a)(2)(d); and 999.308(a)(2)(d))The draft regulations make it clear that the notice requirement covers not only online but also offline collection of personal information. (999.308(a)(1) A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to a website where the notice can be found. (999.306(b)(2))
- Businesses that sell information must provide a link, clear notice of the practice and instructions on how to opt out. (999.306(c))
- Only businesses that sell personal information need to include a “Do No Sell My Info” link; businesses that do not sell personal information must state that they do not sell personal information. (999.306(d)
- Businesses that provide financial incentives in exchange for the ability to sell a consumer’s information must explain the incentive or difference in price or service. (999.307(b)(5))
- A business that does not collect personal information directly from consumers cannot “sell” a consumer’s personal information unless it has received signed attestations from the source of the personal information that a notice has been provided, including an example of the notice. These attestations must be retained by the business for at least two years and made available to the consumer upon request. (999.305(d))
- For everyone that has been waiting for guidance on how an opt-out logo or button should look, no guidance was included in these draft rules. The AG’s office adds a note that guidance on the button or logo will be added in a modified version of the regulations at a later date. (999.306(e)
Article 3: Business Practices for Handling Consumer Requests
Article 3 addresses the AG’s rules on how businesses should receive and respond to consumer requests to invoke their rights to access (or “know”), delete or opt-out. The Article is broken into seven sections and includes specific sections on Service Providers and Training/Record-Keeping. In general, the rules provide guidance on how a business must respond to requests and what constitutes an acceptable response. Some of these rules are quite prescriptive and may not match with what businesses have planned to do as part of their current CCPA compliance program. For example:ser
- Business must provide two or more methods for receiving requests including a toll free number at a minimum and an interactive web form if the business operates a website. The business must take into account its primary method of interacting with customers. Using a brick and mortar retail business as an example, the rules state that if the business operates a website but primarily interacts with customers in person at a retail location, the business shall offer three methods to submit requests to know a toll-free telephone number, an interactive webform accessible through the business’s website, and a form that can be submitted in person at the retail location. Even if the request is received in a manner that is not one of the designated methods of submission, e.g., online chats, businesses must still treat the request as if it had been submitted in accordance with the business’s designated manner or provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request. (See 999.312 (c) & (f)).
- Business must use a two-step process for deletion requests: (1) the consumer must clearly submit a request to delete; and (2) the business must separately confirm the consumer wants to delete its personal information. (999.312 (d))
- Business have ten (10) days to confirm receipt of a request for access or deletion and must provide in response information about “how the business will process the request.” (999.313 (a))
- Unsurprisingly, a business shall not provide access to a consumer if the business cannot verify the consumer making the request. (999.313 (c)(1) & (2)) The rules however also state that “a business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk” to the security of the information, the business systems or the consumers account. (999.313 (c)(3)) A business is also prohibited from disclosing a consumer’s “Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password or security questions and answers.” It does not state whether partial redaction is preferable or if this means those specific pieces of information are now exempted from the consumer’s right to access. (999.313 (c)(4))
- In response to request to delete, a business may do one of three things: (1) permanently and completely delete; (2) de-identify; or (3) aggregate. (999.313 (d)(2)).
- The draft rules have a new section on service providers. The impact of these proposed rules cannot be overstated for any organization that has been focused on figuring out if certain businesses are third parties or service providers. Directly addressing a scenario that has often caused confusion, the draft rules state that to the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, that person or entity shall be deemed a service provider for purposes of the CCPA and these draft regulations. On the contrary, the proposed rules state that a service provider cannot “use personal information received either from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity.” It is unclear whether this is meant to address the scenario of when businesses that are performing a service for another business may also use the personal information it has collected to improve the product or service for another person or entity. (999.314).
- The proposed rules create a new requirement that a business that receives an opt-out request must notify all third-parties with whom it sold the data during the ninety (90) days prior to receiving the request of the consumer’s request to opt-out, and the business must instruct them not to sell the data in the future. (999.315 (f)).
- The draft regulations create record keeping rules for businesses including a requirement for businesses to keep for 24 months any record of requests received and processed. Business that annually buy, receive, sell or share the personal information of more than 4,000,000 consumers must annually tabulate and report metrics regarding the impact of CCPA on the business. (999.317 (g))
- Under the proposed rules, if a request to access or delete the household information is received from one of the members of the household and the consumer submitting the request does not have a password-protected account with the business, the business may respond to a request to know or request to delete household information by only providing aggregate household information. If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements set forth in Article 4, then the business shall comply with the request. (999.318)
Article 4: Verification of Requests
The proposed regulations provide that a business must establish rules and methods to verify the identity of consumers who make requests. (999.323) In addition to matching the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, businesses may also use a third-party identity verification service to verify the consumer’s identity. The draft regulations provide a series of factors businesses must consider when determining the method of verification, including:
- The type, sensitivity, and value of the personal information;
- The risk of harm to the consumer posed by unauthorized access or deletion;
- Likelihood that malicious actors would see the information;
- Whether information provided can be protected against becoming spoofed or fabricated;
- The manner which the business interacts with the consumer; and
- Available technology for verification.
Other items to note:
- When a consumer has a password-protected account with the business, traditional authentication practices (e.g., two-factor authentication) may be used to verify the consumer, and consumers must re-authenticate themselves prior to the disclosure or deletion of data. (99.324(a))
- Businesses must not comply with any request where there is a suspicion of malicious activity until the consumer’s identity has been properly identified. (999.324(b))
- In the case of non-accountholders, the draft regulations set forth differing standards for verification. (999.325)
- When a consumer uses an authorized agent to request on his or her behalf a request to know or a request to delete personal information, businesses may require that the consumer either provide written permission to the agent or verify their own identity directly with the business. (999.326(a))Businesses can deny a request from a proposed agent, if the agent fails to submit proof that the consumer has authorized that agent to act on their behalf. (999.326 (c))
By David Kessler, Jeewon Kim Serrato, Susan Ross, Anna Rudawski and Max Kellogg