Just under three months before the January 1, 2020 deadline to comply with the California Consumer Privacy Act (“CCPA”), the California Attorney General (“AG”) released a notice of proposed rulemaking and draft regulations pursuant to the CCPA on October 10, 2019. The next day, California Governor Gavin Newsom signed into law several CCPA-related bills that will make important changes to the statute. Businesses subject to the CCPA now face the difficult task of adjusting their compliance efforts on-the-fly to address these developments.
Amendments
The newly-signed amendments become binding law when the CCPA becomes operative on January 1, 2020 and include:
- B2B and HR data. A one-year grace period for certain obligations involving business contacts (AB 1355) and personal information (“PI”) of business personnel (AB 25).
- Data brokers. A requirement to register with the AG as a “data broker” for businesses that knowingly “sell” (as defined in CCPA) personal information of consumers with whom they do not have a direct relationship (AB 1202).
- Data security. Expansion of the data covered by California’s breach notification and data security statutes (AB 1130), and thus the CCPA’s private right of action for data breaches.
- Scope of personal information. Clarification of the scope of “personal information”, “deidentified” and “aggregated information” under the CCPA (AB 874).
- Toll-free number exemption. Exemption of online-only businesses from the requirement to have a toll-free number for submitting CCPA information and access requests (AB 1564).
- Auto industry exemption. A specific exemption for car dealers/manufacturers (AB 1146).
See our previous post on these amendments for details.
Draft regulations
The draft regulations are unlikely to be finalized until after January 1, 2020, but provide needed guidance in a number of areas—particularly with respect to handling consumer requests and verifying requester identities. They also create new requirements that many businesses will not have factored into current planning. Notable examples include requirements regarding:
- Readability of privacy notices, including requirements to translate them into relevant languages, optimize for mobile screens and ensure accessibility to disabled readers
- Changes to privacy policies, including a requirement to get explicit consent to make new and previously undisclosed uses of PI
- Sale of indirectly-sourced data, including requirements to obtain from data sources signed attestations that required notices have been given
- Informing PI purchasers of opt-out requests
- Privacy notice signage in brick-and-mortar stores and locations
- Annual reports on consumer requests
- Obtaining consent to sell personal information from minors under 16
Rulemaking process
The draft regulations are intended to fulfill the AG’s mandate under the CCPA to adopt regulations to further the purposes of the law. They follow an initial period of public participation that included seven public forums held around the state earlier in 2019 and elicited over 1300 pages of public comments.
The draft regulations address CCPA requirements in the following areas:
- Notices to consumers
- Handling consumer requests
- Verifying consumer requests
- Special rules regarding minors
- Nondiscrimination and valuing personal information
Interested parties may present comments on the draft regulations at four public hearings throughout California on December 2-5, 2019 or submit written comments by December 6, 2019 5:00 p.m. Pacific. Under California’s rulemaking process, substantial changes to the regulations will undergo another comment period before the regulations are finalized (45 days for “major” changes and otherwise at least 15 days).
Highlights
Notable requirements in the five areas addressed by the draft regulations are as follows.
Notices to Consumers
In addition to privacy policies, the regulations address three notice types—notice at collection of PI, notice of the right to opt-out of sales of PI, and notice of financial incentives (these notices generally can be delivered when interacting with consumers online by linking to a section of a privacy policy containing the required notice content).
Readability
All notices must be easy to read and understandable to the average consumer. For example, they must:
- Use plain language and avoid technical or legal jargon
- Use a conspicuous format and if applicable, be easy to read on smaller screens
- Be available in languages that the business uses in its ordinary course of providing contracts, sale announcements, or other information to consumers
- Be accessible to disabled consumers
- Be accessible online and offline as appropriate
Notice at collection of PI
- Timing. The notice must be given at or before PI is collected: on the homepage for websites, on the download page for mobile applications, and in paper notices or signage bearing a notice URL in the case of offline collection.
- Using PI for new purposes. The notice must disclose the business or commercial purpose for which the PI will be used, and the business cannot later use the PI for other purposes not explained in the notice unless it first directly notifies the consumer and obtains their explicit consent to the new use.
- The PI collected. The notice must disclose the PI the business collects, and a business cannot collect PI that it did not disclose unless the business provides a new notice.
- Sale of indirectly sourced PI. A business that does not collect PI directly from consumers is not required to provide notice at collection to the consumer, but the business cannot sell the PI unless it either:
- contacts the consumer to provide notice that the business sells PI and that the consumer has a right to opt-out; or
- obtains a signed attestation from the source confirming that the source gave the consumer the required notice at collection.
Notice of right to opt-out of sales
This notice must, among other things, include a “Do Not Sell My Personal Information” link to a webpage for submitting opt-out requests.
A business is exempt from providing a notice of right to opt-out if it:
- Does not, and will not, sell PI collected during the time period during which the notice of right to opt-out is not posted; and
- States in its privacy policy that it does not and will not sell PI.
A consumer whose PI is collected while a notice of right to opt-out is not posted shall be deemed to have validly submitted a request to opt-out.
Notice of financial incentive
This notice is intended to explain to consumers the financial incentive or price or service differences a business might offer in exchange for retaining or selling a consumer’s PI. The notice must:
- Describe the incentive or price/service differences, including what PI they implicate
- Instruct consumers how to opt-in, and later opt-out
- Explain how the business calculates the value of PI that is used for the financial incentive or price/service difference
Verifying Consumer Requests
The draft regulations provide that a business must establish and document a reasonable method to verify the identities of individuals who make CCPA consumer requests.
Reasonable verification
A reasonable method accounts for factors such as:
- the ability to match identifying information provided by the consumer with PI held by the business
- the sensitivity of the PI covered by the request
- the risk of harm from unauthorized access or deletion
- the likelihood that requests are made by fraudulent or malicious actors, or are spoofed or fabricated
- the context of the business’s relationship with the customer
Data minimization and reasonable security
In order to verify a consumer request, a business should match the information in its records with the information provided by the consumer, and avoid requesting additional information from the requester unless needed to verify their identity. The business may use the additional information for verification or fraud-prevention purposes only and must delete it as soon as practicable. Additionally, a business must implement reasonable security to detect fraudulent requests.
Verification to be proportionate
Verification must be proportionate to the nature of the request and/or the underlying PI. For example:
- Requests to know categories of PI collected must be verified to a “reasonable degree” of certainty (e.g., matching two data points provided by the consumer with those held by the business).
- Requests to know specific PI collected must be verified to a “reasonably high degree” of certainty (e.g., matching three data points and obtaining a signed identity declaration sworn under penalty of perjury from the requester).
- Requests to delete PI can be verified to either a reasonable or reasonably high degree of certainty, depending on the sensitivity of the PI and the risk of harm to the consumer if the deletion were unauthorized.
Requests submitted by agents
A business is entitled to verify the consumer’s identity and require written proof from the consumer that the agent is authorized to act on their behalf (with certain power of attorney exceptions).
Password-protected accounts
A consumer logging into a password-protected account maintained by the business to exercise a CCPA request is enough to verify the request—unless the business has reason to suspect fraudulent access.
Inability to verify requests and reporting obligations
If a business cannot reasonably verify a particular consumer’s request, it must explain this to the consumer. If a business can never reasonably verify any consumer’s request, it must state this in its privacy policy, annually re-evaluate its inability to verify requests, and document its evaluation.
Handling Consumer Requests
- Intake. Businesses must provide two or more designated methods to submit requests for access to or deletion of PI, one of which must be a toll-free telephone number. (Certain online-only businesses are exempt from the toll-free number requirement due to a recent amendment.) The draft regulations add that at least one designated method must reflect the manner in which the business primarily interacts with the customer, even if this means more than two methods are required (e.g., a brick-and-mortar retailer with a website must also accept offline requests in-store).
- Deficient submissions. If a consumer submits a request to know or delete through a channel not designated by the business, the business must either accept the request as properly submitted or instruct the consumer how to properly submit the request.
- Confirming receipt. The business must acknowledge receipt of a consumer request within 10 days and provide information about how and when the business will respond.
- Responses
- A business can decline to respond with specific PI if disclosure would create a substantial, articulable, and unreasonable risk to either the consumer or the business.
- A business must not disclose a consumer’s social security number, driver’s license number or other government identification number, financial account number, health insurance or medical identification number, account password, or account security questions or answers.[1]
- If a business denies a request, it must explain the basis of its denial.
- In responding to a request to delete, a business need not delete PI from archived or backup systems until the business actually accesses or uses that system.
- A business must use reasonable security when producing documents.
- Training personnel. A business must train all personnel who handle consumer requests.
- Record-keeping. A business must maintain records of CCPA requests, and how it responded, for at least 24 months.
- Record-keeping for larger businesses. Businesses that annually buy, receive or share for commercial purposes, or sell, the PI of 4 million or more consumers must also:
- compile metrics for each calendar year on the number of each type of consumer requests received and the median number of days within which the business processed it
- disclose the metrics in their privacy policy
- establish and implement a CCPA training policy
Special Rules Regarding Minors
- Minors under 13. A business with actual knowledge that it collects the PI of minors under 13 must establish and document a “reasonable method” to verify the identity of the minor’s parent or guardian who consents to sell the minor’s PI. These methods are primarily offline, such as mailing a consent form signed under penalty of perjury, using a payment card, and having the parent/guardian call or videoconference somebody at the business. The methods must be disclosed in the business’s privacy policy. The consent here is separate from the consent required under the Children’s Online Privacy Protection Act (COPPA).
- Minors ages 13, 14 or 15. A business with actual knowledge that it collects the PI of 13, 14 or 15 year-olds must establish and document a reasonable process for such minors to opt-in to the sale of their PI. This process must be disclosed in the business’s privacy policy.
Nondiscrimination and Valuing Personal Information
The CCPA prohibits a business from “discriminatory” practices like offering financial incentives, charging different prices, or providing different levels of service to a consumer who exercises CCPA rights. However, a business can charge different prices or provide different levels of service if the difference is reasonably related to the value of the PI to the business (and provides the requisite notice of financial incentives).
The business must document and use a reasonable and good faith method to determine the value that consumer PI provides to the business, which may be based on:
- the marginal value of the PI to the business
- the average value of the PI to the business
- the revenue, profit, or expenses related to the PI
- any other practical and reliable method of calculation used in good-faith
Conclusion
The newly-signed amendments generally lighten the compliance effort for most businesses (setting data brokers aside) through exemptions and grace periods.
Conversely, the draft regulations would add to the already significant compliance burden that businesses face under the CCPA. However, while the draft regulations preview the road ahead and shed light on the AG’s thinking about the CCPA, a business’s inability to comply with them by year-end should not induce panic. After all, draft regulations are not binding.
Moreover, the regulations are just the latest step in the evolution of a new and dynamic legal regime. In addition to the development of these regulations, 2020 will see another flurry of attempts to persuade legislators to amend the CCPA, and a planned November 2020 ballot measure will introduce “CCPA 2.0” if passed. CCPA will be a moving target well beyond the January 1, 2020 deadline, and compliance will be an ongoing and iterative process for some time to come.
Notes
1. This information is protected by California’s data security law, and a breach of security affecting this information triggers notification obligations and is actionable under the CCPA’s private right of action for data breaches.