On October 10, 2019, the California Attorney General’s office issued the proposed text of its California Consumer Privacy Act (CCPA) regulations (the Regulations). The Regulations propose detailed rules regarding required notices for consumers, business practices for handling consumer requests, verification of requests, special rules regarding minors, and non-discrimination. Accompanying the Regulations is the Attorney General’s Initial Statement of Reasons, which provides the justifications for each requirement.
Below is an overview of the main components of the Regulations.
Notice to Consumers
As required by §1798.100(b) of the CCPA, a business that collects a consumer’s personal information must give notice at or before the point of collection regarding the categories of personal information to be collected and the purposes for which the categories of personal information will be used. The Regulations, however, supplement the requirements specified in the Act for notice of collection in four ways.
First, while businesses that operate online must conspicuously post a link to the notice on the website homepage or mobile application download page, businesses that operate offline may post prominent signage directing consumers to the website containing the notice, which will likely result in Proposition 65-style notices at California storefronts. The Regulations also permit businesses operating offline to include the notice on printed forms that collect personal information and to provide the consumer with a paper version of the notice.
Third, unlike the Act, which only requires the disclosure of the purposes for which the collected personal information will be used, the Regulations require that the purpose(s) be listed for each category of personal information, making for a cumbersome notice, particularly on mobile devices.
Fourth, §999.305(d) of the Regulations absolves businesses who do not collect information directly from consumers from providing notice at collection; however, before such a business can sell a consumer’s personal information it must provide notice of the sale by either contacting the consumer directly or confirming and receiving an attestation—which must be maintained for two years—that the source of information has provided such notice. Permitting businesses with no direct relationship to consumers to contact consumers directly may open the door for phishing attempts by malicious actors purporting to be businesses indirectly collecting consumer information and providing malicious opt-out links. Further, requiring businesses to retain attestations for two years conflicts with the foundational privacy principle of data minimization and will be a seemingly unnecessary compliance burden, particularly for small businesses reliant on lead generation services.
Opt-Out of Sale
Section 1798.135 of the CCPA requires businesses that sell personal information to provide a clear and conspicuous “Do Not Sell My Personal Information” link (“opt-out notice”) on their Internet homepage and allow consumers to authorize another individual to opt out on the consumer’s behalf. Section 999.306 of the Regulations requires that the opt-out notice contain a webform by which consumers can submit their opt-out requests, including the proof required when authorizing an agent to opt out on their behalf.
§1798.125 of the Act permits businesses to offer financial incentives for the collection, sale, or deletion of personal information, provided notice is given and certain conditions are met. The Regulations provide detail regarding the contents of this notice, including a summary of the financial incentive or price/service difference offered, a description of the material terms (including which categories of personal information are implicated), directions on how to opt in to the incentive, notification of the right to withdraw, and an explanation of why the financial incentive or price/service difference is permissible under the CCPA, which must include a good-faith estimate of the value of the incentive, and the methods used to calculate the value.
Business Practices for Handling Consumer Requests
Article 3 of the Regulations sets forth requirements regarding submitting and responding to consumer requests, handling requests to access or delete household information, the criteria for being considered a service provider under the statute, and associated training and record-keeping requirements.
Requests to Know, Delete, and Opt-Out of Sale
Under the Act, businesses must provide at least two methods by which consumers can submit requests. The Regulations clarify that businesses are required to provide at least one method for submitting requests that reflects the manner in which the business primarily interacts with consumers. This means that retail businesses and other brick-and-mortar establishments that primarily interact with customers in person must also provide a means for consumers to submit requests to know, delete, or opt out of the sale of their personal information in person.
Further, the Regulations provide details regarding how businesses must respond to consumer requests. For requests to know and delete, businesses must now meet a new deadline, confirming the receipt of requests to consumers within 10 days, in addition to providing a description of the request verification process and when the consumer can expect a response. Requests for deletion cannot be immediately processed; deletion now requires a two-step process, whereby a request must be submitted and then separately confirmed. In addition, businesses are prohibited from providing a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the information, the consumer’s account, or to the business. Businesses are also prohibited from disclosing certain pieces of specific personal information such as a consumer’s Social Security Number or financial account numbers, even if the request is verified.
If a business cannot verify a request to know or delete, it cannot simply refuse to comply; instead: 1) unverifiable requests for specific pieces of information must be treated as a request for categories of personal information, which must be individualized unless the response is the same for all consumers, and 2) unverifiable deletion requests must be treated as an opt-out of sale. In either event, the business must provide the consumer with an explanation of the basis for the denial. The Regulations also place an operational restriction on data use if a business denies a request to delete on the basis of an exception, prohibiting use of the consumer’s personal information for any purpose other than that provided for by the exception.
With respect to opt-out requests, the Regulations add significant obligations not contained in the Act. Most notably, under §999.314(c), businesses collecting information online must “treat user enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out” as a valid request for that browser or device submitted directly from the consumer under §1798.120. The Regulations seem to require businesses to honor any ambiguous mechanisms that “signal” a consumer’s choice to opt out on their browser, potentially including Do Not Track requests, for which a defined operational standard does not exist. The Regulations lack guidance for how these “signals” must be treated if the user changes the control to “signal” an opt-in (or no signal), or whether these settings must be communicated downstream. The Regulations add that when a business receives an opt-out request, it must communicate the request to all third parties to whom it has sold that consumer’s personal information in the ninety days prior to the receipt of the request, and must notify the consumer when this has been completed. Similar to deletion, the Regulations require a two-step process for opting a consumer back into the sale of their information, whereby a request must be submitted and then separately confirmed.
The Regulations provide much-needed guidance surrounding the handling of household information, including a definition of “household.” Unless a consumer has a password-protected account, requests pertaining to household information must be provided in the aggregate. Further, if all consumers in the household jointly request access to specific pieces of household information or deletion of personal information, the business must comply with the request if it can individually verify all members of the household.
The ability of service providers to use collected information for their operational purposes is narrower under the Regulations than under the CCPA’s definition of Service Provider in §1798.140(v). The CCPA arguably permits service providers to use personal information collected in this capacity for their own operational purposes, including product improvement, which ultimately benefits all customers. This use case does not seem to be permitted under the Regulations, however, which prohibit a service provider from using personal information from an entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another entity, except as necessary for detecting data security incidents or protecting against fraudulent or illegal activity.
Training and Record-Keeping
The Regulations make clear that individuals handling consumer requests and inquiries must be informed of the CCPA’s and the Regulations’ requirements. Further, the Regulations impose new record-keeping obligations for all businesses. Regardless of size, businesses must maintain records of consumer requests and the business’s response for at least twenty-four months. A notable mandate not included in the CCPA is the record-keeping requirement imposed on a business that alone, or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of four million or more consumers. Such businesses must compile and disclose annual metrics, such as the number of requests received. The Regulations lack clarity on the meaning of “alone or in combination,” and give no additional compliance buffer for businesses on the cusp of the threshold. Businesses using manual systems to track requests will be at a compliance disadvantage with such rigorous requirements.
Verification of Requests
Article 4 of the Regulations provides guidance for verifying requests, including the collection of sensitive information for verification, how to verify various types of accountholders, and security requirements for verification.
Businesses that have become accustomed to collecting government IDs as a form of verification under the General Data Protection Regulation (GDPR) are discouraged from doing so under the Regulations. The Regulations treat personal information identified in California’s data breach law as presumptively sensitive and discourage businesses from collecting this information for the purposes of verification, unless necessary. The passage of AB 1130, which revises the definition of personal information under California’s data breach law to include any “unique identification number issued on a government document commonly used to verify the identity of a specific individual,” will make it particularly challenging to collect any form of government identification for verification purposes.
If a business cannot verify a consumer through a password-protected account, the Regulations clarify that the business can request additional pieces of information already maintained by the business. The Regulations make a distinction between the level of certainty needed to verify sensitive and non-sensitive information, as well as the level of verification needed for each request. The request to know the categories of information collected requires verification “to a reasonable degree of certainty,” which includes matching at least two data points provided by the consumer with data maintained by the business. The request to know specific pieces of information requires verification “to a reasonably high degree of certainty,” which includes matching three pieces of personal information provided and a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request (which the business must maintain as part of its record-keeping obligations). Finally, the level of verification required for a deletion request will depend on the sensitivity of information to which the deletion request pertains; less sensitive information, such as browsing history, requires a reasonable degree of certainty, while more sensitive information, such as family photographs, requires a reasonably high degree of certainty.
Finally, the Regulations add specific security requirements for verifying requests. Under §999.323(d) of the Regulations, businesses are required to implement reasonable security measures to detect fraudulent identity-verification activity and prevent unauthorized access to or deletion of a consumer’s personal information. Further, when verifying password-protected accounts, businesses must require consumers to re-authenticate themselves prior to disclosing or deleting their information. In addition, if a business suspects fraudulent or malicious activity on or from the account, the business is not allowed to comply with the request until the consumer’s identity is further verified.
Special Rules Regarding Minors
Article 5 provides guidance regarding how to obtain affirmative authorization from a parent or guardian of a minor under 13, as well as requirements for obtaining opt-in consent from minors between the ages of 13 and 16 for the sale of their personal information.
For minors under 13, the business must implement a reasonable method for determining that the person providing authorization is truly a parent or guardian. The Regulations specify that the requirement to obtain authorization is in addition to any verifiable consent required under the Children’s Online Privacy Protection Act. For minors between the ages of 13 and 16, the business must establish, document, and comply with a reasonable process that allows minors to opt in to the sale of their personal information. In either case, the business must inform the parent or minor of their right to opt out at a later date and how this can be effectuated.
The Regulations clarify that businesses that are exclusively targeted at consumers under the age of 16 and do not sell personal information of minors without affirmative authorization are not required to provide the opt-out notice.
Non-Discrimination
Article 6 seeks to clarify the CCPA’s antidiscrimination provisions, setting forth examples and providing guidance on how to calculate the value of a consumer’s data when offering a financial incentive.
Businesses offering a financial incentive or price/service differences must document the methods used to calculate the value of the consumer’s data. The Regulations provide seven methods businesses may use when calculating this value, and also permit the use of any other practical and reliable method of calculation, provided it is used in good faith.
As of the time of publication of this article, we are in the midst of a mandatory 45-day public comment period, ending on December 6, 2019.
Depending on the materiality of the changes made to the Regulations, the Attorney General may be required to open another 15-day comment period. After finalizing the Regulations, the California Office of Administrative Law has 30 business days to review the rulemaking record to ensure the rulemaking requirements have been met and must either approve or disapprove the Regulations. Given this timeline, it is unlikely that a final version of the Regulations will be issued before Spring 2020. The Regulations must be finalized by, and will take effect on, July 1, 2020.
While the Act becomes operative on January 1, 2020, the Attorney General cannot enforce the Act until July 1, 2020. As such, between January 1, 2020 and July 1, 2020, only the private right of action for certain data breaches can be enforced. After July 1, 2020, the Attorney General can begin enforcing both the Act and the Regulations, including statutory violations that date back to January 1, 2020.
We urge businesses affected by the Regulations to submit comments to the Attorney General and welcome any requests to assist with such submissions. WSGR will continue to monitor further CCPA developments. For more information or to submit a public comment please contact Chris Olsen, Eddie Holman, Mariam Abdel-Malek, or another member of the firm’s privacy and cybersecurity practice.