The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, aims to provide California residents with greater transparency and control over how businesses collect and use their personal information. Organizations have been waiting for the California Attorney General (AG), Xavier Becerra, to adopt regulations to clarify and further the purpose and intent of the CCPA. On October 10, 2019, the California AG released a draft of the proposed regulations (“Draft Regulations”) and is calling on all interested parties to submit comments at the scheduled public hearings, by mail, or by email. The deadline to submit comments is December 6, 2019 at 5:00 p.m. (PST). It is important to note that the Draft Regulations are subject to change as the proposed regulations are still in draft form and the AG is currently soliciting comments.
Background
The CCPA requires the AG to adopt regulations to further the purpose of the CCPA, including, but not limited to, the following areas:
- Updating the definition of “personal information” and “unique identifiers” in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
- Establishing any exceptions necessary to comply with state or federal law.
- Establishing rules and procedures to facilitate and govern the submission of a request to opt-out of the sale of personal information.
- Establishing rules and procedures to ensure that notices and disclosures are provided in a manner that may be easily understood by the average consumer and are accessible to consumers with disabilities.
- Establishing rules and procedures to facilitate a consumer’s ability to obtain information pursuant to the “Request to Know” sections (i.e., §§ 1798.100, 1798.110, and 1798.115).
- Establishing rules and procedures to govern a business’s determination that a request for information received from a consumer is a verifiable request.
What Do the Draft Regulations Provide?
The Draft Regulations are broken down into seven (7) articles. We provide below a high-level overview of each article with our inserted comments, general considerations and points for discussion. The guidance within the Draft Regulations is specific to: (a) the notices businesses must provide to consumers; (b) practices for handling consumer requests; (c) practices for verifying the identity of consumers making those requests; (d) practices regarding the personal information of minors; and (e) the offering of financial incentives.
It is apparent that the AG took into consideration many of the issues raised at the initial public forums and in the written comments submitted earlier this year. Nonetheless, the Draft Regulations will likely result in more compliance confusion rather than providing the clarification that most industries and organizations are desperately seeking.
Article 1 – General Provisions
- Defines “categories of sources” to mean the “types of entities from which a business collects personal information about consumers, including but not limited to the consumer directly, government entities from which public records are obtained, and consumer data resellers.” Notably, the CCPA excludes from the definition of “personal information” records that are made available from federal, state, or local government records, so why “government entities” are included as a source of “personal information” will likely be addressed or at least reviewed during the comment period.
- Defines “categories of third parties” to mean the “types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and consumer data resellers.” This definition is one of the first examples in the Draft Regulations that reflects the misunderstanding of technology that has continued to fuel the CCPA and has resulted in the compliance obstacles inherent in it.
- Identifies the rights afforded to consumers as the “Request to Know,” “Request to Delete,” “Request to Opt-Out,” and the “Request to Opt-In.”
Article 2 – Notices to Consumers
- Clarifies that a business that does not collect information directly from consumers does not need to provide the notice required by Section 1798.105(b), provided that before the business can sell the consumers’ personal information, it must comply with certain additional obligations that may include, for example, contacting the source of the personal information to obtain a signed attestation describing how the source gave the consumer notice at the time of collection and including an example of such notice. This clarification would resolve a key concern for many businesses, namely how a business can provide consumers with notice “before or at the point of collection” if the business does not maintain a direct relationship with the consumers. While the clarification is likely welcomed by many organizations struggling to comply with Section 1798.105(b)’s requirements, the proposed signed attestation requirement may result in its own compliance obstacles.
- Requires businesses that substantially interact with consumers offline to provide notice to consumers by an offline method that facilitates consumer awareness of their right to opt-out.
- With respect to financial incentives, requires businesses to provide a “good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference” along with a description of the method used to calculate the value of the consumer’s data.
- Clarifies that online privacy policies do not need to be personalized for each consumer. While the clarification is certainly welcome, this issue will likely be addressed separately through amendment as well.
- Requires online privacy policies to describe the process the business will use to verify the consumer request, including any information the consumer must provide.
- Requires that, with respect to an online privacy policy, businesses must “for each category of personal information collected, provide the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information.” While seemingly straightforward, these requirements may actually conflict with what is currently required by the statute and thus may be ineffective as a result of Article 7 of the Draft Regulations (see our comments relating to Article 7 below). Indeed, the CCPA likely does not require the above information to be disclosed “for each category of personal information collected.” Rather, it is arguable that such information can be disclosed in a more general format.
Article 3 – Business Practices for Handling Consumer Requests
- Requires a business to consider the methods by which it interacts with consumers when determining which methods to provide for submitting Requests to Know and Requests to Delete. Practically speaking, a business that interacts with consumers substantially offline may have to create a method to accept requests in person.
- With respect to deletion requests, gives businesses the flexibility to confirm with the consumer what information he or she would like deleted, provided that a global option to delete all personal information is also offered, and more prominently presented than the other choices.
- Upon receipt of a Request to Know or Request to Delete, requires businesses to confirm receipt of the request within 10 days.
- Prohibits businesses from disclosing, at any time, a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers. This likely was added to mitigate concerns relating to fraud and identity theft resulting from the requirement that businesses disclose the specific pieces of personal information upon request.
- Provides that if a service provider receives a Request to Know or a Request to Delete and the service provider does not comply with the request, it shall explain the basis for the denial. The service provider is also required to redirect the consumer to the business on whose behalf the service provider processes information.
- Requires businesses to comply with a Request to Opt-Out no later than 15 days from the date the business receives the request. This is notable as the statute appears to be silent on this issue and the time to comply is considerably less than what is afforded to Requests to Know and Requests to Delete.
- Requires businesses to notify all third parties to whom it sold the consumer’s personal information within the 90 days prior to the business’s receipt of the consumer’s request that the consumer has exercised their right to opt-out, and to instruct those third parties not to further sell the information.
- Requires certain businesses to compile certain metrics relating to the number of requests received, complied with in whole or in part, and denied.
Article 4 – Verification of Requests
- When establishing processes to verify a consumer’s identity, requires businesses to consider the risk of harm to the consumer if a fraudulent request is submitted. The higher that risk, the more stringent the verification process should be.
- Requires businesses to implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information. While the Draft Regulations do not elaborate on what such measures should consist of, it may be wise for organizations to look to the Red Flags Rule for instruction.
- Establishes required degrees of certainty for verifying consumer identities. For example, a business’s compliance with a Request to Know categories of personal information requires the business to verify the identity of the consumer to a reasonable degree of certainty. In contrast, a business’s compliance with a Request to Know specific pieces of personal information requires the business to verify the identity of the consumer to a reasonably high degree of certainty.
Article 5 – Special Rules Regarding Minors
- Provides that when a business receives an “affirmative authorization” that authorizes the sale of personal information about a child, the business must inform the parent or guardian, or the minor if between 13 and 16 years of age, of the right to opt-out at a later date and the process for doing so. The statute, as currently written, does not expressly require this opt-out notice.
Article 6 – Non-Discrimination
- Proposes methods to calculate the “value of the consumer’s data,” which includes any “practical and reliable method of calculation used in good-faith.”
Article 7 – Severability
- Provides that if any section of the Draft Regulations is found to be unconstitutional or contrary to the statute, such decision will not affect the validity of the remaining portions of the Draft Regulations. This language is crucial for businesses attempting to comply with the CCPA where the Draft Regulations seem to impose obligations different or contrary to the statute itself.