The California attorney general’s office on Oct. 10 released the long-awaited proposed regulations to the California Consumer Privacy Act. As noted in the statement of reasons, these regulations are intended to “operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law.”
- While the proposed regulations certainly offer more details on the Attorney General’s expectations for how the California Consumer Privacy Act will be operationalized — often in the form of additional obligation on businesses — businesses hoping for complete clarity on how to verify consumers or how to structure their financial incentives may be left with more questions than answers.
- The regulations add new record-keeping obligations that were not included in the CCPA, including the obligation to maintain and disclose metrics on the number of requests received and the business’s response time (for those that touch data of more than 4 million consumers). These obligations may create a costly administrative burden for companies that aren’t set up to track this data. Additionally, businesses offering financial incentives will have to provide a “good faith estimate” of the value of the consumer’s data to the business and a description of how that value is calculated. Companies that offer loyalty programs should pay close attention to how these requirements impact their programs.
- For companies that “sell” personal information, the regulations impose notification obligations that are not contemplated in the statute. Upon receiving a do-not-sell request, a business must notify all third parties it sold data to in the past 90 days that the consumer has opted out of the sale, and must notify the consumer when those notifications are complete.
We don’t expect that these regulations will be completely rewritten following the comment period, but there are certainly areas where we can suggest changes or flag significant compliance challenges. Written comments can be submitted by mail or email or in person at four public hearings scheduled throughout California during the first week of December. The deadline to submit written comments is Dec. 6, 2019, at 5 p.m. (PST). Please reach out to a member of Loeb & Loeb’s Privacy, Security & Data Innovations team if you would like to discuss the best approach to the submissions process.
The Proposed CCPA Regulations
While the regulations provide some clarity and give additional color to the verification obligations and placement of the do-not-sell button, they create additional ambiguity in a number of areas and impose on businesses new requirements that do not exist in the CCPA. That said, they are the clearest indication of what the Attorney General will be looking for in July when the enforcement period begins and he starts to evaluate whether or not companies are in compliance.
Below we walk you through the key provisions of the regulations. Final comments are due on Dec. 6, and a series of public forums will be held that week to allow comments to be delivered in person. We encourage all companies to read these regulations closely to understand the impact on your business. We hope a robust comment period will help push these regulations to a form that gives businesses the guidance needed to comply with the CCPA.
Notice of Information Collection
- Notably, businesses that do not collect information directly from consumers do not have to provide a notice at the point of collection, but before the data can be sold, the business must contact the consumer directly and provide a notice of the right to opt out, or it must contact the source of the data to confirm that notice was provided and obtain a signed attestation describing the notice along with an example of the notice. The attestations must be retained for two years and be provided to consumers upon request (it’s unclear whether this right has to be disclosed to the consumer).
Notice of the Right to Opt Out of a Sale of Personal Information
- The regulations have a placeholder indicating that the Attorney General’s office is developing an opt-out logo, but the logo is in addition to, not in lieu of, the do-not-sell link, which raises the question of what purpose it would serve. It’s hard to understand why a business would add another task to its development list unless it would replace the do-not-sell link.
Notice of Financial Incentives
- A business that plans to offer a financial incentive to induce consumers not to opt out of sales must include a summary of services offered; the material terms, including the categories of personal information implicated; and a mechanism to opt out of the incentive and a notification of the right to withdraw.
- Businesses must also disclose a good-faith estimate of the value of the consumer’s data to the business and a description of the methods used to calculate that value.
- A list of the CCPA consumer privacy rights: the right to request that the business disclose what personal information it collects, uses, discloses and sells; the right to request deletion; the right to opt out of a sale of personal information; and the right to nondiscrimination for exercising consumer privacy rights.
- Instructions for submitting a verifiable consumer request and a description of the process used to verify requests.
- The categories of personal information collected about consumers in the previous 12 months (this is for all consumers, not specific to one consumer) and for each category of information: 1) the categories of sources from which that information was collected, 2) the business and commercial purposes for which it was collected, and 3) the categories of third parties it is shared with.
- Explanation of how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf.
- Metrics about the number of requests received in the previous year, including the median response time.
- Contact information.
Verification of Consumer Requests
Businesses need to have a reasonable method to verify that the person making a request matches the consumer whose information was collected, taking into consideration the sensitivity and value of the information and the risk of fraud.
Notably, the Attorney General clarified that sensitive information, such as financial account numbers, government identification numbers, Social Security numbers, driver’s license numbers, medical and insurance information, passwords, and security questions, cannot be disclosed in connection with requests for specific pieces of information. This will be helpful to those companies concerned that a false verification request could put them in the crosshairs of certain state security breach notification laws.
Opt-outs do not require verification. With requests to delete that cannot be verified, the information will not be deleted, but rather the request will be treated as an opt-out. A business can deny the request only if it has a good-faith, reasonable and documented belief that the request is fraudulent.
With a request to opt out or delete, a business may give the consumer a choice to opt out or delete only portions of personal information, but only if a global option is given and is more prominently displayed.
Verification for Password-Protected Accounts
Where a consumer has a password-protected account with the business, the business may use the authentication process for the account to verify the consumer’s identity.
Verification for Non-Account Holders
If a consumer does not have a password-protected account with the business, the regulations provide this guidance:
- Where categories of personal information are requested, the consumer’s identity must be verified to a reasonable degree of certainty. This may include matching at least two data points from the consumer with data points in the information maintained by the business.
- Where specific pieces of information are requested, the consumer’s identity must be verified to a reasonably high degree of certainty. This may include matching at least three data points and a signed declaration from the consumer stating that the requestor is the consumer. These declarations must be kept by the business.
- Where a request to delete information is made, the consumer’s identity must be verified to a reasonable or a reasonably high degree of certainty. The more sensitive the information and the greater the risk to the consumer that deleting the information creates, the higher the degree of certainty needed.
The business must also explain why it has no way to reasonably verify the requestor’s identity and evaluate yearly whether it can establish such a method for verification.
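The verification tiers above (account-holder authentication, two matching data points for a “reasonable” degree of certainty, three matching data points plus a signed declaration for a “reasonably high” degree, no verification for opt-outs, unverifiable deletion requests treated as opt-outs, and sensitive fields withheld from specific-pieces responses) can be written down as one decision routine. The following is an added example constructed for this article; it is not code from the regulations, the Attorney General’s office, or any business’s request-handling system. The field names, the `high_risk_deletion` tier (the business’s own judgment of how much harm an erroneous deletion would cause) and the sample record are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict

# Constructed example: encodes the verification rules described in the text as a
# single decision routine. Field names and the risk tier are assumptions.


class RequestType(Enum):
    KNOW_CATEGORIES = "know_categories"   # categories of personal information collected
    KNOW_SPECIFIC = "know_specific"       # specific pieces of personal information
    DELETE = "delete"
    OPT_OUT = "opt_out"


# Field names are assumptions; the categories follow the list in the text above.
SENSITIVE_FIELDS = {
    "ssn", "financial_account", "government_id", "drivers_license",
    "medical", "insurance", "password", "security_question",
}

REASONABLE = 2        # matching data points for a "reasonable" degree of certainty
REASONABLY_HIGH = 3   # matching data points for a "reasonably high" degree of certainty


@dataclass
class Request:
    kind: RequestType
    claimed: Dict[str, str]                  # data points the requestor supplied
    signed_declaration: bool = False         # declaration that the requestor is the consumer
    authenticated_account: bool = False      # requestor passed the account's own login
    high_risk_deletion: bool = False         # business's sensitivity tier for this deletion (assumption)
    documented_fraud_belief: bool = False    # good-faith, reasonable, documented belief of fraud


def _norm(value: str) -> str:
    return " ".join(str(value).strip().lower().split())


def matching_points(claimed: Dict[str, str], record: Dict[str, str]) -> int:
    """Count requestor-supplied data points that match the business's own record."""
    return sum(1 for k, v in claimed.items() if k in record and _norm(v) == _norm(record[k]))


def required_certainty(req: Request) -> int:
    """Number of matching data points the request type calls for (0 = no verification)."""
    if req.kind == RequestType.KNOW_CATEGORIES:
        return REASONABLE
    if req.kind == RequestType.KNOW_SPECIFIC:
        return REASONABLY_HIGH
    if req.kind == RequestType.DELETE:
        return REASONABLY_HIGH if req.high_risk_deletion else REASONABLE
    return 0


def is_verified(req: Request, record: Dict[str, str]) -> bool:
    if req.authenticated_account:          # password-protected account: use its own login
        return True
    needed = required_certainty(req)
    if needed == 0:
        return True
    points = matching_points(req.claimed, record)
    if needed == REASONABLY_HIGH:          # "reasonably high" also needs the signed declaration
        return points >= needed and req.signed_declaration
    return points >= needed


def decide(req: Request, record: Dict[str, str]) -> Dict[str, object]:
    """Return the action to take and, for a specific-pieces request, the fields that may be disclosed."""
    if req.documented_fraud_belief:
        return {"action": "deny", "verified": False, "disclose": []}
    if req.kind == RequestType.OPT_OUT:    # opt-outs are honoured without verification
        return {"action": "opt_out", "verified": True, "disclose": []}
    if not is_verified(req, record):
        # Unverifiable deletion is treated as an opt-out, not a deletion; unverifiable
        # requests to know get an explanation of why verification was not possible.
        action = "opt_out" if req.kind == RequestType.DELETE else "explain_no_verification"
        return {"action": action, "verified": False, "disclose": []}
    if req.kind == RequestType.KNOW_SPECIFIC:
        # Sensitive fields are never returned in response to a specific-pieces request.
        disclosable = sorted(k for k in record if k not in SENSITIVE_FIELDS)
        return {"action": "disclose_specific", "verified": True, "disclose": disclosable}
    if req.kind == RequestType.KNOW_CATEGORIES:
        return {"action": "disclose_categories", "verified": True, "disclose": []}
    return {"action": "delete", "verified": True, "disclose": []}


if __name__ == "__main__":
    # Constructed sample record and requests.
    record = {"email": "ada@example.com", "postal_code": "94105",
              "last_purchase": "order-1042", "ssn": "000-00-0000"}
    two = {"email": "Ada@Example.com", "postal_code": "94105 "}
    print(decide(Request(RequestType.KNOW_CATEGORIES, two), record))
    print(decide(Request(RequestType.DELETE, two, high_risk_deletion=True), record))
```

The routine keeps the two thresholds and the declaration requirement in one place, so a change to the business’s verification policy (or to the final regulations) is a one-line edit rather than a hunt through request handlers, and the `disclose` list makes the sensitive-field exclusion auditable per response.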
We wanted guidance, but — as usual — be careful what you ask for.