On October 10, 2019, California Attorney General Xavier Becerra announced a long-awaited notice of proposed rulemaking and draft regulations for the California Consumer Privacy Act (CCPA), California’s new consumer privacy law, which we have analyzed here and here.
In this first part of our multi-part series on the CCPA regulations, we will focus on how the draft regulations affect businesses’ notice obligations under the CCPA. As discussed below, the new regulations provide detailed guidance that will have important ramifications for businesses, in particular those that sell or otherwise monetize consumer information.
The CCPA, signed into law in 2018 and taking effect on January 1, 2020, grants consumers new rights with respect to the collection and use of their personal information. CCPA requires the California Attorney General to provide implementing regulations on key areas of the law, and also grants the AG’s office authority to “adopt additional regulations as necessary to further the purposes of [CCPA].” Cal. Civ. Code § 1798.185(b).
The proposed regulations provide guidance in a number of key areas of the CCPA. Violations of the regulations will be treated the same as violations of the Act itself, with the same penalties.
Before final regulations are approved, interested parties will have until December 6, 2019 to submit written comments, or participate in town hall meetings hosted by the Attorney General’s Office in Sacramento, San Francisco, Los Angeles, and Fresno.
Representatives of the Attorney General’s office have indicated that July 1, 2020 is the anticipated date for CCPA enforcement to begin, but reiterated that the law takes effect on January 1, 2020.
Article 2: Notices businesses must provide to consumers under CCPA
The new proposed regulations establish four types of CCPA notice that must be provided to consumers and examples of the information that must be included in each. The four types of notice are:
- Notice at or before collection of personal information.
- Notice of the right to opt-out of sale of personal information.
- Notice of financial incentive.
- Privacy policy.
Notable new developments for each type of notice are described below. Initial notice to consumers “at or before the point of collection” of personal information is often the most critical.
All forms of notice must:
- Use plain or straightforward language, and avoid technical or legal jargon.
- Use a format that draws users’ attention to the notice and makes the notice readable, including on smaller screens.
- Be accessible to consumers with disabilities, including, at a minimum, information on how a consumer with a disability may access an alternative format of the notice.
- Finally, and notably, a business that uses multiple languages to interact with California residents must make each of the four notices available “in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.”
Notice at or before collection of personal information must:
- Disclose the categories of personal information collected and the business or commercial purposes for which each category of information will be used.
- Be visible or accessible where consumers will see the notice before any personal information is collected.
- Online, a business “may conspicuously post a link to the notice on the business’ website homepage or a mobile app’s download page, or on all webpages where personal information is collected.”
- Offline, a business may include the notice on printed forms that collect personal information, provide a paper version, or post prominent signage directing consumers to the web address where the notice may be found.
- Businesses must give direct notice if they collect any new categories of information or engage in any new uses of previously collected information.
Under the proposed regulations, if a business does not give notice at or before the point of collection, it shall not collect personal information. Similarly, a business shall not use personal information for any purposes other than those disclosed at collection without notice and explicit consent. Additionally, the requirement that businesses specify in the notice the business or commercial use of each category of personal information collected may result in changes to the “standard” structure of privacy notices that many businesses employ currently.
Another critical development in the draft regulations pertains to businesses that do not collect information directly from consumers. They do not need to provide notice to the consumer at the point of collection, but before selling a consumer’s information, businesses that indirectly collect consumer information (i.e., data brokers or other purchasers of consumer data) must either:
- Contact the consumer directly to provide notice of the sale and the consumer’s right to opt-out; or
- Contact the source of the personal information to (i) confirm proper notice was provided at collection; and (ii) obtain a signed attestation from the source describing how notice was given and including an example of that notice. The business must retain the attestations for at least two years, and make them available to consumers on request.
This is a key change for many businesses that rely on consumer information collected by third parties and/or aggregate consumer information from a variety of sources, particularly data brokers, advertisers, and entities engaged in lead generation and affiliate marketing. The proposed requirement that businesses that receive personal information either contact the consumer to provide notice and an opt-out, or obtain a signed attestation from the source together with an example of the notice given to consumers, is a major new obligation. It does not appear to be satisfied by a mere contractual representation from each source that all data provided was acquired lawfully and that consumers received notice and consented to sharing with third parties.
Notice of the right to opt-out of the sale of personal information must include:
- Instructions for any methods of opting out, including the webform through which such requests can be submitted (if online); and
In addition to posting the notice of right to opt-out, an opt-out button or logo may be used and linked to a webpage or online location containing required disclosures about the right to opt-out.
Notice of financial incentives or service differences in exchange for consumers’ personal information must:
- Be available online or in other physical locations where consumers will see it before opting in to the financial incentive or price or service difference.
- Include in the notice of financial incentive:
  - A “succinct summary of the financial incentive or price or service difference offered”;
  - A description of the material terms of such programs, as well as the categories of personal information that are implicated by the programs;
  - How the consumer may opt-in to the program;
  - Notification of the consumer’s right to withdraw from the program at any time and how to exercise that right; and
  - An explanation of why the financial incentive or price or service difference is permitted under the CCPA, including (1) a good faith estimate of the value of the consumer’s data that forms the basis for offering the incentive; and (2) a description of the method used to calculate the value of the consumer’s data.
Business privacy policies must:
- Provide a description of online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.
- Be included in any California-specific description of consumers’ privacy rights on the business’s website.
- Include a description of California rights as detailed in the proposed regulation, and describe the process used by a business to verify consumer requests, including the following:
  - Right to know about personal information collected, disclosed or sold;
  - Right to request deletion of personal information;
  - Right to opt-out of the sale of personal information;
  - Right to non-discrimination based on the exercise of a consumer’s privacy rights;
  - How to designate an authorized agent to make a request under the CCPA on the consumer’s behalf;
  - A contact for questions or concerns “using a method reflecting the manner in which the business primarily interacts with the consumer”;
  - For businesses subject to the record keeping requirements set forth in section 999.317(g) because they process the personal information of 4,000,000 or more consumers, the information compiled under that regulation or a link to it.
- Include, by category of personal information collected, a description of the categories of sources from which that information was collected, the business or commercial purpose for collecting that information, and the categories of third parties with whom the business shares personal information. This notice “shall be written in a manner that provides consumers a meaningful understanding of the categories listed.”
* * *
Overall, the draft regulations offer substantial information on how to comply with CCPA obligations, and offer stakeholders an opportunity to weigh in before the regulations are finalized. The Attorney General’s office will accept comments through December 6, 2019. We will soon be posting additional analysis for Article 3 of the proposed regulations, regarding requirements for responding to requests from consumers.