On October 10, 2019, with no prior notice, the California Attorney General held a press conference announcing the publication of his office’s proposed regulations (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations) to implement the California Consumer Privacy Protection Act or the CCPA (the “Regulations”). The following day, the California Governor signed all five of the legislature’s proposed CCPA amendments and squeezed in sign-off of an amendment to California’s data breach law (expanding the definition of “personal information” to include biometric data, tax ID, passport and other government-issued ID numbers). The Regulations are open to public comment until December 6, 2019 and are therefore subject to further changes just weeks before the CCPA goes into effect January 1, 2020. Although the Attorney General stated that his office will not begin CCPA enforcement until July 2020, the CCPA includes a 12-month lookback period. Therefore, while businesses can now treat the freshly inked CCPA amendments as final, the Regulations are still to be determined. Nonetheless, businesses should use the remaining 69 days to continue implementing compliance mechanisms, and the Regulations do give perspective as to how the office responsible for enforcing the new law will generally interpret the CCPA.


NOTICES TO CONSUMERS

The Regulations include examples and additional details on how businesses must notify consumers of their data rights, acceptable methods for consumers to submit their requests, and requirements for businesses to respond to those requests, including new timelines to give consumers notice that the business received their request.

Right to Know Requests

Consumers have the right to request to know information about any or all of the following business practices applicable to the 12-month period prior to the request:

  • Categories of personal information collected about them (i.e., what is collected)
  • The business or commercial purpose for which it was collected (i.e., how it will be used)
  • Categories of sources from which the information was collected (i.e., where it was collected)
  • Categories of personal information sold or disclosed for a business purpose about them (i.e., what is disclosed)
  • Categories of third parties to whom the personal information was sold or disclosed (i.e., to whom is it disclosed)
  • The business or commercial purpose for which it was sold or disclosed (i.e., why it was used)

When honoring these requests, a business must prepare an individualized response to the consumer and must not refer to the business’s general practices outlined in the privacy policy unless the response would be the same for all consumers. The 12-month period covered by a request runs from the date the business receives the request (regardless of the time required to verify).

Under the Regulations, businesses have 10 days to acknowledge receipt of a right to know request and to give more information about how the business will process the request, including a description of the verification process. Businesses have 45 days to respond to a right to know request (regardless of how long it takes to verify), and may extend that period by 45 days if they give the individual notice of the extension and an explanation for the delay. A business is only required to honor a “verifiable consumer request.” If a business cannot verify the identity of a requestor, the business cannot deny the request. The business must inform the requestor that the business could not verify their identity.

Right to Access (or Copy)

Consumers have the right to request a copy of their personal information held by a business. Upon verifiable consumer request, the business must deliver, by mail or electronically, free of charge, the categories and specific pieces of personal information collected on the consumer covering the 12-month period preceding the request.

A business must use reasonable security measures when transmitting personal information to the consumer. If a business maintains a password-protected account with the consumer, it may use a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to, uses reasonable data security controls, and complies with the verification requirements in the Regulations (see Verifiable Requests section below).

Businesses can limit their responses to these requests to address risk of fraud or risk of security. Specifically, the Regulations prohibit businesses from providing a consumer with specific pieces of information if the disclosure creates substantial, articulable and unreasonable risk to the security of the personal information, the consumer’s account with the business or the security of the business’s systems or networks. Further, the business must not provide the Social Security number, driver license number or any government ID, financial account number, health insurance or medical ID number, account passwords, and security questions and answers in response to a request for specific pieces of information.

Under the Regulations, businesses have 10 days to acknowledge receipt of a right of access request and to give more information about how the business will process the request, including a description of the verification process. Businesses have 45 days to respond to a right of access request (regardless of how long it takes to verify), and may extend that period by 45 days if they give the individual notice of the extension and an explanation for the delay.

If a business denies a request to access specific pieces of information, in whole or in part, because of a conflict with applicable law or an exception to the CCPA, the business must inform the requestor and explain the basis for the denial. If a business cannot verify the identity of a requestor, the business cannot deny the request. The business must inform the requestor that the business could not verify their identity.

Right to Deletion

Businesses must honor verifiable consumer requests to delete the consumer’s personal information from its records and direct all of its service providers to do the same, subject to several exceptions. Businesses must provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request. Businesses must also describe the process the business will use to verify the consumer request, including the information the consumer needs to provide.

The Regulations require businesses to provide two or more designated methods for submitting requests to delete. Acceptable methods explicitly mentioned in the Regulations include a toll-free phone number, a link or form available online through a business’s website, a designated e-mail address, a form submitted in person, and a form submitted through the mail. At least one of the methods used to receive right to delete requests must reflect the manner in which the business primarily interacts with the consumer. The Regulations give the example of a business that has a website but primarily interacts with customers in person at its retail location; such a business should provide a form that can be submitted in person at the retail location. Under the Regulations, businesses have 10 days to acknowledge receipt of a right to delete request and to give more information about how the business will process the request, including a description of the verification process. Businesses have 45 days to respond to a right to delete request (regardless of how long it takes to verify), and may extend that period by 45 days if they give the individual notice of the extension and an explanation for the delay.

Consumer requests made through a password-protected account may be verified through the business’s existing authentication practices for the consumer’s account. However, the consumer must re-authenticate themselves before their personal information is deleted. When a consumer does not hold an account, the Regulations provide a risk-based scale for verification of the consumer in a right to delete request of either a reasonable degree of certainty or a reasonably high degree of certainty. The sliding scale is based on a business’s good faith assessment of the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. If a business is unable to verify the individual, the business must treat the request as an opt-out request instead of a deletion request.

A verified request to delete may be satisfied by permanently erasing personal information on a business’s systems (with an exception for backup systems), or by de-identifying or aggregating the consumer’s personal information. Personal information is considered de-identified when it cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. Aggregated information is data that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including through a device.

When responding to the consumer, businesses must disclose the method by which they complied with the consumer request. If a consumer submits a deficient request to delete, the business can either treat the request as if it were correct in form or provide the consumer with additional direction and an opportunity to cure the defect.

When a business denies a deletion request, it must notify the consumer and provide the basis for rejecting the request. There are several exceptions to the right to deletion, including several scenarios where a business needs the consumer’s personal information for valid reasons such as:

(1) providing goods or services to the consumer

(2) identifying/resolving functionality or security issues

(3) complying with other legal obligations

(4) conducting legitimate research in the public interest

(5) protecting the exercise of free speech or another’s exercise of free speech

(6) using the information for internal purposes that the consumer should expect

Right to Opt-Out of Sale

As should be clear from the preceding section on Notices to Consumers, the CCPA model is largely one of opt-out rights, as opposed to mandating that everything from browser cookies onward requires an opt-in. Nonetheless, there are some ins and outs that can be more complicated.

Opting Out

The CCPA grants consumers the right to opt-out of having their personal information “sold” by a business and directs each covered business to include a clear statement of the right to opt out in the privacy notice presented to the consumer when personal information is being collected. The Regulations require businesses to give a “notice of right to opt-out”. The request to opt-out does not apply with respect to how an individual business uses the consumer’s information but rather whether that business will be permitted to “sell” the consumer’s information to third parties for that recipient’s own use and benefit.

The privacy policy content required by the Regulations mandates that each business selling personal information provide a hyperlink titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”. In the future, the AG’s office anticipates presenting a presumably standardized opt-out button or logo in lieu of the quoted wording above.

To exercise an opt-out request, a consumer would click the linked words, button, or logo that businesses must present either within their privacy policy or on a separate landing page (whether for website or mobile app), explaining how an individual may exercise an opt-out request. Beyond the clearly visible and ADA-accessible requirements of the privacy notice generally, the opt-out instructions must:

  • Explain the consumer’s opt-out right;
  • Present a webform for online requests or the offline method available from those businesses that do not operate a website;
  • Instruct on any alternative methods to submit the request;
  • Explain the proof required when a consumer request is submitted by an authorized agent; and
  • Link to or provide the URL of the business’s main privacy policy.

Businesses are not required to provide the opt-out link if they do not sell or intend to sell consumer information and include a statement to that express effect in the privacy policy.

Opting In (or Back In)

Opt-in applies in two circumstances. First, when the business has actual knowledge that it collects or maintains the personal information of children under the age of 16, and second, when a consumer is opting in after previously having opted out. For the former, the opt-in applies with respect to the business’s intention to sell the minor’s personal information as further described below in the Special Rules for Minors section. Similarly, if the business targets consumers under 16 but has no intention of selling this information, there is no need to provide any subsequent opt-out notice. Finally, a consumer who has previously opted-out from the sale of their information or has previously not opted-in (such as those under 16 or their parent/legal guardian) has the right to communicate a request to opt-in.

VERIFIABLE REQUESTS

Businesses must only honor verifiable consumer requests for the right to know, right to access, and right to delete. A “verifiable consumer request” is “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify.”

Businesses must establish, document, and comply with a reasonable method for verifying that the person making a request is the consumer about whom the business has collected information. The Regulations state that businesses should match consumer-provided identifying information to the personal information maintained by the business or use a third-party identity verification service.

In defining its reasonable methods for verification, businesses should take into account the:

  • Ability to match identifying information provided by the consumer with personal information held by the business
  • Sensitivity of the personal information covered by the request
  • Particular risk of harm from unauthorized access or deletion
  • Likelihood that requests are made by fraudulent or malicious actors, or are spoofed or fabricated
  • Context of the business’s relationship with the customer

Businesses should avoid collecting new or additional personal information from the consumer for purposes of verification.

Businesses have different verification requirements when consumers use a password-protected account versus when consumers call a toll-free number or complete a publicly-available website form. If a business maintains a password-protected account with the consumer, the entity may verify the consumer’s identity through the existing authentication practices for the account. However, even those consumers must be re-authenticated before a business can disclose information or delete their information.

For non-account holders, the Regulations set standards depending on the type of request exercised. When a consumer exercises a right to know request about the categories of personal information collected about them, businesses must verify the identity of the consumer to a “reasonable degree of certainty.” The Regulations suggest businesses match at least two consumer-provided data points with business-maintained data points. When a consumer requests to know specific pieces of personal information, businesses will have to verify the identity of the consumer to a “reasonably high degree of certainty,” a stricter bar. A “reasonably high degree of certainty” would be met if the business: (i) matches at least three consumer-provided data points with three business-maintained data points, and (ii) gets a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. These declarations should be maintained as part of a business’s record-keeping obligations (see Training and Record Keeping section below).

The CCPA and the Regulations also create a sliding-scale standard for verifying consumers who exercise their right to delete. Businesses must use good faith to either verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty, depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. The Regulations provide the example of deleting photographs and documents to require a reasonably high degree of certainty, while deleting browser history requires only a reasonable degree of certainty.

The Regulations also state that when consumers use an authorized agent (with written permission) to submit a request to know or a request to delete, the business may require the consumer to verify their own identity directly with the business. This suggests businesses should take steps to verify the identity of the consumer and that the agent has authority to act as the consumer’s agent.

Authorized agents can submit requests to opt-out on behalf of consumers, but consumers must give written permission to the authorized agent. A request to opt-out is not subject to scrutiny as a verifiable consumer request. This means that requests to opt-out are not subject to either the reasonable degree of certainty or the reasonably high degree of certainty standards. However, if the business has a “good faith, reasonable, and documented belief” that an opt-out request is fraudulent, the business may deny the request. If a business forms such a good faith, reasonable and documented belief that the opt-out request is fraudulent, the business must notify the requestor that the business will not comply with the request and explain why the request is believed to be fraudulent.

The Regulations instruct businesses what to do when they cannot verify consumers. When a business cannot verify a request for specific pieces of information, it must treat the request as if it were seeking the disclosure of categories of personal information about the consumer instead. Businesses should direct consumers to the privacy policy if they cannot verify right to know requests about categories of personal information collected. For deletion requests, an unverifiable request must be treated as an opt-out of sale.

SERVICE PROVIDERS

The Regulations attempt to clarify who is and is not a service provider and indicate that the definition of “service providers” includes vendors that provide services to a person or organization not considered a “business” subject to the CCPA (e.g., non-profits and government entities) but which otherwise meet the “service provider” definition. Therefore, while the recipient of services may not be subject to the CCPA, the CCPA may still apply to its vendor as a service provider. The original “service provider” definition contemplated that the service provider would receive personal information from the business it serves (and not that it could also directly collect information on behalf of the business). The Regulations clarify that a vendor that collects personal information directly from consumers and meets all other requirements of a “service provider” under the CCPA will be treated as a service provider for purposes of the CCPA.

The Regulations also clarify the following matters with regard to service providers:

  • Service providers are prohibited from using the personal information they collect from or for one of their customers to serve another customer, except for data security purposes or to protect against fraud or illegal activity. It is unclear how this exception will play out, but it may be helpful for service providers that typically compile data across customers to enhance their ability to detect and prevent fraud (e.g., financial services vendors that prevent credit card fraud).
  • A vendor that considers itself both a business subject to the CCPA and a service provider under the CCPA must comply with the CCPA and the Regulations concerning any personal information it collects, maintains, or sells outside of its role as a service provider.
  • If a service provider receives a consumer request to know or delete personal information the service provider collects, maintains or sells on behalf of its customer and does not comply with the request, the service provider will explain why the request was denied and inform the consumer to contact the service provider’s customer directly.

TRAINING AND RECORD KEEPING

The Regulations also emphasize the importance of properly training employees responsible for CCPA implementation and compliance, as well as those responsible for receiving and responding to consumer questions and requests. All employees responsible for any of the activities required by the CCPA should be trained on how to respond to consumer inquiries and requests, how to document requests and responses, procedures for validating requests, how to instruct consumers on exercising their rights, and other requirements of the CCPA and the Regulations. While many commercial training products will likely result from this requirement, it is important for businesses to ensure employees are also trained on policies and procedures specific to the business and that training completion is tracked and documented.

Businesses must also maintain (for at least two years) records of consumer requests received pursuant to CCPA requirements and how the business responded to the requests. Under the Regulations, businesses can use ticketing systems or more manual logs to track these activities as long as the records include the: (i) date and manner of request, (ii) date and nature of the business’s response, and (iii) the basis for denial (as applicable). The Regulations also clarify that a business is not required to maintain personal information just to fulfill consumer requests and that information maintained for compliance with the record-keeping requirements will not violate the CCPA or its regulations if only used for such record-keeping purposes. This means businesses should still only retain personal information as long as necessary to fulfill the intended, permissible purpose (data minimization) but can retain certain personal information as necessary to demonstrate its response to consumer requests.

TRANSPARENCY AND METRICS FOR BIG DATA BROKERS

In addition to the record-keeping requirements, the Regulations also impose requirements that apply only to businesses that (on an annual basis) buy, receive, sell, or share the personal information of 4 million or more California consumers for commercial purposes. Such businesses must compile metrics related to data processing for the previous calendar year and post them in the business’s privacy policy or on another website page that is linked from the privacy policy. The metrics must include:

  • The number of requests related to the right to know, right to delete, and right to opt-out (separate numbers per category) the business received, complied with (in whole or in part) or denied in the last 12 months
  • The median number of days it took the business to resolve the requests (not just respond to acknowledge receipt) over the last 12 months

Businesses subject to these requirements must also document a training policy to ensure employees responsible for handling such requests or the business’s compliance with the CCPA are appropriately aware of and trained on the CCPA and the Regulations.

SPECIAL RULES FOR MINORS

Under the CCPA, minors under age 13 must have a parent or legal guardian opt-in or consent to the sale of the minor’s personal information. Minors between 13 and 15 years of age are required to opt-in themselves in order for their personal information to be lawfully sold. For the under 13 age group, the Regulations require businesses with actual knowledge that they collect or maintain information from children under 13, and that intend to sell that data to a third party, to establish, document, and use a reasonable method to determine if the consenting individual is indeed the child’s parent/legal guardian. The Regulations propose several methods that “are reasonably calculated to ensure” verification of the parent/legal guardian consent, but offer no safe harbor or enforcement exemption if an enumerated method fails to ensure verification. The methods have a lot in common with methods used to verify parent/legal guardian consent under the Children’s Online Privacy Protection Act (“COPPA”). However, the Regulations state that the consent required for CCPA purposes should be considered in addition to consent required under the COPPA. This could perhaps result in using the same method to obtain consent under both statutes, subject to making sure that the parent/legal guardian affirmatively gives a tailored consent for both COPPA and CCPA purposes rather than giving a generic or blanket consent. For the 13 to 15 age group, the Regulations only require businesses intending to sell children’s data to establish a reasonable process for such minors to opt-in to the sale of their personal information (using a two-step process where the minor opts-in and then confirms their choice to opt-in) and to provide details on how they may exercise the right to opt-out. The Regulations require businesses to describe how minors or their parents/legal guardians may opt-in to the sale of their personal information in the business’s privacy policy.