As businesses and privacy professionals were holding their breath awaiting the California Governor’s signature on pending amendments to the much anticipated California Consumer Privacy Act (“CCPA”), California’s Attorney General took the spotlight yesterday by releasing the similarly anticipated CCPA Regulations, Cal. Code Regs. tit. 11, § 999.300, et seq. (“Regulations”). Since the passage of the CCPA in June 2018, the regulations to accompany the CCPA have been touted as “guidance” on how to comply with the CCPA. Although only in draft form, some may argue that the newly released Regulations increase the CCPA compliance burden, while others may argue the Regulations merely provide much needed detail on how to comply with the CCPA.
On October 10, 2019, California’s Office of the Attorney General released a notice of proposed rulemaking action, text of the proposed regulations, initial statement of reasons, and economic impact statement. The deadline to provide comments is December 6, 2019.
The proposed regulations are divided into seven articles. The highlights of the substantive Articles are discussed below:
- Article 2. Notices to Consumers. Provides the details that must be included in updated notices to comply with the CCPA. The most notable items are:
- Requiring businesses to specify the commercial purpose for each category of personal information collected and to “obtain explicit consent” for any new purposes not previously disclosed.
- Requiring businesses that do not collect personal information directly from the consumer either to provide the consumer with direct notice that the business sells personal information, or to obtain a signed attestation from the source of the personal information confirming that proper notice was provided at the time of collection.
- Notices of financial incentives must include an estimate of the value of personal information and a description of the method used to calculate the value.
- Article 3. Business Practices for Handling Consumer Requests. Although an amendment awaiting the Governor’s signature would remove the requirement for a toll-free number, the Regulations were drafted based on the language of the pre-amendment version of the CCPA. The Regulations therefore reiterate the requirement of having at least two methods, including a toll-free number, for an individual to submit verified consumer requests. The most notable items are:
- With respect to requests for deletion, the Regulations require such requests go through a two-step process whereby the individual confirms the request for deletion. The Regulations clarify that the obligation to delete does not extend to archived or backup systems, unless those systems are later accessed.
- The Regulations require businesses to acknowledge verified consumer requests within 10 days of receipt. Businesses holding the personal information of more than 4,000,000 consumers must compile metrics on the verified consumer requests they receive and include those metrics in their privacy notice.
- With respect to requests for access, the Regulations prohibit the disclosure of a social security number, driver’s license number, government-issued identification number, financial account number, account passwords or security questions and answers, and health insurance or medical identification numbers.
- Article 4. Verification of Requests. When data subject requests were introduced by the European Union’s General Data Protection Regulation (“GDPR”), a question left open was exactly how businesses were to verify the individuals submitting requests. The Regulations fill in many of those gaps for the CCPA. Significantly, the Regulations:
- Suggest that businesses use a third-party service to verify the identity of requestors.
- Provide six factors to consider in creating a verification process and in determining what additional information to request for purposes of verification.
- Set various degrees of certainty a business must have in the identity of the requestor before fulfilling a request where the business does not interact with the consumer through a password-protected account.
- Article 5. Special Rules Regarding Minors. The CCPA requirements for minors have been clear. The Regulations reiterate the affirmative consent required for minors under 13 and make explicit that any affirmative authorization sought under the CCPA is in addition to the consent required under the federal Children’s Online Privacy Protection Act.
- Article 6. Non-Discrimination. The right to non-discrimination is one of the more novel rights introduced in CCPA, but receives the smallest amount of attention in the Regulations. The Regulations do provide guidance on how to calculate the value of consumer data and examples to illustrate where it may be appropriate to offer different prices to consumers based on receipt of their personal information.
From a compliance perspective, the Regulations provide needed guidance from the Attorney General, but also introduce unanticipated, additional requirements that increase the CCPA compliance burden, particularly given the CCPA’s January 1, 2020 effective date. For companies that are GDPR compliant, the Impact Assessment dispels any notion that GDPR compliance equals CCPA compliance: “the privacy regulations and statutes are different enough that an [GDPR] exemption would not ensure that all consumer rights under the CCPA are properly accommodated.” The Regulations highlight the need for businesses facing CCPA compliance, directly or indirectly, to take an individualized look at their privacy programs to ensure they have the capability and capacity to address what will be the ever evolving Regulations that accompany the CCPA.
While the Regulations (and certain amendments that are pending approval) have addressed some of the issues raised at the initial set of public forums that we covered earlier this year, the Regulations fail to address certain other considerations of interest to businesses operating in California. As an initial matter, the Regulations fail to address the threshold question of whether the $25 million gross revenue threshold counts in-state, U.S.-based, or all revenue, including international revenue. The Regulations also fail to provide further clarification about what precisely constitutes the “sale” of personal information under the CCPA. This question is of critical concern to businesses that do not sell personal data as a product, but do transfer personal data in connection with other sales or transactions (such as the transfer of a loan portfolio).
Public comments on the draft regulations are due on December 6, 2019. During the public comment period, the Attorney General will hold the following public hearings: December 2, 2019–Sacramento, December 3, 2019–Los Angeles, December 4, 2019–San Francisco, and December 5, 2019–Fresno. These sessions will likely be very similar in format to the six public forums that the California Attorney General’s Office held earlier this year.