Scenario:

A retailer sells its products both at a physical store in San Francisco and via its website. The retailer is in the process of updating its privacy and data retention policies. The retailer’s general counsel wants to make sure that preservation of data for litigation purposes is incorporated into these policies.

California Consumer Privacy Act of 2018 and Its Proposed Regulations

California Attorney General Xavier Becerra recently released proposed regulations for the California Consumer Privacy Act of 2018 (“CCPA”), which expand on and provide further details on the rights and obligations created by the CCPA. The CCPA requires the attorney general to adopt regulations to further the CCPA’s purposes and provide guidance to businesses on how to comply. In a recent press conference, Attorney General Becerra described the regulations as reflecting the most recent amendments and the feedback received from the public over the past year.

The proposed regulations address how businesses can comply with various aspects of the CCPA, including 1) notifying consumers of their rights under the CCPA, 2) handling consumer requests regarding personal information, 3) verifying consumer requests, 4) protecting personal information of minors under 16 years of age and 5) adhering to the specifics regarding the anti-discrimination provisions. A violation of these regulations will constitute a violation of the CCPA and may be subject to the remedies provided therein.

Included in the regulations are the following topics of note:

Expanded Disclosure Obligations. Importantly, the regulations generally increase disclosure obligations on covered businesses. For instance, businesses that substantially interact with consumers offline must notify them of their right to opt out of the sale of personal information by offline methods. Businesses must disclose to consumers a good-faith estimate of, and the method to calculate, “the value of the consumer’s data” in the event businesses wish to provide a financial incentive or price or service difference in exchange for the retention or sale of personal information. The regulations provide eight different methods businesses can use to estimate “the value of the consumer’s data,” including the revenue or profit to the business generated from the data’s sale.

Additional Privacy Policy Requirements. The regulations require that covered businesses address additional topics within their privacy policies, including 1) the categories of the personal information collected, the purposes for which that personal information is collected, as well as the sources from which that personal information is collected; 2) the rights afforded to consumers under the CCPA, including the rights to know, delete and opt out of the sale of their personal information, as well as the right to non-discrimination; 3) instructions on how to submit a verifiable consumer request; 4) the processes used to verify consumer requests; 5) whether personal information is disclosed or sold to third parties and, if so, the categories of those third parties; and 6) how to designate an authorized agent to make a request on the consumer’s behalf.

Format of Disclosures. Furthermore, the regulations generally require information communicated to the consumer pursuant to the CCPA to be readable, understandable and presented in a format that draws the consumer’s attention, including on smaller screens, if applicable. The information must also be accessible to consumers with disabilities and be available in the languages in which the business otherwise communicates with consumers.

Verification Procedures. The regulations also impose specific obligations on the process a business should use to respond to and verify consumers who submit a “request to know” or “request to delete” pursuant to the CCPA. The regulations make clear that the time the business has to respond to such a consumer request—45 days under the CCPA, with a right to extend—starts to run upon the business’s receipt of the request. Additionally, the business is required to confirm receipt to the consumer within 10 days and to provide information about how the business will process the request. If a consumer did not submit his or her request through the proper channels provided by the business, the business must either treat the request as if it had been properly submitted or provide the consumer with specific directions on how to re-submit the request. Furthermore, businesses that collect the personal information of 4,000,000 or more consumers must identify and record the number of requests (to know, delete and opt out) received, fulfilled and denied, as well as the median number of days the business took to respond. Finally, businesses must retain records of the consumer requests they receive, and of how they responded to those requests, for at least 24 months.

Summary

Even though the regulations are not yet final, companies are well advised to begin considering updates to their policies to ensure compliance with the CCPA. The consumer’s right to deletion seems particularly complicated for litigation matters, and companies will want to carefully consider how to weigh the tension between preservation for litigation purposes and a request for deletion. Also, given the new private right of action for breaches, companies can consider including indemnification provisions covering any data breach in their vendor agreements.