California Civil Code Section 1798.185, part of the California Consumer Privacy Act of 2018 (the “CCPA”), requires the California Attorney General to issue final regulations regarding a number of subjects covered by the CCPA no later than July 1, 2019. On October 11, 2019, the California Department of Justice issued its long-awaited draft regulations by issuing a Notice of Proposed Rulemaking Action. The proposed regulations would add new Sections 999.300 through 999.341 to Title 11 of Division 1 of Chapter 20 of the California Code of Regulations, and would clarify and, in some instances, significantly add to or alter, the requirements of the CCPA.
The Attorney General will hold four public hearings from December 2, 2019 through December 5, 2019, in Sacramento, Los Angeles, San Francisco and Fresno. At these hearings, any member of the public may submit comments on the draft regulations, either orally or in writing. In addition, any member of the public may submit written comments to the Attorney General until 5:00 p.m. on December 6, 2019.
Text of Proposed Regulations
The regulations that were proposed by the Attorney General track, in some ways, the topics about which the CCPA requires the Attorney General to issue regulations in California Civil Code Section 1798.185. In other ways, however, the regulations seek to impose obligations on businesses that are far different from those imposed by the CCPA. If the proposed regulations are ultimately adopted by the Attorney General without significant revision, they may be the subject of protracted litigation regarding their validity.
a. Regulations Relating to Notices Under the CCPA
Businesses had been hoping that the Attorney General’s regulations would provide details regarding how a business should make the various disclosures that are required to be made under the CCPA (for example, disclosures of the various rights that the CCPA provides to consumers). Unfortunately, the proposed regulations do not provide a large amount of detail regarding how businesses should word these disclosures. For example, the regulations do not contain sample (or “safe harbor”) language that businesses can use to be confident that they are in compliance with the CCPA’s disclosure requirements. Nor do the proposed regulations reference any objective metric for determining whether a business’s disclosures comply with the CCPA, including, for example, the Flesch Reading Ease Score or another quantitative metric for determining readability.
Instead, the proposed regulations provide only generalized guidance regarding disclosures, including that the disclosures of a consumer’s rights under the CCPA must use “plain, straightforward language” and avoid “technical or legal jargon.” The proposed regulations also require that the notices be made available in the language in which the business usually communicates with the consumer – a requirement not present in the statute itself that will likely increase the cost of compliance with the CCPA as businesses are forced to translate their CCPA disclosures into multiple languages.
b. Regulations Relating to the Collection and Maintenance of Personal Information
The proposed regulations also include a number of restrictions, not present in the CCPA and of questionable legality, relating to what businesses may do with personal information that they collect. For example, the proposed regulations prohibit a business from using a consumer’s personal information for any purpose not previously disclosed to the consumer without first obtaining the consumer’s opt-in consent to that use. This requirement goes far beyond the statutory language of the CCPA, and may not pass legal muster. In the meantime, such a regulation would severely limit businesses’ use of personal information that has been collected about consumers, and raises the question of how businesses may use personal information that was collected before the CCPA’s effective date (no disclosures were associated with the collection of that personal information at all).
c. Regulations Relating to the Right to Opt-Out
The proposed regulations contain detailed requirements relating to the right to opt-out. With respect to the language relating to the disclosure of the right of opt-out, as with the disclosures of the other rights, the proposed regulations do not provide much guidance regarding how businesses should word the disclosure, other than to require the disclosure to be in “plain, straightforward language” and avoid “technical or legal jargon.” Businesses that interact with consumers primarily offline must provide notice to those consumers by an offline method. The proposed regulations do clarify what many businesses have been wondering (or perhaps assuming) since the passage of the CCPA – businesses that do not, and will not, sell consumers’ personal information need not include the “Do Not Sell My Personal Information” button on their websites and privacy policies.
In a very significant and burdensome expansion of the statutory language that was passed by the Legislature, the proposed regulations require businesses to treat a user-enabled privacy control, including a browser plugin or privacy setting, as a valid verifiable consumer request. Operationalizing this requirement, if it is ultimately adopted by the Attorney General, will likely be an expensive technological and compliance challenge.
d. Regulations Related to the Submission of Verifiable Consumer Requests
The proposed regulations contain some detail regarding how consumers may submit verifiable consumer requests to businesses. The regulations make clear that a designated email address, a form submitted in person and a form submitted via the mail are all permitted methods for permitting consumers to make verifiable consumer requests (but the proposed regulations do not specify what information may be requested in these forms). The regulations, however, require businesses to “consider methods by which [they] interact with consumers” when determining which methods to make available. This, again, is a requirement that is not present in the CCPA, and it is not clear how (or whether) the Attorney General could enforce this requirement. With respect to verifiable consumer requests seeking deletion of the consumer’s personal information, the proposed regulations require the business to use a two-step process where the consumer first makes the deletion request, and then confirms the request. Again going beyond the language of the statute, the proposed regulations also require businesses to notify consumers who make invalid verifiable consumer requests, and to either treat the request as valid or provide the consumer with instructions for remedying the deficiency.
e. Regulations Relating to Extensions of the Time to Respond to Verifiable Consumer Requests
The proposed regulations do clarify an ambiguity in the CCPA – they make clear that a business is permitted to take one 45-day extension of the time that the business has to respond to a verifiable consumer request. However, because the statute expressly permits both a 45-day and a 90-day extension of the time to respond to a verifiable consumer request, there likely will be litigation over this portion of the proposed regulations, which contradicts the express language of the CCPA.
f. Regulations Relating to Disclosures of Actual Personal Information
The proposed regulations contain detailed requirements and restrictions of questionable legality relating to the disclosure of the actual pieces of personal information that businesses have collected about consumers. For example, the regulations specify that a business may not disclose personal information to a consumer if disclosure creates a “substantial, articulable and unreasonable risk to the security of the personal information,” the consumer’s account or the security of the business’s systems or networks.
The proposed regulations also specifically prohibit businesses from disclosing certain pieces of personal information about consumers in response to a verifiable consumer request, including a consumer’s social security number, driver’s license, financial account, health insurance or medical identification number, password or security questions and answers. While these restrictions are certainly designed to minimize the risk of sensitive information falling into the wrong hands, consumers technically have a right to the disclosure of that information under the CCPA, and may have a valid challenge to those portions of the regulations when businesses refuse to release those items of personal information.
g. Regulations Relating to Requests to Delete Personal Information
The proposed regulations contain some detail regarding responding to verifiable consumer requests to delete personal information that a business has collected from a consumer. Specifically, the proposed regulations require the business to either “permanently and completely eras[e]” the personal information, deidentify the personal information or aggregate the personal information in response to a CCPA deletion request. The proposed regulations also make clear that a business must delete personal information contained on archived or backup systems, but the business may delay that deletion until the next time that the archived or backup system is accessed or used by the business.
h. Regulations Related to Verifying Verifiable Consumer Requests
Perhaps the most long-awaited portion of the proposed regulations relates to the methods businesses must use to verify verifiable consumer requests under the CCPA. The proposed regulations specify that a business should, where possible, verify a request by “match[ing] the identifying information provided by the consumer to the personal information of the consumer already maintained by the business.” If a consumer maintains a password-protected account with a business, the proposed regulations permit the business to use that account to authenticate the verifiable consumer request. The proposed regulations require businesses to avoid requesting additional personal information in order to verify verifiable consumer requests unless necessary.
The proposed regulations also provide a number of factors that businesses must consider in verifying verifiable consumer requests, including, for example, the sensitivity or value of the personal information involved, the risk of harm from unauthorized disclosure or deletion, the likelihood that fraudulent actors would seek personal information and how robust the information provided by the consumer to verify their identity is. Finally, the proposed regulations contain a number of specific requirements for verifying different types of consumer requests (for example, a business must verify at least two data points provided by a consumer with respect to a request to know categories of personal information collected by the business).
The proposed regulations provide some, but not all, of the clarity that businesses were seeking in the Attorney General’s CCPA regulations. However, the proposed regulations also go significantly beyond the statute and impose obligations – some of which will be costly and time-consuming – on businesses that are not present in the CCPA. The California Attorney General is sure to receive detailed and voluminous comments on the proposed regulations during the comment period, and it is possible that the regulations may be significantly revised before implementation. If the proposed regulations are not revised to harmonize them with the language and requirements of the CCPA, it is possible that the validity of the proposed regulations may be the subject of litigation for the foreseeable future.