While the California attorney general’s proposed regulations do not address all provisions of the California Consumer Privacy Act, they do include new procedures and deadlines and cover compliance issues that the statute itself does not address. For example, there are new obligations concerning service providers, training and recordkeeping, and standards for certain businesses maintaining the personal information of 4 million or more consumers for commercial purposes, like data brokers.
The California Office of the Attorney General on October 10 released the highly anticipated proposed regulations implementing the landmark California Consumer Privacy Act (CCPA), which takes effect January 1, 2020. The public comment period for the proposed regulations ends on Friday, December 6, 2019.
The proposed regulations set forth procedures and specific deadlines and address certain compliance issues for businesses covered under the CCPA, including some new obligations that were not in the statute. While the list below is not exhaustive, this summary highlights notable areas and topics in the proposed CCPA regulations, particularly focused on those areas where new obligations are imposed. Future LawFlashes will review other aspects of the proposed regulations.
Responding to Consumer Requests to Know, Delete, or Opt Out
The proposed regulations establish specific procedures for businesses to follow when handling consumer requests to know, requests to delete, and requests to opt out of the sale of the consumers’ personal information. As a general summary, the proposed regulations require that a business provide a consumer with two or more methods to exercise these rights. The proposed rules clarify that businesses are required to confirm receipt of consumer requests within 10 days and must respond to requests within 45 days of receipt. An additional 45 days may be taken if necessary as long as the consumer receives “notice and an explanation of the reason” for the extended time.
The CCPA allows a business to provide two or more designated methods for consumers to submit requests. Under the proposed regulations, requests that are submitted to the business by consumers through a nondesignated method must be treated by the business as correctly received or the business must provide to the consumers instructions on how to remedy the deficiencies to resubmit their requests. The proposed regulations also require businesses to treat user-enabled privacy controls, such as browser plugins or privacy settings, as a method by which a consumer may opt out of the sale of personal information. An opt-out by a consumer is no longer an “all or nothing” concept, as the proposed regulations state that a business may inform a consumer who has opted out when a transaction requires the sale of their personal information as a condition of completing the transaction.
Additionally, the proposed regulations incorporate the new concept of a consumer’s “authorized agent” who may exercise the consumer’s privacy rights on the consumer’s behalf. If a business transmits personal information to a consumer it must “use reasonable security measures.” Consult with counsel on additional requirements that may apply under the proposed regulations to your business practices.
On the right to opt out of the sale of personal information, the regulations also note that in the future an opt-out button or logo will be issued in a “modified version of the regulations and made available for public comment.”
The proposed regulations require a business to establish a reasonable method for verifying the identity of consumers making requests to a “reasonable degree of certainty.” For example, this may “include matching at least two data points provided by the consumer with data points maintained by the business, which the business has determined to be reliable for the purpose of verifying the consumer.” While this “reasonable degree of certainty” standard applies to requests to know, with respect to requests to delete, “a reasonably high degree of certainty” would apply based on “the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.” The “reasonable degree of certainty” standard would still apply to less sensitive information.
The proposed regulations permit businesses that maintain password-protected consumer accounts to use established authentication procedures. The proposed regulations require businesses that must verify non-accountholders to match a certain number of verification data points depending on the type of request. For a consumer to use an authorized agent to exercise privacy rights on their behalf, the proposed rules provide that a business may require a consumer to provide the authorized agent written permission to do so and to verify their own identity directly with the business, unless the consumer has provided a power of attorney.
If a business is unable to verify a request, it may deny the request, but must comply with the request to the greatest extent it can. For example, the business must treat a request to delete as a request to opt out.
Notice of Financial Incentive; Calculating the Value of Consumer Data
Under the right to nondiscrimination for the exercise of a consumer’s privacy rights, the proposed regulations specify additional information regarding nondiscrimination to be disclosed to consumers and define the terms “financial incentive” and “price or service difference.” Businesses that may offer financial incentives or a price or service difference must provide notice and an explanation to consumers of these potential offerings. The proposed regulations create an exemption for a price or service difference that is “reasonably related to the value of the consumer’s data.” The regulations provide broad guidance as to how to calculate the value of consumer data in connection with financial incentive offerings.
Businesses That Maintain Personal Information of 4 Million or More Consumers
The proposed regulations impose new obligations on service providers, which process personal information on behalf of a business. The proposed regulations state that a consumer may make certain requests directly to a service provider, and the service provider can either comply with the request or deny it and inform the consumer to submit the request directly to the business. Moreover, the proposed regulations state that a service provider shall not use personal information received from a consumer or a business it services for the purpose of providing services to another person or entity. However, there is an exception that allows the service provider to combine personal information to detect data security incidents or protect against fraudulent or illegal activity.
Training and Recordkeeping
The proposed regulations include new requirements on training and recordkeeping. They require that all individuals responsible for handling consumer inquiries about a business’s privacy practices or the business’s compliance with the CCPA receive training about the CCPA, including how to direct consumers to exercise their rights under the CCPA.
The proposed regulations also require businesses to maintain records of CCPA consumer requests for at least 24 months. These records may be maintained in a ticket or log format and must include the date of the request, the nature of the request, the manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of any request that is denied.
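The deadlines, tiered identity verification (two matched data points for a “reasonable degree of certainty,” a higher bar for deletion of sensitive data, and an unverifiable request to delete honoured as an opt-out) and the six required log fields described above lend themselves to a small policy model. The following Python is an added illustration written for this summary, not code from the attorney general’s office or from any business; the three-data-point threshold for the “reasonably high” tier is an assumption (the regulations give no number), the sample consumer data is constructed, and the treatment of opt-out requests as needing no data-point match is inferred from the rule that an unverified request to delete must still be treated as an opt-out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines and thresholds as this summary states them from the proposed regulations.
CONFIRM_WITHIN_DAYS = 10
RESPOND_WITHIN_DAYS = 45
EXTENSION_DAYS = 45
RETENTION_YEARS = 2                 # records kept "at least 24 months"
MIN_MATCH_REASONABLE = 2            # "at least two data points"
MIN_MATCH_REASONABLY_HIGH = 3       # ASSUMPTION: the regulations set no number for this tier


@dataclass
class ConsumerRequest:
    request_type: str               # "know", "delete" or "opt_out"
    received: date
    manner: str                     # how the request arrived, e.g. "web form"
    claimed: dict                   # data points the requester supplied
    sensitive: bool = False         # delete requests on sensitive data use the higher tier


@dataclass
class RequestRecord:
    """The six fields the proposed regulations require in the request log."""
    request_date: date
    nature: str
    manner: str
    response_date: Optional[date] = None
    response: Optional[str] = None
    denial_basis: Optional[str] = None


def required_matches(req: ConsumerRequest) -> int:
    """Requests to know use the 'reasonable' tier; deleting sensitive data uses the higher one."""
    if req.request_type == "delete" and req.sensitive:
        return MIN_MATCH_REASONABLY_HIGH
    return MIN_MATCH_REASONABLE


def count_matches(claimed: dict, on_file: dict) -> int:
    """Count supplied data points equal to what the business already holds for the consumer."""
    return sum(1 for key, value in claimed.items() if key in on_file and on_file[key] == value)


def deadlines(received: date, extended: bool = False) -> tuple:
    """Confirm receipt within 10 days; respond within 45, plus 45 more if notice is given."""
    confirm_by = received + timedelta(days=CONFIRM_WITHIN_DAYS)
    respond_by = received + timedelta(days=RESPOND_WITHIN_DAYS)
    if extended:
        respond_by += timedelta(days=EXTENSION_DAYS)
    return confirm_by, respond_by


def handle_request(req: ConsumerRequest, on_file: dict, today: date) -> RequestRecord:
    """Decide the outcome and return the log entry the business must retain."""
    record = RequestRecord(request_date=req.received, nature=req.request_type, manner=req.manner)
    verified = count_matches(req.claimed, on_file) >= required_matches(req)
    # Inferred: opt-out needs no data-point match, since an unverifiable request to
    # delete must still be honoured as an opt-out.
    if req.request_type == "opt_out" or verified:
        record.response = f"{req.request_type} fulfilled"
    elif req.request_type == "delete":
        record.response = "delete denied; treated as opt_out"
        record.denial_basis = "identity not verified to the required degree of certainty"
    else:
        record.response = "know denied"
        record.denial_basis = "identity not verified to the required degree of certainty"
    record.response_date = today
    return record


def retention_expired(record: RequestRecord, today: date) -> bool:
    """True once the record is at least 24 months old and may be purged."""
    start = record.request_date
    try:
        keep_until = start.replace(year=start.year + RETENTION_YEARS)
    except ValueError:              # request dated 29 February: roll to 1 March
        keep_until = start.replace(year=start.year + RETENTION_YEARS, day=28) + timedelta(days=1)
    return today >= keep_until


def demo() -> dict:
    """Run two constructed sample requests against constructed consumer data."""
    on_file = {"email": "jane@example.com", "zip": "94105", "phone": "555-0100", "last4": "4321"}
    know = ConsumerRequest("know", date(2020, 1, 2), "web form",
                           {"email": "jane@example.com", "zip": "94105"})
    delete = ConsumerRequest("delete", date(2020, 1, 2), "toll-free number",
                             {"email": "jane@example.com", "zip": "94105"}, sensitive=True)
    know_rec = handle_request(know, on_file, date(2020, 1, 20))
    delete_rec = handle_request(delete, on_file, date(2020, 1, 20))
    confirm_by, respond_by = deadlines(date(2020, 1, 2))
    return {
        "know": know_rec.response,
        "delete": delete_rec.response,
        "delete_basis": delete_rec.denial_basis,
        "confirm_by": confirm_by.isoformat(),
        "respond_by": respond_by.isoformat(),
        "respond_by_extended": deadlines(date(2020, 1, 2), extended=True)[1].isoformat(),
        "expired_2022_01_01": retention_expired(know_rec, date(2022, 1, 1)),
        "expired_2022_01_02": retention_expired(know_rec, date(2022, 1, 2)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry it encodes: the same two matched data points that satisfy a request to know are not enough to delete sensitive data, yet the failed deletion still produces an opt-out and a log entry whose denial basis is recorded, and the retention check is computed from the request date rather than the response date so that a slow response never shortens the 24-month window.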
What the Regulations Do Not Modify or Address
It is worth noting that the 24-page proposed regulations do not modify or address all of the provisions of the CCPA. For example, the regulations do not address a consumer’s private right of action with respect to security breaches, CCPA exceptions, or the attorney general’s enforcement standards.
The proposed regulations also do not address any of the amendments signed by Governor Gavin Newsom on October 11, 2019. Those amendments address the one-year exemption for employee data and business-to-business communications and methods to submit a verifiable consumer request.
No Safe Harbor for GDPR Compliance
The attorney general’s Initial Statement of Reasons, issued with the proposed regulations, states that the office “considered and rejected” the creation of a safe harbor exemption from the CCPA for businesses that are compliant with the EU General Data Protection Regulation (GDPR). The attorney general reasoned that the “CCPA and GDPR have different requirements, different definitions, and different scopes,” highlighting that (1) the CCPA does not prohibit the collection of personal information without express consent; (2) the GDPR does not have a right to opt out of a sale, which is a “core right” of the CCPA; and (3) the GDPR applies to both public and private sector entities, whereas the CCPA only applies to specific types of businesses. The attorney general, therefore, determined that a GDPR safe harbor would not further the purposes of the CCPA.
Before the draft regulations are finalized, interested parties may submit written comments about the proposed CCPA regulations by mail or email, or at four scheduled public hearings held on the following dates in California:
- December 2 in Sacramento
- December 3 in Los Angeles
- December 4 in San Francisco
- December 5 in Fresno
The deadline to submit written comments is December 6, 2019, at 5:00 pm PT. The attorney general has stated that the expected date of final regulations and enforcement is July 1, 2020.
On September 25, at an International Association of Privacy Professionals conference, businessman Alastair Mactaggart, the primary sponsor of the California ballot initiative that was the impetus for the CCPA, announced the filing of the California Privacy Rights and Enforcement Act, a new proposed ballot initiative that is intended to further strengthen the CCPA’s privacy protections. Mr. Mactaggart hopes the initiative will garner enough votes to appear on the California ballot in the November 2020 election.
With the CCPA’s January 1, 2020, effective date in sight, there are a number of steps businesses can consider taking if they have not already done so:
- Assess what “personal information” is collected based on the broad definition under the CCPA.
- Review and update privacy policies.
- Revise website home pages.
- Prepare consumer notifications.
- Consider how to verify consumer requests.
- Consider safeguarding personal information including by encryption and redaction.
- Review and assess “reasonable security procedures” in place to protect personal information.
- Comply with training requirements.
- Review recordkeeping policies and requirements.
- If a business collects personal information of minors, special rules apply.
- Review nondiscrimination issues to provide consumers with the right to equal service and price.
- Review and update incident response plans.
- Prepare employee notifications, if applicable.
Our privacy and cybersecurity team will be issuing a series of LawFlashes with more detailed analysis on the following topics addressed in the proposed regulations:
- Receiving consumer requests
- Verifying consumer requests
- Responding to requests to know
- Responding to requests to delete
- Responding to requests to opt out
- Loyalty programs and value of consumer information
- CCPA obligations regarding minors
- CCPA and the consumer products industry
- CCPA and the retail industry
- CCPA and the healthcare industry
- CCPA obligations for employers
- CCPA obligations for service providers