As we recently reported on this blog, the California Attorney General (AG) released long-awaited draft regulations to the California Consumer Privacy Act (CCPA). This is the second installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply. This post discusses business practices for receiving and verifying consumer requests to delete or opt-out, and for disclosure of specific information, referred to in the regulations as “requests to know.”

The regulations recognize and potentially resolve one of the biggest concerns facing companies that will receive requests for disclosure of consumer personal information: how can a business verify a consumer’s identity well enough to justify disclosing sensitive information such as personally identifiable information (PII)? To alleviate this concern, the AG regulations bar companies from ever disclosing a consumer’s Social Security number, driver’s license number or any other government-issued ID number, financial account number, health insurance or medical identification number, account password, or security questions and answers. The AG regulations also restrict businesses from disclosing specific pieces of personal information if the disclosure would create a “substantial, articulable, and unreasonable risk to the security” of the personal information, the consumer’s account with the business, or the business’s systems or networks.

The regulations also clarify that companies acting as service providers for non-profits (and other entities that are excluded from the law) will not be covered by the law. Specifically, the transfer of personal information from a non-profit to a service provider is not considered a sale, and the service provider in that situation will also be exempt from having to respond to consumer requests.

Methods for Submitting Requests to Know, Delete, or Opt-Out

Businesses must provide consumers at least two methods for submitting requests to know, delete, or opt-out. One method must be a toll-free phone number. Online businesses must also provide an interactive webform. In addition, all businesses must offer at least one method that corresponds with how they primarily interact with their consumers. For example, a business that primarily interacts with its consumers at a retail location must offer a method to submit requests in person at the retail location.

However, businesses must still respond to requests received outside the designated channels or that are otherwise deficient. The regulations require businesses that receive such requests to either treat them as properly submitted or provide the consumer with specific direction on how to properly submit the request or remedy the deficiencies.

Responding to Requests to Know, Delete, or Opt-Out

Receipt of a request to know or delete imposes two response obligations on a business: a confirmation response and a substantive response. The confirmation response is due within 10 days of receipt of the request and must describe both the business’s verification process and when the consumer should expect a response. The substantive response is due within 45 days of receipt of the request regardless of the time it takes to verify the request. A business may extend the response period another 45 days but it must provide notice and an explanation to the consumer for why the business needs the extension.

Requests to Know

A business’s response to a request to know depends on the type of request—for specific information or categories of information—and the ability to verify the identity of the requestor. (We will discuss the verification standards in more depth in our next post.) The regulations prohibit businesses from sharing specific pieces of information if they cannot verify the requestor’s identity, in which case the business must treat the request as one for categories of information—which has a lower standard of verification. If a business still cannot verify the identity of the requestor, the regulations allow the business to decide whether to share the categories of information. At a minimum, a business must direct the requestor to the section of its privacy policy regarding collection of personal information. If a business cannot verify either type of request, it must also inform the requestor that it cannot verify the requestor’s identity. Even if the business verifies the request, it may deny it, but the business is still obligated to inform the consumer of the basis for the denial, including citing to a statutory or regulatory exception.

Requests to Delete

For requests to delete, if the business is able to verify the request, deletion can occur one of three ways: (1) erasing the information from the existing system (except for back-ups); (2) de-identifying the information; or (3) aggregating the personal information. The business must tell the consumer how it deleted the information.

Even if the business denies the request to delete, the business is still obligated to inform the consumer of the basis for the denial, including citing to a statutory or regulatory exception. Any personal information not subject to the cited exception must be deleted. And information that is retained cannot be used for any other purpose than that provided by the exception.

If the business cannot verify the identity of the requestor, it may deny the request, but is still required to treat the request as one to opt-out of the sale of that personal information.

Requests to Opt-Out

The threshold for a valid request to opt-out is more lenient than the threshold for a valid request to know or delete. The request need not be a “verifiable consumer request.” In fact, businesses that collect personal information online must treat user-enabled privacy controls or privacy settings as a valid request to opt-out.

The regulations require businesses to act upon a request to opt-out “as soon as feasibly possible, but no later than 15 days” from receipt of the request. In addition, a business that receives a request to opt-out must notify all third parties to whom it sold the personal information of the request within 90 days of receipt of the request and instruct them not to further sell the information. After providing these notifications, the business must notify the consumer that it has done so. After a consumer opts out, the business must receive both a request to opt-in and a separate confirmation before selling the information again.

Training and Record Keeping

Businesses must maintain records of consumer requests and the business’s responses to those requests for at least 24 months. The records must include:

  • Date and nature of response; and
  • Basis for denial, if applicable.

The regulations also place additional reporting and disclosure obligations on businesses that annually transact or receive the personal information of more than 4 million consumers. The reporting obligation requires a qualifying business to annually report the number of requests for disclosure, deletion, or opt-out, whether the business complied with or denied each request, and the median number of days for substantively responding to each type of request. The regulations also require businesses to establish and publish a training policy that ensures the individuals tasked with handling consumers’ requests and the business’s CCPA compliance are informed of the CCPA’s regulations.