The California State Attorney General (AG) has released proposed regulations relating to the January 1, 2020 implementation of the sweeping California Consumer Privacy Act (CCPA), as we’ve reported. While the AG is soliciting public comment before finalizing the regulations, he’s made it clear that the gap between effectiveness and enforceability is not a safe harbor. Thus, companies doing business in California or with California customers should treat these regulations as an enforceable extension of the CCPA.
There are four key areas of particular interest in these proposed regulations related to notice requirements:
Notice at Collection
Importantly, the proposed regulations provide that a business may not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If that purpose changes, direct notification to the consumer of the new use and “explicit consent” would be required. If the type of information to be collected changes, a new notice of collection is required. The notice of collection must also include a “Do Not Sell My Personal Information” link if the business sells personal information. Offline notices must include a web address for the webpage.
Businesses that do not collect information directly from consumers do not need to provide notices of collection. However, businesses that obtain and sell personal information obtained from others must obtain consent from the data subject or a statement from the source that notice at collection was given, as well as a copy of the notice.
Notice of Opt-Out and Response Methods
The opt-out notice itself must provide specific information including: a description of the consumer’s right to opt-out; a webform to submit the request or an offline method; and a description of other ways a consumer can submit the request. Any consumer whose personal information is collected without a notice of opt-out being posted is deemed to have validly opted out.
The proposed regulations also clarified the timelines for responses, which were not included in the CCPA. Businesses must act upon the request as soon as feasible, and no later than 15 days from receipt of the request. The business must also notify third parties to whom the consumer information has been sold within the past 90 days of the consumer’s request to opt-out, and must instruct the third party not to sell further information. Once this is completed the business must notify the consumer. The proposed regulations also provide for the use of authorized agents under specified circumstances, and address how a business may deal with fraudulent opt-out requests.
Additional requirements are imposed by the proposed regulations on businesses that annually purchase or receive personal information for 4 million or more consumers. Such businesses must compile data on the requests to know, delete and opt out, including whether they were denied or complied with in whole or in part and the median time period for the business’s response.
Requests to Know and Delete
Under the CCPA, consumers can request to know what information a business has collected about the consumer and can make requests to businesses to delete their personal information. The proposed regulations clarify and make specific how businesses must handle such requests, including requests concerning “household” information. Businesses must provide two or more methods to consumers for making such requests, including at a minimum, a toll-free telephone number, and an interactive webform, if the company operates a website. A two-step process is mandated for requests to delete: a first submission of the request and a second separate confirmation. Where a request is not submitted in the proper manner, the business may treat the request as if submitted properly or provide the consumer with specific directions on how to remedy any deficiencies.
Again the proposed regulations provide time frames for responses. Businesses must confirm receipt of the request to know or delete within 10 days of receipt, including a description of the business verification process and when the consumer may expect a response. The proposed regulations clarify the conflicting CCPA provisions regarding responses, indicating that business will have 45 days to respond to the request to know or delete, starting from the date of receipt, unless the business provides a notice and explanation of reasons why it will take more than 45 days to respond, in which case the business may have up to 90 days to respond.
Businesses can respond to a request to delete by presenting a choice to the consumer to delete all or selected information. A business must respond to a request to delete by “permanently and completely” erasing personal information on existing systems. There is no obligation to delete from archived or back-up systems until the same are accessed or used. Businesses can also respond to a request to delete by de-identifying or aggregating personal information. Further requirements are proposed for recordkeeping as to consumer requests.
Verification & Security
The proposed regulations address concerns raised in the rulemaking process concerning identity theft including the requirements for verification of the requestor’s identity and data security. Alternative verification procedures are detailed depending upon whether the consumer maintains a password protected account. Businesses must establish reasonable measures to detect fraudulent activity and prevent unauthorized access.
In response to a request to know, businesses cannot disclose certain categories of highly sensitive personal information at all, and are prohibited from disclosing personal information if doing so creates an unreasonable risk to the security of the personal information. Where the identity of the requestor cannot be verified as required by the proposed regulations, the business can deny the request and must also provide information to the consumer regarding general business practices concerning collection of personal information. In addition, the business must inform the consumer of the denial, and explain the basis for the denial. If a request to delete cannot be verified, it must be treated as a request to opt-out of sale.
The proposed regulations may change prior to finalization on July 1, 2020. Businesses must prepare for implementation by the January 1, 2020 effective date, and will likely have to revisit certain issues once the regulations are finalized.