The California State Attorney General (AG) has released proposed regulations relating to the January 1, 2020 implementation of the sweeping California Consumer Privacy Act (CCPA), as we’ve reported. While the AG is soliciting public comment before finalizing the regulations, he’s made it clear that the gap between effectiveness and enforceability is not a safe harbor. Thus, companies doing business in California or with California customers should treat these regulations as an enforceable extension of the CCPA.

There are four key areas of particular interest in these proposed regulations related to notice requirements:

Notice at Collection

Before consumer personal information can be collected, the CCPA requires notice of collection. The proposed regulations clarify the purpose and provide guidance on the notice of collection. The notice of collection should be designed to advise consumers of the collection of a consumer’s personal information including the categories of personal information being collected and the purpose for which the information is being collected. The proposed regulations also address details regarding language and format, as well as accessibility to consumers with disabilities. If a business collects information online, it may provide a conspicuous link on the website’s homepage or on the mobile application’s download page, or on all webpages where personal information is collected. The notice of collection may be provided through a link to the section of the business’s privacy policy addressing notice of collection.

Importantly, the proposed regulations provide that a business may not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If that purpose changes, direct notification to the consumer of the new use and “explicit consent” would be required. If the type of information to be collected changes, a new notice of collection is required. The notice of collection must also include a “Do Not Sell My Personal Information” link if the business sells personal information. Offline notices must include a web address for the webpage.

Businesses that do not collect information directly from consumers do not need to provide notices of collection. However, businesses that obtain and sell personal information obtained from others must obtain consent from the data subject or a statement from the source that notice at collection was given, as well as a copy of the notice.

Notice of Opt-Out and Response Methods

Opt-out notices must be readied prior to the January 1, 2020 effective date, and the proposed regulations clarify what must be included in the notice of the right to opt out and where the notice must be posted. The proposed regulations harmonize the CCPA’s provisions regarding the right to opt-out, and clarify the relationship between the right to opt-out and the “Do Not Sell My Personal Information” link. Businesses that sell or may in the future sell personal information must provide consumers with a notice of the right to opt-out of the sale of personal information, allowing consumers to direct that a business stop selling the consumer’s personal information. Two or more methods for submitting opt-out requests are required, such as a designated email address, browser plug-in, toll-free telephone number or user-enabled privacy controls. An opt-out button may be used in addition to (but not in lieu of) the opt-out notice. The opt-out notice must be available after clicking on the “Do Not Sell My Personal Information” link, or there must be a link to the section of the privacy policy which contains the same opt-out notice. The proposed regulations also clarify the exceptions to the requirement that businesses provide consumers with an opt-out notice.

The opt-out notice itself must provide specific information including: a description of the consumer’s right to opt-out; a webform to submit the request or an offline method; and a description of other ways a consumer can submit the request. Any consumer whose personal information is collected without a notice of opt-out being posted is deemed to have validly opted out.

The proposed regulations also clarify the timelines for responses, which were not included in the CCPA. Businesses must act upon the request as soon as feasible, and no later than 15 days from receipt of the request. The business must also notify any third parties to whom the consumer’s information was sold in the 90 days before the consumer’s opt-out request, and must instruct those third parties not to sell the information further. Once this is completed, the business must notify the consumer. The proposed regulations also provide for the use of authorized agents under specified circumstances, and address how a business may deal with fraudulent opt-out requests.

Additional requirements are imposed by the proposed regulations on businesses that annually purchase or receive personal information for 4 million or more consumers. Such businesses must compile data on the requests to know, delete and opt out, including whether they were denied or complied with in whole or in part and the median time period for the business’s response.

Requests to Know and Delete

Under the CCPA, consumers can request to know what information a business has collected about the consumer and can make requests to businesses to delete their personal information. The proposed regulations clarify and make specific how businesses must handle such requests, including requests concerning “household” information. Businesses must provide two or more methods to consumers for making such requests, including, at a minimum, a toll-free telephone number and, if the company operates a website, an interactive webform. A two-step process is mandated for requests to delete: a first submission of the request and a second, separate confirmation. Where a request is not submitted in the proper manner, the business may treat the request as if submitted properly or provide the consumer with specific directions on how to remedy any deficiencies.

Again, the proposed regulations provide time frames for responses. Businesses must confirm receipt of a request to know or delete within 10 days of receipt, including a description of the business’s verification process and when the consumer may expect a response. The proposed regulations clarify the conflicting CCPA provisions regarding responses, indicating that businesses will have 45 days to respond to a request to know or delete, starting from the date of receipt, unless the business provides a notice and explanation of the reasons why it will take more than 45 days to respond, in which case the business may have up to 90 days to respond.

Businesses must respond to a consumer’s request to know by providing categories of personal information, categories of sources, and/or categories of third parties. The response must be individualized unless the response would be the same for all consumers and the information is disclosed in the business’s privacy policy. Businesses can respond to a request to know through a secure self-service portal that complies with the CCPA, including verification requirements and reasonable security controls.

Businesses can respond to a request to delete by presenting a choice to the consumer to delete all or selected information. A business must respond to a request to delete by “permanently and completely” erasing personal information on existing systems. There is no obligation to delete from archived or back-up systems until the same are accessed or used. Businesses can also respond to a request to delete by de-identifying or aggregating personal information. Further requirements are proposed for recordkeeping as to consumer requests.

Verification & Security

The proposed regulations address concerns raised in the rulemaking process concerning identity theft including the requirements for verification of the requestor’s identity and data security. Alternative verification procedures are detailed depending upon whether the consumer maintains a password protected account. Businesses must establish reasonable measures to detect fraudulent activity and prevent unauthorized access.

In response to a request to know, businesses cannot disclose certain categories of highly sensitive personal information at all, and are prohibited from disclosing personal information if doing so creates an unreasonable risk to the security of the personal information. Where the identity of the requestor cannot be verified as required by the proposed regulations, the business can deny the request and must also provide information to the consumer regarding general business practices concerning collection of personal information. In addition, the business must inform the consumer of the denial, and explain the basis for the denial. If a request to delete cannot be verified, it must be treated as a request to opt-out of sale.

Conclusion

The proposed regulations may change prior to finalization on July 1, 2020. Businesses must prepare for implementation by the January 1, 2020 effective date, and will likely have to revisit certain issues once the regulations are finalized.