On October 10, 2019, the California Attorney General, Xavier Becerra, published proposed regulations (the “Regulations”) designed to clarify the California Consumer Privacy Act (the “CCPA”). At a press conference announcing the Regulations, Becerra stated: “Data is today’s gold. Everyone is rushing to mine data, and California, as you know, is not unfamiliar with gold rushes.” The Regulations are intended to contextualize and potentially strengthen the CCPA. This article provides a brief overview and details on select provisions of the Regulations.
General Structure of the Regulations
Limiting Household Requests
The Regulations attempt to clarify the effect of an access or deletion request on data pertaining to a household, as opposed to an individual consumer. Under the Regulations, if consumers of a particular household jointly request access to information and the business is able to properly verify each member of the household individually, the business must comply with the joint request to the same extent it must comply with an individual consumer request. However, if the request is made by only one member of the household and the consumer does not have a password-protected account, a business may respond to a request to know or request to delete as it pertains to household personal information by providing aggregate household information.
Calculating the Value of Consumer Data
Under the CCPA, a business can offer a different price or quality of goods or services to a consumer if that difference is “directly related to the value provided to the business by the consumer’s data.” The Regulations mandate that a business must use “one or more of the following” methods to calculate the value of the consumer’s data:
- The marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
- The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
- Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value;
- Revenue generated by the business from the sale, collection, or retention of consumers’ personal information;
- Expenses related to the sale, collection, or retention of consumers’ personal information;
- Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;
- Profit generated by the business from the sale, collection, or retention of consumers’ personal information; or
- Any other practical and reliable method of calculation used in good faith.
Advantages of Password-Protected Accounts
Under the Regulations, if a business maintains a password-protected account with the consumer, the business can comply with a “request to know” by way of a self-service portal. Additionally, where a password-protected account exists, a business can verify the consumer’s identity through the business’s existing authentication practices for that account. In the absence of a password-protected account, a business is required to verify requests by matching the information the consumer provides against information the business already holds, to “a reasonable degree of certainty.” For example, according to the Regulations, if a business maintains the consumer’s name and credit card number, the business may require the consumer to provide the card’s security code and identify a recent purchase in order to verify a request.
Accessibility of Notices
The Regulations seek to ensure accessibility for individuals with disabilities. Under the Regulations, notices must be made accessible or, at a minimum, must provide information on how a consumer with a disability may access the notice in an alternative format. These accessibility requirements are notable because they are hard-and-fast requirements rather than mere guidance of the kind found in the Web Content Accessibility Guidelines (the “WCAG”). Under the WCAG, web content developers are encouraged to provide content that is “perceivable, operable, understandable, and robust,” but under the Regulations an accessible version, or information on an accessible “alternative format,” must be made available.
In the process of contextualizing the CCPA, the Regulations have also introduced new uncertainty into the flurry of legislation around the data rush. For example, the threshold at which verification becomes sufficient to satisfy the “reasonable degree of certainty” standard remains unclear. And, although the Regulations provide a few illustrative scenarios for matters like non-discriminatory practices, the examples are necessarily incomplete. Entities whose activities fall outside the explicit examples are left to guess whether their particular scenario is non-discriminatory. Also, while the Regulations seek to guarantee access for consumers with disabilities, the question of what constitutes an acceptable “alternative format” for those consumers remains open.
What this Means for You
The official comment period on the Regulations began on October 11 and will continue through December 6, 2019. Companies may not desire to provide comments for fear of being seen as “anti-privacy.” However, companies should consider joining industry organizations that are providing comments to give them a method to express their concerns without direct attribution.
Additionally, Attorney General Becerra has indicated that his office will update the Regulations to reflect the recently-passed CCPA amendments. The Regulations are expected to be finalized ahead of the July 1, 2020 regulation deadline. Although changes will be made to the Regulations before they are finalized, companies should begin folding guidance on items such as request mechanisms into their CCPA compliance program.