On October 10, 2019, the California Attorney General, Xavier Becerra, announced that the State of California Department of Justice released draft regulations for the implementation of California's new data privacy law, the California Consumer Privacy Act (CCPA). The long-awaited proposed regulations are designed to provide detailed guidelines regarding several aspects of the CCPA, including notice requirements, responding to data subject requests, verifying data subject requests, special rules for minors, and explanation of the CCPA’s non-discrimination provisions. The ultimate regulations will have a significant impact on how businesses comply with CCPA.
The Attorney General will hold four public hearings in early December (in Los Angeles, San Francisco, Sacramento, and Fresno) to provide interested persons with an opportunity to present statements or comments, either orally or in writing, with respect to the proposed regulations. In addition, any interested party, or their authorized representative, may submit written comments regarding the proposed CCPA regulations at the public hearings or via email (or mail) by the close of the public comment period on December 6, 2019.
The CCPA, which the legislature extensively amended last month, and which amendments the Governor recently signed, will be the strictest privacy law in the nation and will impose significant new obligations on companies with respect to personal information of California residents. The law takes effect on January 1, 2020, with enforcement delayed until July 1, 2020 (or six months after issuance of the Attorney General’s official regulations, whichever is sooner).
The draft of the proposed regulations has been released against the backdrop of a new ballot initiative, “The California Privacy Rights and Enforcement Act of 2020” (CPREA), launched two weeks ago by the Californians for Consumer Privacy, the nonprofit group behind what became the CCPA. The CPREA is intended to significantly revamp and strengthen the CCPA. If passed, CPREA would require California to establish a new data protection agency responsible for enforcing privacy violations and issuing new regulations, thus limiting the role of the Attorney General in the enforcement of the CCPA and other privacy violations.
According to the Attorney General, the proposed regulations will benefit consumers, making it easier to exercise their CCPA-related rights, promoting greater transparency regarding how businesses collect, use, and share personal information, and instructing businesses how to comply with the CCPA.
According to an economic impact assessment prepared for the California Attorney General’s Office by an independent firm, the CCPA is projected to have a significant economic impact on businesses, affecting up to 400,000 California-based businesses alone, and resulting in compliance costs of more than $55 billion over the next decade. Although the regulations could change as a result of public comment, businesses should immediately review these regulations to assess how they will impact their compliance with CCPA, and consider whether to provide comments on provisions that could significantly impact their ability to comply or the cost of compliance.
The following summarizes the key requirements under the proposed regulations:
The CCPA requires covered businesses to provide notice to consumers of their privacy practices before collecting the consumer’s personal information. The proposed regulations describe the style, content, and format of the required notices to consumers, including notice of data collection practices, the right to opt-out of sale of personal information and financial incentives. The following are requirements applicable to all these notices:
- The proposed regulations provide that any notices should be in straightforward, plain language that avoids technical or legal jargon.
- The consumer’s attention should be drawn to the notice, including the use of formats accessible to those with disabilities, and covering all languages in which the business offers contracts in the ordinary course of business, among other requirements.
- The notice should be provided at or before the collection of personal information; the regulations provide examples of how the notice can be provided in both online and offline scenarios.
- The proposed regulations detail the notice requirements for the right to opt-out of sale of personal information, including placing “Do Not Sell My Personal Information” or “Do Not Sell My Info” links on the homepage.
Business Practices for Handling Consumer Requests
The proposed regulations describe the procedures businesses must follow in response to consumer requests under the CCPA:
- Businesses have 45 days to process and respond to a request (and 10 days to confirm receipt), with one additional extension of 45 days.
- Businesses must grant consumers two or more methods to submit requests and they must send a receipt of acknowledging the request, including a toll-free telephone number, and if the business operates a website, an interactive web form accessible through the business’s website or mobile application.
- Businesses must follow detailed guidelines on responding to right to know and deletion requests, such as providing to the specified information that should be provided to consumer and the methods that can be followed in complying with a deletion request.
- Businesses must implement reasonable security measures in responding to requests (e.g., when sending personal information).
- Businesses must explain the circumstances for denying a consumer’s requests, including when the business is unable to verify the consumer’s identity.
- Businesses must comply with the detailed guidelines regarding when businesses can ask consumers to opt back into the sale of personal information.
- Businesses must comply with the detailed guidelines on responding to requests for household information, including when information is to be provided on an aggregate rather than a detailed level.
- Businesses must comply with the specified requirements for employee training, including recordkeeping requirements.
Verification of Requests
The proposed regulations describe how businesses should verify the identity of account holders and non-account holders. A business is required to establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer who the business has collected information about, which methods should take account of the sensitivity of the information, and the risk of harm. Different verification methods may apply depending on whether a consumer has an account with the business.
For Account Holders:
- If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account.
For Non-Account Holders, a business must use different levels of verification depending on the information requested:
- For requests for “categories” of information collected: a “reasonable degree of certainty” is required (i.e., at least two data points of personal information).
- For requests for specific personal information: a “high degree of certainty” is required (i.e., at least three data points of personal information and signed declaration with penalty of perjury).
Special Rules Regarding Minors
The proposed regulations clarify the opt-in and opt-out rights of minors (according to age groups, under 13 vs. 13-16) and set out best practices for businesses to reasonably verify parental consent.
- For minors under the age of 13: businesses should verify that affirmative opt-in consent is actually made by a parent or guardian.
- For minors between ages 13 and 16, a business that has actual knowledge that it collects or maintains the personal information of such minors shall establish, document, and comply with a reasonable process for allowing such minors to opt-in to the sale of their personal information.
- When a business receives a request to opt-in to the sale of personal information from a minor between ages 13 and 16, the business shall inform the minor of the right to opt-out at a later date and of the process for doing so.
The proposed regulations provide guidelines regarding what constitutes a discriminatory practice by a business towards consumers who exercise their rights under the CCPA.
- A business cannot treat a consumer differently, e.g., via price or service difference, simply because that consumer exercised a right under the CCPA. However, a business may offer a financial incentive in the form of a different price or level of service if it is reasonably related to the value of the “consumer’s data.”1 For example, a music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business (the example is taken from the regulations themselves).
- The regulations also provide guidelines for calculating the value of a consumer’s data.