The proposed regulations attempt to provide clarity around some of the questions business have been struggling to answer.
Governor Gavin Newsom has signed the five bills amending the California Consumer Privacy Act (CCPA) and other related bills into law. Our previous Alert provides an overview of the effect of those amendments on the CCPA.
Additionally, the Office of the Attorney General has released the long-anticipated proposed CCPA regulations, which outline procedures intended to facilitate consumers’ new rights under the CCPA and provide compliance guidance to businesses regarding:
- Notices businesses must provide to consumers under the CCPA;
- Handling consumer requests made pursuant to the CCPA;
- Verifying the identity of the consumer making those requests;
- Personal information of minors; and
- Nondiscrimination and offering of financial incentives.
Comments regarding the proposed regulations are due December 6, 2019. The proposed regulations are detailed below.
- Be drafted to be easily read and understood by an average consumer using plain, straightforward language that draws the consumer’s attention.
- Be in the language(s) in which the company does business.
- Be accessible to consumers with disabilities.
- Be visible or accessible where consumers will see it before any personal information is collected.
The proposed regulations also go beyond the CCPA in some ways. For example, while a simple notice is sufficient for purposes of collecting personal information, if the business purpose for collecting that information changes after the information was collected, explicit consent is required to use the personal information for the new purpose.
Notice to Consumers
Businesses cannot collect or use information for any purpose other than what is described in its notice. As noted, explicit consent is required to use the personal information for any new purpose. If notice is not provided at or before collection, the business cannot collect personal information. A business that does not collect information directly from consumers cannot sell such information unless it either:
- Provides the consumer notice and an opportunity to opt out; or
- Confirms that such notice was provided by the source and obtains signed attestations describing the same.
Right to Opt Out of Sale
The notice of the right to opt out only applies if a business is “selling” personal information as defined in the CCPA. A business must post a clear and conspicuous “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on its website homepage or download or landing page of its mobile app. The notice must include:
- A description of opt-out right;
- A web form for opting out;
- Instructions for other methods of opting out;
- Proof required if using an agent to exercise right;
Notice of Financial Incentives
The proposed regulations would add an explicit notice requirement if a business is offering a financial incentive or price/service difference in exchange for the retention or sale of personal information. The notice must include:
- A succinct summary of the incentive offer;
- A description of material terms;
- How to opt in;
- Notice of the consumer’s right to opt out at any time; and
- Grounds for why incentive is permitted under the CCPA.
The regulations relating to privacy policies largely restate the requirements set forth in the CCPA. The policy must be posted online through a conspicuous link on the business’ website homepage or download or landing page of its mobile app. The policy must include a description of the:
- Right to know about personal information collected, disclosed or sold;
- Right to request deletion of personal information,
- Right to opt out of the sale of personal information (if applicable);
- Right to nondiscrimination for exercising of privacy rights;
- Right to the use of an authorized agent;
- Contact information for consumer’s requests for additional information; and
The policy must also include instructions for submitting a verifiable request and a description of the process used to verify such requests.
Handling Consumer Requests
The proposed regulations set forth rules and procedures regarding how businesses must process consumer requests, including the requests to know, requests to delete and the right to opt out of selling personal information. The regulations also address requests made by a consumer’s authorized agent and requests pertaining to household information.
The proposed regulations provide for different requirements depending on whether the consumer is submitting a request to know, request to delete or request to opt out of the sale of personal information. In general, at least one method must reflect the manner in which the business interacts with the consumer. For example, retail stores may need three methods―a toll-free number, a web form and an in-person form that can be submitted at the retail location.
- Requests to Know: Requires two or more methods, minimally a toll-free number and a web form if the business operates a website. Other methods may include email, an in-person form and a mail form. However, given the recent amendments to the CCPA, this requirement will need to be amended to exempt businesses operating exclusively online and which have a direct relationship with the consumer from whom it collects personal information from the toll-free telephone number requirement. Such online-only companies must provide an email address for submitting privacy requests instead.
- Requests to Delete: Requires two or more methods but no mandatory methods. Business can choose from a toll-free number, web form, email, in-person form and mail form. Online requests must use a two-step process: (1) a request to delete and (2) confirmation of the request.
Responding to Requests to Know or Delete
- Within 10 days: The business must confirm receipt, describe verification process, and expected response time.
- Within 45 days: The business must respond to requests. A 45-day extension is available if necessary and the business notifies consumer with an explanation.
- Businesses shall never disclose sensitive personal information covered under Civil Code section 1798.81(d).
- Response to Request to Delete: The business may comply by permanently and completely erasing, deidentifying or aggregating personal information. The manner chosen must be specified in the response. Deletion from backup systems can be delayed until the backup is next accessed or used.
The proposed regulations also set forth circumstances when a business may deny a request, such as when a business cannot verify the identity of the requestor, and requirements when denying a request.
Responding to Requests to Opt Out of Sale
Businesses must provide two or more methods to opt out, minimally a web form accessible via a clear and conspicuous “Do Not Sell My Personal Information” or “Do Not Sell My Info” link. Other methods may include a toll-free number, email, an in-person form, a mail form and user-enabled privacy controls. However, at least one method must reflect the manner in which the business interacts with the consumer.
- Within 15 days: The business must honor request to opt out of sale.
- Within 90 days: The business must notify all third parties to whom business has sold personal information, instruct them not to further sell the information, and notify consumer when this is completed.
- Requests to opt out do not need to be verified.
Requests to opt in after opting out of the sale of personal information require a two-step process: (1) a request to opt in and (2) confirmation of opt-in choice. Businesses may inform a consumer who has opted out when a transaction requires the sale of their information as a condition of completing the transaction with instructions on how to opt in.
Training and Record Keeping
The proposed regulations describe the training required for all individuals who are responsible for handling consumer inquiries about a business’ privacy practices and CCPA requirements. Moreover, under the proposed regulations, businesses must establish procedures for record keeping and are required to maintain records for at least 24 months of consumer requests made pursuant to the CCPA and how the business responded.
Verification of Requests
Businesses are required to establish a reasonable method to verify that the consumer making a request is the individual about whom the business has collected information. In verifying a request, the business must consider a variety of factors such as:
- The type, sensitivity and value of the personal information;
- The risk of harm to the consumer;
- The likelihood of fraudulent or malicious actors;
- Whether information used for verification is sufficiently robust to protect against fraud or spoofing;
- The manner in which the business interacts with consumer; and
- Available technology.
Additional considerations include:
- User name and password can be used for password-protected accounts if user is required to reauthenticate before disclosing or deleting information.
- Before any categories of personal information are disclosed, the business must require that the consumer provide at least two data points.
- Before any specific pieces of personal information are disclosed, the business must require that the consumer provide at least three data points and a signed declaration under penalty of perjury that requestor is the consumer whose personal information is the subject of the request. The declaration must be retained by the business.
Special Rules Regarding Minors
A business that has actual knowledge that it collects or maintains personal information of children under the age of 13 would be required to establish, document and comply with a reasonable method for confirming that a parent or guardian has opted in to the sale of such information on behalf of the child, including one of the following means:
- Obtaining a written consent signed under penalty of perjury and returned via mail, fax or electronic scan.
- Requiring a credit card, debit card or other online payment system that provides notification of each transaction, if the transaction is monetary.
- Having the parent or guardian connect with trained personnel via a toll-free number, video conference or in person.
- Verifying the parent or guardian’s identity by checking government identification and deleting the same from records promptly after verification is complete.
A business that has actual knowledge that it collects or maintains personal information of children over 13 but under the age of 16 shall establish, document and comply with a reasonable process for opting in to the sale of their information, which includes a two-step process: (1) request to opt in and (2) confirmation of opt in choice.
Notably, under the CCPA, a business that willfully disregards the consumer’s age shall be deemed to have had “actual knowledge” of the consumer’s age.
The proposed regulations provide that a financial incentive or a price or service difference is discriminatory and therefore prohibited if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations, unless the price or service difference is reasonably related to the value of the consumer’s data. Several methods for calculating this value are set forth in the proposed regulations including a broad, catchall “[a]ny other practical and reliable method of calculation used in good-faith.”