On Thursday, October 10, the California Attorney General’s office released the much-anticipated draft regulations for the California Consumer Privacy Act (CCPA). The draft regulations offer a roadmap for compliance with the landmark consumer privacy law set to go into effect January 1, 2020.
The draft regulations offer companies some clarity on the hastily drafted law passed in 2018. However, the draft regulations also signal that California is poised to take a tough enforcement stance.
During a press conference, Stacey Schesser, head of the California Attorney General’s privacy unit, stated that once the regulations are finalized, her office will “focus on an enforcement strategy so [the] law will have teeth.”
In response to industry hopes for a relaxation of the burdens on businesses, California Attorney General Xavier Becerra stated, “We want companies to understand that consumers now have rights and there’s no excuse—ignorance is not an excuse—for not complying with the law.”
The California AG’s office will receive public comments on the draft regulations through December 8, 2019. It will also hold four public hearings across the state to receive additional feedback from businesses and consumers before issuing finalized regulations. CCPA enforcement efforts will begin the later of July 1, 2020, or six months after the AG finalizes its regulations.
The 24 pages of proposed regulations address several areas of the CCPA that companies have been struggling to decipher, including treatment of user-enabled privacy controls, notice requirements, response to requests by consumers, recordkeeping requirements, and the non-discrimination policy.
User-enabled privacy controls as an opt-out
Significantly, the proposed regulations provide that businesses who collect personal information from consumers online must treat user-enabled privacy controls (such as browser plugins or privacy settings) that signal a decision by that consumer to opt out of the sale of their personal information as a valid opt-out request.
In other words, the regulations treat merely using a cookie-blocking browser plug-in the same as making an opt-out request pursuant to the CCPA.
Further, that opt-out request applies not only to the browser or device utilizing the user-enabled privacy controls, but also to the consumer more generally, to the extent the consumer’s identity is known.
It is unclear exactly how this portion of the proposed regulations will be applied in the context of other opt-out requests under the CCPA, and it is likely to be the subject of significant public comment.
The proposed regulations also clarify the manner and method of providing consumers with notice of the collection of their personal information and their right to opt out of the sale of their data. These notices must:
- Use plain, straightforward language and avoid technical or legal jargon
- Draw the customer’s attention to the notice
- Be available in the languages in which the company ordinarily conducts its business
- Be accessible to consumers with disabilities
- Be visible or accessible where consumers will see it before any personal information is collected
- Include a list of the categories of personal information to be collected and the commercial purpose(s) for such collection
- Provide instructions and a website or offline method for submitting their request to opt-out of the sale of their data
Interestingly, California plans to develop an opt-out button or logo that companies must use in addition to posting the required notices.
Response to consumer requests
The draft regulations require businesses to provide at least one method for consumers to submit requests in the manner in which the business primarily interacts with the consumer, even if it means a business must offer three methods for submitting requests.
For example, if a business operates a website but typically interacts with customers in person at a retail store, the business must offer:
- A toll-free telephone number
- An online form
- A form that consumers can submit in person at the retail location
Covered entities also must confirm receipt of any request to know or request to delete within 10 days of receipt and inform the consumer on how the business will process the request, including the business’s verification process and when the consumer should expect a response.
Companies must use reasonable security measures when transmitting personal information the consumer in response to a request, and only do so after undertaking “reasonable” methods for verifying “to a reasonable degree of certainty” that the person making the data request is the same person about whom the information has been collected.
In responding to a request to delete or a request to opt out of sales, a business may present the consumer with the choice to delete/opt out of sales of only select portions of their personal information only if the business also offers a global option covering all personal information that is more prominently presented than any other choice.
For requests to opt out of sales of personal information, businesses must act “as soon as feasibly possible,” but no later than 15 days after receiving the request. Businesses also have a duty to notify third parties to whom it has already sold the personal information and instruct them not to further sell the information. Companies must notify the consumer when they have completed this requirement.
The draft regulations require businesses to maintain records of consumer requests and how the business responded for at least 24 months. These records must include the date and nature of the request, manner in which the consumer made the request, date and nature of the business’s response, and the basis for the denial of the request, if applicable.
Businesses that annually buy, receive, sell, or share the personal information of 4 million or more consumers have additional recordkeeping and reporting requirements.
For every calendar year, these businesses must compile metrics on the number of requests to know, delete, and opt-out that are received, complied with, or denied; as well as the median number of days the business took to substantively respond to requests.
The CCPA prohibits treating a consumer differently because the consumer exercised a right conferred by CCPA. Article 6 of the draft regulations clarifies that a business may still offer a price or service difference if it is reasonably related to the value of the consumer’s data.