The California Consumer Privacy Act (CCPA), enacted in 2018, is closer to completion and businesses should be preparing for its stringent new data privacy and security requirements, which come into force on January 1, 2020. In just one weekend in October, California Governor Gavin Newsom signed the CCPA’s final amendments of the year and California Attorney General Xavier Becerra published the law’s draft regulations. As we previously discussed, the recent amendments, among other things, clarify the definition of “personal information,” exempt certain types of employee and business-to-business data from aspects of the law, and create new obligations for data brokers.
The Attorney General is accepting comments on the regulations’ nature, scope and applicability until December 6, 2019, and he must finalize them by July 1, 2020. An independent research firm estimates that to comply with the CCPA, medium-sized businesses (100-500 employees) will incur initial costs of $450,000 and larger businesses (more than 500 employees) will incur, on average, $2 million in initial costs. To minimize expenses, a business should leverage its existing data privacy and information security program into its CCPA compliance effort, while simultaneously preparing for similar laws that may be enacted domestically in 2020.
Despite their ambiguities and shortcomings, the draft regulations will assist businesses in understanding their obligations and responsibilities under the law. Of greatest note, the regulations clarify five keys areas of CCPA compliance: issuing privacy notices, complying with “do not sell” requirements, verifying data subject requests, implementing recordkeeping and public disclosure measures, and executing financial incentive programs.
The CCPA and its draft regulations identify all the situations in which covered businesses must provide consumers with notice of their data processing activities and the scope and content of website privacy policies. The regulations identify five “general principles” that apply to all notices required under the law. They must:
- be presented in a format that is easy to read and understandable by the average consumer;
- use plain, straightforward language (i.e., avoid technical or legal jargon);
- be formatted to draw attention to them;
- be available in all languages in which the business provides its contracts, disclaimers, sales announcements and other information to consumers; and
- be accessible to consumers with disabilities.
The regulations also clarify that a business is not required to provide “point-of-collection” notice of its data processing activities to individuals on whom it collects personal information from third parties (and not the individuals themselves). However, the business is restricted from selling such information, unless it contacts the individual directly and provides notice of its data processing activities or confirms that the source of information provided the individual appropriate notice at the point of collection and receives an attestation to the same.
On the other hand, the draft regulations create some incongruities by failing to account for the CCPA’s exemption related to personal information on employees, job candidates and contractors. For example, to satisfy the point-of-collection notice requirements, the regulations require businesses to provide notice of the categories of personal information collected, the business or commercial purpose for which such information will be used, and access to “do not sell” (if applicable) and website privacy links. In the context of privacy notices for employees, job candidates and contractors, however, the latter two requirements (“do not sell” and website privacy links) seem inappropriate and the draft regulations should be updated to reflect these recent exemptions set forth in the CCPA.
Selling Personal Data
The regulations also provide requirements for businesses that collect or maintain the personal information of children under the age of 13, which are in addition to (and not in lieu of) those set forth in the federal Children’s Online Privacy Protection Act. The regulations require a business that collects information of children under the age of 13 to establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the child’s personal information is the child’s parent or guardian. The regulations provide examples of methods that are reasonably calculated to verify the identity of the parent/guardian providing consent:
- Providing a consent form to be signed by the parent or guardian under penalty of perjury.
- In connection with a monetary transaction, requiring a parent or guardian to use an online payment system that notifies the account holder of the transaction.
- Having the parent or guardian call a toll-free number or engage in a videoconference with trained personnel.
- Checking a form of government identification against a database, provided the business deletes the information after the verification is complete.
Verifying Data Right Requests
The CCPA mandates that the Attorney General issue regulations establishing rules and procedures related to the intake and processing of and response to data subject requests. For rights related to access and erasure, the regulations require businesses to implement two, and in some instances three, mechanisms to allow individuals to submit data requests, including (at a minimum) a toll-free number, interactive web forms, a designated email address and request forms that can be submitted in person or by mail. For individuals seeking to opt out of the sale of their personal information, a business must offer two such methods, which may include (at a minimum) interactive web forms, a toll-free number, mail-in forms and the implementation of user-enabled online privacy controls.
The regulations require businesses to “verify” requests for data access and erasure. By contrast, a request to opt out of the sale of personal information “need not be a verifiable consumer request,” and businesses can deny such requests if they reasonably believe they are fraudulent. For access and erasure requests, the regulations set forth different verification procedures based on whether the individual exercising the right maintains a password-protected account with the business. If the individual does not maintain such an account, the business must implement certain measures and undertake a fact-based analysis to verify the individual’s identity to a “reasonable degree of certainty” if he or she is seeking access to certain categories of personal information and to a “reasonably high degree of certainty” if he or she is seeking access to specific pieces of personal information the business collected. If an individual is requesting the erasure of personal information, the business must verify the identity to a reasonable degree or reasonably high degree of certainty, depending on the sensitivity of the personal information and the risk of harm posed to an individual by an unauthorized disclosure.
Notwithstanding the complexities related to the verification of an individual’s identify, the regulations provide specific guidance that businesses will appreciate. For example, the draft regulations provide that a business shall not – at any time – disclose the following personal information in response to a request to access one’s data:
- Social Security number, driver’s license number or other government-issued identification;
- financial account number;
- health or medical identification number; or
- account password, or security questions or answers.
In addition, the regulations provide that a business does not have to provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable and unreasonable risk to the security of the personal information. Moreover, in responding to requests for erasure, the regulations specifically exempt archives and back-up systems, which has raised concerns in other data protection laws where such guidance has been omitted.
Recordkeeping and Public Disclosures
One of the regulations’ more onerous provisions governs a business’s recordkeeping and disclosure requirements. A business is required to maintain records of data rights requests and responses thereto for at least two years. The record must contain the date and nature of the data request, the manner in which the request was made, the date and nature of the response, and the basis for the denial, if applicable. The regulations are clear, however, that data maintained for recordkeeping purposes may not be used for any other purpose.
Next, a business that alone or in combination with others buys, sells or shares for commercial purposes the personal information of at least 4 million consumers annually must compile the following metrics for the previous calendar year:
- the number of data requests received that relate to access, erasure and opting out of the sale of personal information;
- how the business responded to the requests; and
- the median number of days within which the business substantively responded to such requests.
Businesses are required to post this information in their website privacy policies.
Financial Incentive Programs
A business that provides a financial incentive program (such as a loyalty rewards program) based on the retention or sale of personal information must provide notice to each consumer of the program’s material terms, including the difference in price or service based on participation in the program, how consumers can opt in to the financial incentive program, and their rights to opt out at any time. The regulations mandate that the business provide an explanation of why the financial incentive or price/service difference is permitted under the CCPA, such as a good faith estimate of the value of the consumer’s data and a description of the method the business used to calculate the data’s value. The CCPA provides several factors for a business to consider when calculating the value of a consumer’s data, such as:
- The marginal or average value to the business for the sale, collection or deletion of a consumer’s data.
- Revenue or profit generated from separate tiers, categories or classes of typical consumers.
- Revenue generated from the sale, collection or retention of the personal information.
- Expenses related to the sale, collection or retention of a consumer’s personal information.
The draft regulations also provide that the value calculation may be based on “[a]ny other practical and reliable method of calculation used in good faith,” which will give businesses more flexibility in this area. However, it is important for a business to determine, as its first step in complying with the CCPA’s financial incentive rules, whether any rewards or loyalty program it offers is truly based on the “disclosure, deletion, or sale” of personal information. In contrast, if the program is based on the sale and distribution of goods and services wherein the collection and use of personal information (e.g., email and other contact information) is ancillary to the program’s purpose, then businesses may not be subject to these financial incentive restrictions and calculation requirements.
The CCPA’s draft regulations represent a significant step forward by California’s legislature in seeking to implement one of the nation’s most comprehensive data privacy laws. Although the regulations raise several ambiguities, businesses should make a good faith effort to implement as many aspects of the law as possible to avoid the risks presented by noncompliance.