The Bottom Line
- The California Attorney General is accepting comments on the CCPA draft regulations until December 6 and has scheduled four public hearings on the draft in California in early December.
- With the January 1, 2020 effective date quickly approaching, organizations must continue to implement their CCPA compliance procedures even though these draft regulations are not yet final.
The Attorney General of California has released draft regulations to implement the California Consumer Privacy Act (CCPA) just a few months before the law’s January 1, 2020 effective date.
Briefly, the CCPA was signed into law on June 28, 2018. It is the nation’s first comprehensive privacy law that applies to all industries and grants California residents new rights relating to the access to, deletion of and sharing of their “personal information” (broadly defined to include any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”) when collected by a for-profit business that either:
- has annual gross revenues in excess of $25 million;
- buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
For more information on the CCPA, see our previous alerts: IAB Provides Framework for CCPA and CCPA Update: Preparing for the CCPA — 10 Things You Can Tackle Now.
The Draft Regulations
The draft regulations are quite detailed and establish procedures to facilitate the new rights granted to consumers by the CCPA and provide businesses with guidance on compliance. In particular, the proposed regulations provide specific guidance regarding:
- Notices businesses must provide to consumers;
- Practices for handling consumer requests;
- Practices for verifying the identity of the consumers making those requests;
- Practices regarding the personal information of minors under 16 years of age; and
- Offering of financial and other incentives to consumers that do not exercise their CCPA rights.
Many believe that the regulations impose new requirements and go further in some respects than the original text of the CCPA. (They also appear to have been crafted before, and do not fully reflect, all of the recently enacted amendments. To read more about the recent amendments, see our alert, California Legislature Passes Five Bills Amending the CCPA.)
Notices to Consumers
The draft regulations address numerous notices to consumers required under the CCPA, which may vary depending upon the specific activities engaged in by an organization. All of the notices must be designed and presented so that they are easy to read — including on small screens — and understandable to an average consumer. They also must be accessible to consumers with disabilities and in the languages in which the business provides consumer contracts and other information to consumers. The regulations identify the information that must be included in each notice, restrict the collection of personal information when notice is not given, and describe situations in which certain notices need not be given. The regulations also specify how notice should be given when a business collects personal information, or substantially interacts with customers, offline.
Notice at Collection
The draft regulations provide that the notice that must be provided at or before collection of personal information must:
- Be visible or accessible where consumers will see it before any personal information is collected;
- List the categories of personal information about consumers that will be collected; and
- List the business or commercial purpose or purposes for which each category of personal information will be used.
Notice of Right to Opt-Out
The notice of the right to opt-out of the sale of personal information must:
- Be posted on the internet webpage to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage (which, for CCPA purposes, includes any webpage where personal information is collected) or the download or landing page of a mobile application; and
Notice of Financial Incentive
A notice of “financial incentive” may be necessary to explain to consumers each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate in the incentive. Such notice must provide:
- A “succinct summary” of the financial incentive or price or service difference offered;
- An explanation of how consumers can opt-in, a notification of their right to withdraw at any time and how that right may be exercised; and
- An explanation of why the financial incentive or price or service difference is permitted under CCPA, including the estimated value of a consumer’s data and the method by which the amount was calculated.
- Information regarding consumers’ right to know about personal information that is collected, disclosed, or sold (also known as a “request to know”);
- Their right to request the deletion of their personal information (also known as a “request to delete”);
- Their right to opt-out of the sale of their personal information;
- Their right to non-discrimination for the exercise of their privacy rights; and
- A contact at the business for questions or concerns about its privacy policies and practices.
Handling Consumer Requests
The draft regulations also explain how businesses must handle consumer requests under the CCPA. This section of the draft regulations covers:
- The methods for consumers to submit requests to know, requests to delete and requests to opt-out; and
- How businesses should respond to those requests, including mandatory deadlines for confirming receipt of the request and completing the request, and notifying third parties to whom a business has previously sold the personal information.
They also set forth circumstances when a business may deny a request, such as when a business cannot verify the identity of the requestor, and when a business can request that a consumer opt back into the sale of personal information.
The regulations specify a 24-month minimum retention period for consumer requests and the business’s responses to such requests, explain how such records must be maintained and impose enhanced recordkeeping requirements on businesses that annually buy, receive, sell or share the personal information of four million or more consumers. Those responsible for an organization’s CCPA compliance should be properly trained.
Verification of Requests
The draft regulations establish rules and procedures for businesses to verify the identity of consumers making requests to know and requests to delete. Under the draft regulations, businesses must establish, document and comply with a reasonable method of verification that takes into consideration the sensitivity of the personal information at issue and the risk of harm to the consumer posed by any unauthorized access or deletion. The draft regulations contain specific requirements that apply to consumers who have a password-protected account with the business and those that apply to non-accountholders.
As discussed in the draft regulations, businesses must implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information. With respect to non-accountholders:
- Requests for disclosure of categories of personal information must be verified to a reasonable degree of certainty, which the draft regulations state may be demonstrated by matching at least two data points provided by the consumer to information maintained by the business; and
- Requests for specific pieces of personal information must be verified to a reasonably high degree of certainty, a higher bar that requires matching at least three pieces of personal information provided by the consumer with information maintained by the business and a signed declaration under penalty of perjury.
Minors Under 16 Years of Age
The draft regulations establish rules and procedures for businesses to obtain affirmative authorization for the sale of the personal information of minors under 16 years of age, as well as the methods to verify that the person affirmatively authorizing the sale of the personal information of a child under 13 years of age is the parent or guardian of that child. Notably, the affirmative authorization is in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act (COPPA), which applies to the collection of personal information, and not just the sale of such information.
Additionally, the regulations establish rules and guidelines regarding discriminatory practices and financial incentive offerings. They explain what kinds of business practices constitute discrimination under the CCPA. They also provide guidance regarding how to calculate the value of a consumer’s data in designing financial and other incentives such that they do not run afoul of the prohibition against discriminatory practices.