CCPA Update – California Attorney General Issues Proposed CCPA Regulations

October 17, 2019
Firm Publication

On October 10, California’s Attorney General released proposed regulations that provide much needed guidance on how businesses can plan for compliance with the California Consumer Privacy Act of 2018 (CCPA), which will arguably impose additional requirements on businesses beyond the corners of the CCPA. According to the Attorney General, “The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.” The CCPA, which goes into effect January 1, 2020, establishes the most stringent data privacy protections in the United States and gives individuals more control over how companies collect and manage individuals’ personal information.

Below we have provided a high-level summary of the proposed regulations as well as key impacts the proposed regulations will have on businesses’ CCPA compliance planning efforts.

Summary of the Proposed Regulations

Notices

The proposed regulations detail the form and content of required notices under the CCPA (both offline and online), including notices that are required to be made to consumers regarding the following:

  • The personal information that businesses collect and individuals’ rights to know certain things about businesses’ collection, use and sharing of such information.
  • Individuals’ right to opt-out of the sale of such personal information.
  • Financial incentives that a business may offer in exchange for the collection or sale of personal information.

For example, with respect to (2) above, the opt-out right, a business that sells personal information must notify consumers of their right to opt-out from such sales by posting “Do Not Sell My Personal Information” or “Do Not Sell My Info” on the business’s website or application homepage. This “Do Not Sell My Information” link or button must link to a description in the business’s privacy policy of consumers’ right to opt-out, as well as a webform by which the consumer may submit their opt-out request.

For businesses that do not operate a website but sell personal information, they must provide notice of an offline method that is appropriate in the context to make individuals aware of their opt-out rights.

Further, if a business sells consumer personal information and does not provide an opt-out notice, then the consumer is automatically considered to have submitted an opt-out request even if the consumer provides its personal information to the business. Businesses that do not sell personal information must state in their privacy policy that they do not sell personal information.

The proposed regulations also differentiate between a business’s fully fledged privacy policy and a “notice at collection,” which must disclose certain information at or before the time the business collects consumer personal information and which must link to the applicable privacy policy.

Notably, the proposed regulations require that notices of both personal information collection and consumers’ right to opt-out of personal information sales be accessible to consumers with disabilities.

Handling Consumer Requests

The regulations provide further clarity on the scope of “requests to know” and detail timing for response to consumer requests. Requests to know include requests for a business to identify:

  • Categories and “specific pieces of personal information”* in a business’s possession or control (identified both by category and the “specific pieces” that a business possesses or controls).
  • Data sources: The categories of sources from which the business has collected such information.
  • Personal information sold or disclosed: The categories of the individual’s personal information that the business has sold or disclosed for a business purpose.
  • Third parties to whom personal information sold or disclosed: The categories of third parties to whom the individual’s personal information was sold or disclosed for a business purpose.
  • Business or commercial purpose(s) for personal information collection and/or selling: The CCPA enumerates business purposes, and responses must track the same.

“Requests to delete” are requests by a consumer for a business to delete personal information about such individual that the business has collected, whether directly from the individual or another source.

Businesses must confirm receipt of consumer “requests to know” and “requests to delete” within 10 days of receipt and must respond to such requests within 45 days of receipt. In certain circumstances, businesses may take an additional 45 days to respond for a maximum total of 90 days from the date the request is received.

Verifying Consumer Identity

The CCPA requires that a business need only provide information in response to an individual’s “request to know” and “request to delete” personal information, if the request is “verifiable.” The Attorney General’s proposed regulations outline rules for verifying the identity of requesters and impose additional requirements on businesses for how to treat a request if they are unable to verify a requester’s identity.

Businesses must establish and document a “reasonable method” for verifying that the individual making the “request to know” or the “request to delete” is the individual about whom the personal information relates. When verifying a consumer’s identity, a business must make an effort to use the personal information already maintained by the business for purposes of verification and not solicit additional information unless necessary. If such additional information must be solicited, then it can only be used for identity verification or fraud prevention purposes, and the newly collected personal information must be deleted after processing the request. Businesses are directed to avoid collecting certain types of personal information unless necessary to verify the requester’s identity, including Social Security Number, driver’s license number, account number with any security or access code, etc., health insurance information, or username or email address together with a password or security question that would permit access to an online account.

If a business cannot verify the identity of a person making a “request to know” categories and/or specific pieces of personal information in the business’s records, then the business may not disclose such information and must inform the requester that it cannot verify their identity. Conversely, for other “requests to know,” including requests to know data source categories, an inability to verify a requester’s identity does not justify the decision to not disclose responsive information.

If a business cannot verify a consumer’s identity for a “request to delete,” then the request must be treated as an opt-out of sale request. Businesses may comply with a verified “request to delete” by permanently erasing the relevant personal information on its existing systems (with the exception of archives or back-up systems), de-identifying the personal information, or aggregating the personal information.

Opt-out requests do not need to be a verifiable consumer request and, therefore, identity verification is not required.

Businesses that collect or sell personal information relating to more than four million individuals, households or devices on an annual basis are subject to additional record-keeping requirements and disclosures.

Personal Information of Minors

The proposed regulations provide guidance on how individuals under 16 years old may opt-in to the sale of their personal information. Parents of individuals under 13 years old or, for individuals at least 13 and less than 16 years old, the individuals themselves, must clearly request to opt-in and then confirm the opt-in decision separately.

Impacts on CCPA Planning Efforts

Specific attention should be paid to the process requirements for consumer requests, including “requests to know,” “requests to delete,” and opt-out requests. For example, if a business denies a “request to know” specific pieces of information about the consumer, it is instructed to treat the request as a request to know categories of personal information on file instead. To illustrate, businesses are prohibited from disclosing a consumer’s Social Security Number, driver’s license number or other government-issued identification number, financial account numbers, health insurance or medical ID number, account password, or security questions and answers in response to a request to know, even if a business holds such information about the consumer. If faced with a “request to know” specific pieces of information a business holds, the business cannot disclose the actual data (e.g., the consumer’s actual Social Security Number), but can provide a listing of relevant categories (e.g., “Social Security Number”), assuming the business is able to verify the requester’s identity. Businesses must make sure that their internal plans and policies for responding to such requests account for these requirements.

In addition, businesses should ensure that they have the technical mechanisms in place to adequately identify and organize responsive consumer data when responding to requests to know, and to separate and delete consumer data when responding to requests for deletion, and that such requests are capable of being honored in accordance with the requisite time period provided in the proposed regulations. Further, businesses must be prepared to specify the manner in which they have deleted personal information in response to a particular request to delete (e.g., permanent deletion, de-identification or aggregation). Businesses must maintain records of consumer requests and how the business has responded for a minimum of 24 months, and such records will need to conform with the proposed regulations’ recordkeeping requirements.

Businesses also should check their privacy policies against the specific content requirements of the proposed regulations and confirm that all required notices are presented at the relevant locations, including for consumers’ right to opt-out of the sale of personal information. Additionally, businesses that do not collect personal information directly from consumers are not required to provide the initial notice to consumers but would need to, prior to selling such personal information, directly contact consumers to notify them of their right to opt-out or obtain specific assurances from the source of the personal information as to how initial notice and opt-out was provided to such consumers.

Public Comments

Written comments concerning the proposed regulations may be submitted by mail or email by 5:00 p.m. Pacific Time on December 6 to the Attorney General. Additionally, four public hearings will be held by the Attorney General in order to solicit comments and statements from individuals. The hearings will take place from 10:00 a.m. to 4:00 p.m. Pacific Time December 2-5 at various locations across California.

The proposed regulations provide a more detailed picture of what businesses are required to do in order to comply with the CCPA but could change from their current draft form depending upon comments received during the public comment period. For more information about the CCPA, please read our previous article regarding the recent additional amendments to the law and how to prepare for compliance. For further questions or information regarding your business’s compliance with the CCPA, please contact one of the authors.


* Interestingly, the phrase “specific pieces of personal information,” which appears in the CCPA but is not defined, was not defined in the proposed regulations either, despite urging by various industry members to clarify the meaning of the term.