Keypoint: The long-awaited proposed AG regulations are here, and while they provide some much-needed clarity, they will leave businesses wanting more.
On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2, 3, 4 and 5, 2019, and that the written comment period will end on December 6, 2019, at 5:00 p.m.
In the following blog post, we will analyze and discuss many of these proposed regulations. In addition, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations.
The regulations are broken into the following seven articles:
- Article 1. General Provisions
- Article 2. Notices to Consumers
- Article 3. Business Practices for Handling Consumer Requests
- Article 4. Verification of Requests
- Article 5. Special Rules Regarding Minors
- Article 6. Non-Discrimination
- Article 7. Severability
In this blog post, we will examine Articles 1 through 4, which are generally applicable to all businesses subject to the CCPA. We will address Articles 5 and 6, in separate posts. Article 7 contains only a severability clause, which does not require further analysis.
As a general point, it is worth noting that the regulations comprise 24 pages of single-spaced text. In comparison, a printed version of SB 1121 (the pre-amended version of the CCPA), totals roughly 16 pages of single-spaced text. In other words, there is a lot to unpack in the regulations, and there is no doubt that we will dig further into the requirements over the next few weeks.
Review of Specific Articles
Article 1. General Provisions
Article 1 does two things: it provides the scope of the regulations and defines 21 terms, some of which appear in the CCPA and others which are used for the first time in the regulations.
Section 999.300(b) states that a violation of the regulations constitutes a violation of the CCPA and will be subject to the CCPA remedies. Considering the breadth of the requirements set forth in the regulations, businesses should take note of that provision.
The definitions section provides a number of useful definitions, including defining “affirmative authorization,” “authorized agent,” “categories of sources,” “categories of third parties,” “financial incentive,” and “third-party identity verification service.”
Of particular note, the regulations answer the long-standing question of what constitutes a “household.” The regulations define that term to mean “a person or group of people occupying a single dwelling.” Certainly not ground-breaking, but useful nonetheless.
Article 2. Notice to Consumers
As its name suggests, Article 2 provides guidance on the various notices to consumers that a business must provide. Before digging into the requirements, it is useful to note what the regulations do not do, namely, they do not provide a form privacy notice or form language for businesses to employ. This will come as a disappointment for businesses that were hoping the AG’s office would provide a format that could be readily employed to ensure compliance.
Although there are differences between the various provisions, each of the notices is required to:
- Be easy to read and understandable to an average consumer;
- Use plain, straightforward language and avoid technical or legal jargon;
- Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable;
- Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers; and
- Be accessible to consumers with disabilities.
Notice of Collection
The notice at collection must inform “consumers at or before the time of collection of a consumer’s personal information of the categories of personal information to be collected from them and the purposes for which the categories of personal information will be used.”
Notice of Right to Opt-Out of Sales
This notice must “inform consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop selling their personal information, and to refrain from doing so in the future.” Of course, the addition of the phrase “or may in the future sell” is sure to cause headaches for businesses.
The regulation also sets forth requirements for how businesses must provide the notice. For example, businesses are required to “post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’ link on the website homepage or the download or landing page of a mobile application.”
The regulation also sets forth requirements for businesses that substantially interact with consumers offline and do not have a website.
Notably, if a business collects personal information while not having a proper opt-out notice posted, it must treat every consumer as having submitted a valid opt-out request.
The AG’s office also published an opt-out button/logo although it is not available in the version of the regulations currently posted online.
Notice of Financial Incentive
This notice is intended to “explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate.” The notice will apply to customer loyalty programs.
This notice must provide a summary of the financial incentive or price or service difference offered, describe the material terms of the financial incentive or price or service difference, explain how the consumer can opt out, notify consumers of their right to withdraw, and explain why the financial incentive or price or service difference is permitted under the CCPA.
Notably, this provision does not address how the CCPA’s requirements should be read in light of California’s pre-existing online notice statutes, such as CalOPPA and the Shine the Light Law. Those statutes are still good law and businesses will need to consider those requirements as well.
It also does not address how the California privacy notice should interact, if at all, with GDPR-compliant online privacy notices or the notices required by Nevada and Delaware. Presumably, reasonable minds will differ on the right approach, which could lead to variation in policies between businesses. Given that the regulation states that notices must be “easy to read and understandable to an average consumer,” businesses will need to wrestle with how to incorporate all of these disclosure requirements (and presumably more as other states enact similar laws).
Article 3. Business Practices for Handling Consumer Requests
One of the primary areas in which businesses were waiting for guidance was the proper process for handling verified consumer requests. In this Article, the regulations provide guidance on that issue as well as other related issues.
Methods for Submitting Requests to Know and Requests to Delete
This part of the regulation clarifies the methods that businesses must provide for submitting verified requests. Those methods differ depending on whether the request is a request to know or request to delete. For online requests to delete, businesses are required to use a two-step process where the consumer must first submit a request to delete and then confirm that they want their information deleted.
Responding to Requests to Know and Requests to Delete
After receiving a request to know or delete, a business must respond within 10 days to confirm receipt and explain how the business will process the request, including the business’s verification process. Businesses must respond to these requests within 45 days, but can take up to an additional 45 days if they provide notice to the consumer.
In responding to requests to know, the regulations specifically prohibit businesses from disclosing “a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.” That is significant and must not be overlooked by businesses, because it is not provided for in the CCPA itself and covers the very data elements that trigger the CCPA’s statutory damages for data breaches. In practice, this means a request-to-know response must be filtered before it leaves the business: the consumer can be told that such a category of information is held, but the specific value must not be returned, even to a verified requestor.
A business also should not “provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”
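The following is an added example, not code from the original post or from any system the post describes, of how a business might filter a request-to-know export so that the prohibited elements are withheld while everything else is disclosed. The field names in the record (for example `ssn`, `card_number`, `password_hash`) and the sample record itself are constructed assumptions about how a consumer record might be keyed; the category labels are the ones the regulations list. The function walks nested sub-documents too, because a financial account number buried in a payment profile is just as prohibited as one at the top level, and it returns the list of withheld categories so the business can explain the partial denial to the consumer.

```python
"""Filter a request-to-know disclosure to withhold prohibited data elements."""

from typing import Any, Dict, List, Tuple

# Assumed record field names mapped onto the categories the proposed
# regulations say must not be disclosed in a response to a request to know:
# SSN, driver's license or other government ID number, financial account
# number, health insurance or medical ID number, account password, and
# security questions and answers. The keys are an assumption for this example.
WITHHELD_FIELDS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license number",
    "passport_number": "other government-issued identification number",
    "bank_account": "financial account number",
    "card_number": "financial account number",
    "health_plan_id": "health insurance or medical identification number",
    "password_hash": "account password",
    "security_questions": "security questions and answers",
}


def build_disclosure(record: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (disclosure, withheld_categories).

    Recursively copies the record, dropping any key in WITHHELD_FIELDS at any
    depth (dicts nested in dicts or lists). Other values are passed through
    unchanged. The second return value lists each withheld category once, in
    the order encountered, so it can be cited in the denial explanation.
    """
    withheld: List[str] = []

    def walk(node: Any) -> Any:
        if isinstance(node, dict):
            out: Dict[str, Any] = {}
            for key, value in node.items():
                if key in WITHHELD_FIELDS:
                    category = WITHHELD_FIELDS[key]
                    if category not in withheld:
                        withheld.append(category)
                    continue  # withhold the specific piece, keep the rest
                out[key] = walk(value)
            return out
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node

    return walk(record), withheld


# Constructed sample record (not real data) with prohibited fields at two levels.
SAMPLE_RECORD: Dict[str, Any] = {
    "email": "consumer@example.com",
    "ssn": "000-00-0000",
    "password_hash": "$2b$12$placeholder",
    "security_questions": [{"q": "First pet?", "a": "Rex"}],
    "payment_profiles": [
        {"label": "primary", "card_number": "4111111111111111", "expiry": "01/25"}
    ],
    "orders": [{"id": "A-1", "total": 42.0}],
}


if __name__ == "__main__":
    disclosure, withheld = build_disclosure(SAMPLE_RECORD)
    print("Disclosure:", disclosure)
    print("Withheld categories:", withheld)
```

A deny-list keyed on field names is only as good as the inventory behind it, so the list should be generated from the business's data map rather than maintained by hand, and the export should be reviewed for prohibited values that arrive under unexpected keys (free-text notes, support tickets).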
Further, a business is not required to respond to requests to know if it cannot verify the consumer’s identity pursuant to the requirements of Article 4.
A business that denies a consumer’s request pursuant to an exemption to the CCPA must inform the requestor and explain the basis for the denial.
This provision also further specifies the exact types of information that must be relayed to the consumer.
In responding to requests to delete, a business must completely and permanently erase the personal information on its existing systems, but it does not have to do so on archived or back-up systems. This provision will be welcome news for businesses that have struggled with the concept of having to modify back-up tapes, which, by their very nature, are supposed to remain unchanged. However, if the archived or back-up system is later accessed or used (for example, if a backup is restored into production), the request must be honored at that point, so businesses will need a way to track outstanding deletion requests against their backup inventory.
If a business denies a request to delete, it must inform the consumer, describe the basis for the denial, delete any personal information that is not subject to the exemption, and not use the retained information for any reason other than the exempted purpose.
Those familiar with the CCPA will know that it defines “service provider” in relation to “third party” and sets forth certain requirements (such as a written contract containing specific provisions) for entities to be considered service providers.
In turn, the regulations modify those requirements through two provisions.
First, the regulations provide that “[t]o the extent that a person or entity provides services to a person or organization that is not a business, and would otherwise meet the requirements of a “service provider” under Civil Code section 1798.140(v), that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.” (Emphasis added.) That provision appears to address the fact that the CCPA’s definition of service provider states that it is an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information.” (Emphasis added.)
Second, the regulations provide that “[t]o the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, and would otherwise meet all other requirements of a “service provider” under Civil Code section 1798.140(v), that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.” Again, this appears to address a potential loophole in the service provider definition, which only discusses “processing” information on behalf of a business and not “collecting” information on behalf of a business.
The regulations proceed to identify a few other requirements for service providers, including how they should handle requests to know or delete.
Requests to Opt-Out
As with requests to know and delete, the regulations provide further guidance on the handling of requests to opt-out. Again, the regulations identify the methods for receiving requests to opt-out.
Notably, in responding to a request to opt-out, “a business may present the consumer with the choice to opt-out of sales of certain categories of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices.”
A business must respond to an opt-out request no later than 15 days from the date the request is received. A business also must notify all third parties to whom it sold the consumer’s personal information in the 90-day period prior to receiving the consumer’s request. The business must tell those third parties that the consumer has exercised the right to opt-out and instruct them not to further sell the information.
A request to opt-out does not need to be a verifiable request but if a business reasonably believes that the request is fraudulent it can deny the request.
Requests to Opt-In After Opting Out of the Sale of Personal Information
These requests must follow a two-step process of a clear opt-in and a confirmation.
Training and Record-Keeping
The regulations reiterate the CCPA’s requirement that certain individuals must be provided training on the CCPA.
The regulations further provide that a business must keep a record of all consumer requests for the prior 24 months.
Article 4. Verification of Requests
Pursuant to this article, businesses are required to establish, document and comply with a reasonable method for verifying that the person making the request is who they claim to be. The regulations identify three requirements:
- Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.
- Avoid collecting the types of personal information identified in Civil Code section 1798.81.5(d), unless necessary for the purpose of verifying the consumer.
- Consider a number of factors such as the nature of the personal information collected and maintained, the risk of harm to the consumer, the likelihood of fraud, whether the personal information used to verify the identity is susceptible to being spoofed or fabricated, the manner in which the business interacts with the consumer and available technology for verification.
Businesses also are required to implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.
The regulations provide further guidance and requirements for identity verification with respect to specific types of requests and the nature of the consumer’s interaction with the business.
As noted, for an even deeper dive into these regulations, please attend our webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT.
While the above analysis provides an overview of the AG’s proposed regulations, there is no doubt that businesses will be pondering these provisions for many weeks to come. Businesses also will need to keep in mind that these are only proposed regulations and, therefore, are susceptible to change. Nonetheless, they provide much needed guidance on the CCPA’s requirements, although still leaving many questions unanswered.