Key point: The long-awaited proposed AG regulations are here, and while they provide some much-needed clarity, they will leave businesses wanting more.

On October 10, 2019, the California Attorney General’s office published its long-awaited proposed CCPA regulations. The AG’s office also announced that it will hold public hearings on the regulations on December 2, 3, 4 and 5, 2019, and that the written comment period will end on December 6, 2019, at 5:00 p.m.

In the following blog post, we will analyze and discuss many of these proposed regulations. In addition, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT, to analyze the proposed regulations.

ANALYSIS

Overview

The regulations are broken into the following seven articles:

  • Article 1. General Provisions
  • Article 2. Notices to Consumers
  • Article 3. Business Practices for Handling Consumer Requests
  • Article 4. Verification of Requests
  • Article 5. Special Rules Regarding Minors
  • Article 6. Non-Discrimination
  • Article 7. Severability

In this blog post, we will examine Articles 1 through 4, which are generally applicable to all businesses subject to the CCPA. We will address Articles 5 and 6 in separate posts. Article 7 contains only a severability clause, which does not require further analysis.

As a general point, it is worth noting that the regulations comprise 24 pages of single-spaced text. In comparison, a printed version of SB 1121 (the pre-amended version of the CCPA), totals roughly 16 pages of single-spaced text. In other words, there is a lot to unpack in the regulations, and there is no doubt that we will dig further into the requirements over the next few weeks.

Review of Specific Articles

Article 1. General Provisions

Article 1 does two things: it provides the scope of the regulations and defines 21 terms, some of which appear in the CCPA and others of which are used for the first time in the regulations.

Section 999.300(b) states that a violation of the regulations constitutes a violation of the CCPA and will be subject to the CCPA remedies. Considering the breadth of the requirements set forth in the regulations, businesses should take note of that provision.

The definitions section provides a number of useful definitions, including defining “affirmative authorization,” “authorized agent,” “categories of sources,” “categories of third parties,” “financial incentive,” and “third-party identity verification service.”

Of particular note, the regulations answer the long-held question of what constitutes a “household.” The regulations define that term to mean “a person or group of people occupying a single dwelling.” Certainly not ground-breaking but useful nonetheless.

Article 2. Notice to Consumers

As its name foretells, Article 2 provides guidance on the various notices to consumers that a business must provide. Before digging into the requirements, it is useful to note what the regulations do not do, namely, they do not provide a form privacy notice or form language for businesses to employ. This will come as a disappointment for businesses that were hoping the AG’s office would provide a format that could be readily employed to ensure compliance.

In general, Article 2 provides guidance on four types of notices: (1) notice at collection of personal information, (2) notice of right to opt-out of the sale of personal information, (3) notice of financial incentives, and (4) a business’s online and offline privacy policy.

Although there are differences between the various provisions, each of the notices is required to:

  1. Be easy to read and understandable to an average consumer;
  2. Use plain, straightforward language and avoid technical or legal jargon;
  3. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable;
  4. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers; and
  5. Be accessible to consumers with disabilities.

Notice of Collection

The notice at collection must inform “consumers at or before the time of collection of a consumer’s personal information of the categories of personal information to be collected from them and the purposes for which the categories of personal information will be used.”

It must be available to consumers at the point of collection whether that is on or offline. The notice also must contain certain specific information such as a list of categories of personal information about consumers that will be collected, the business or commercial purpose for which the information will be used, and a link to the business’s privacy policy.

Notice of Right to Opt-Out of Sales

This notice must “inform consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop selling their personal information, and to refrain from doing so in the future.” Of course, the addition of the phrase “or may in the future sell” is sure to cause headaches for businesses.

The regulation also sets forth requirements for how businesses must provide the notice. For example, businesses are required to “post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’ link on the website homepage or the download or landing page of a mobile application.”

The regulation also sets forth requirements for businesses that substantially interact with consumers offline and do not have a website.

Businesses also are directed as to what the notice must state, including a description of the consumer’s right to opt-out of sales, the webform by which the consumer can submit their request, instructions for any other methods for submitting requests, and a link to the business’s privacy policy.

Businesses are not required to provide this notice if (1) they do not, and will not, sell personal information and (2) state in their privacy policy that they do not, and will not, sell personal information.

Notably, if a business collects personal information while not having a proper opt-out notice posted, it must treat every consumer as having submitted a valid opt-out request.

The AG’s office also published an opt-out button/logo although it is not available in the version of the regulations currently posted online.

Notice of Financial Incentive

This notice is intended to “explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate.” The notice will apply to customer loyalty programs.

This notice must provide a summary of the financial incentive or price difference offered, describe the material terms of the financial incentive or price of service difference, explain how the consumer can opt-out, notify consumers of their right to withdraw, and explain why the financial incentive or price difference is permitted under the CCPA.

Privacy Policy

The privacy policy must “provide the consumer with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.”

The privacy policy must be posted online or, for businesses that are stuck in 1995 and do not have a website, must be conspicuously available to consumers.

The list of information that a privacy policy must include covers a page-and-a-half of text. To summarize, the policy will need to explain the various rights provided by the CCPA; provide instructions for submitting verifiable requests; describe the process the business will use to verify the request; identify the categories of personal information collected; disclose whether the business sells personal information and, if so, provide additional information; explain how a consumer can designate an authorized agent to make a request; provide contact information; and identify the effective date.

Notably, this provision does not address how the CCPA’s requirements should be read in light of California’s pre-existing online notice statutes, such as CalOPPA and the Shine the Light Law. Those statutes are still good law and businesses will need to consider those requirements as well.

It also does not address how the California privacy notice should interact, if at all, with GDPR-compliant online privacy notices or notices required by Nevada and Delaware. Presumably, reasonable minds will differ on the right approach, which could lead to variation in policies between businesses. Given that the regulation states that policies must be “easy to read and understandable to an average consumer,” businesses will need to wrestle with how to incorporate all of these disclosure requirements (and presumably more as other states enact similar laws).

Article 3. Business Practices for Handling Consumer Requests

One of the primary areas in which businesses were waiting for guidance was the proper process for handling verified consumer requests. In this Article, the regulations provide guidance on that issue as well as other related issues.

Methods for Submitting Requests to Know and Requests to Delete

This part of the regulation clarifies the methods that businesses must provide for submitting verified requests. Those methods differ depending on whether the request is a request to know or request to delete. For online requests to delete, businesses are required to use a two-step process where the consumer must first submit a request to delete and then confirm that they want their information deleted.

Responding to Requests to Know and Requests to Delete

After receiving a request to know or delete, a business must respond within 10 days to confirm receipt and explain how the business will process the request, including the business’s verification process. Businesses must respond to these requests within 45 days, but can take up to an additional 45 days if they provide notice to the consumer.

In responding to requests to know, the regulations specifically prohibit businesses from disclosing “a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.” That is significant and must not be overlooked by businesses because it is not provided for in the CCPA and covers the type of data elements that are subject to the CCPA’s statutory damages for data breaches.

A business also should not “provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”

Further, a business is not required to respond to requests to know if it cannot verify the consumer’s identity pursuant to the requirements of Article 4.

A business that denies a consumer’s request pursuant to an exemption to the CCPA must inform the requestor and explain the basis for the denial.

This provision also further specifies the exact types of information that must be relayed to the consumer.

In responding to requests to delete, a business must completely and permanently erase the personal information on its existing systems, but it does not have to do so with archived or back-up systems. This provision will be welcome news for businesses that have struggled with the concept of having to modify back-up tapes, which, by their very nature, are supposed to remain unchanged. However, if the archived or back-up system is later accessed or used, the request must be honored.

If a business denies a request to delete, it must inform the consumer, describe the basis for the denial, delete any personal information that is not subject to the exemption, and not use the retained information for any reason other than the exempted purpose.

Service Providers

Those familiar with the CCPA will know that it defines “service provider” in relation to “third party” and sets forth certain requirements (such as a written contract containing specific provisions) for entities to be considered service providers.

In turn, the regulations modify those requirements through two provisions.

First, the regulations provide that “[t]o the extent that a person or entity provides services to a person or organization that is not a business, and would otherwise meet the requirements of a “service provider” under Civil Code section 1798.140(v), that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.” (Emphasis added.) That provision appears to address the fact that the CCPA’s definition of service provider states that it is an entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information.” (Emphasis added.)

Second, the regulations provide that “[t]o the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, and would otherwise meet all other requirements of a “service provider” under Civil Code section 1798.140(v), that person or entity shall be deemed a service provider for purposes of the CCPA and these regulations.” Again, this appears to address a potential loophole in the service provider definition, which only discusses “processing” information on behalf of a business and not “collecting” information on behalf of a business.

The regulations proceed to identify a few other requirements for service providers, including how they should handle requests to know or delete.

Requests to Opt-Out

As with requests to know and delete, the regulations provide further guidance on the handling of requests to opt-out. Again, the regulations identify the methods for receiving requests to opt-out.

Notably, in responding to a request to opt-out, “a business may present the consumer with the choice to opt-out of sales of certain categories of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices.”

A business must respond to an opt-out request no later than 15 days from the date the request is received. A business also must notify all third parties to whom it sold the consumer’s personal information in the 90-day period prior to receiving the consumer’s request. The business must tell those third parties that the consumer has exercised the right to opt-out and instruct them not to further sell the information.

A request to opt-out does not need to be a verifiable request but if a business reasonably believes that the request is fraudulent it can deny the request.

Requests to Opt-In After Opting Out of the Sale of Personal Information

These requests must follow a two-step process of clear opt-in and confirmation.

Training and Record-Keeping

The regulations reiterate the CCPA’s requirement that certain individuals must be provided training on the CCPA.

The regulations further provide that a business must keep a record of all consumer requests for the prior 24 months.

A business that, alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 4,000,000 or more consumers is required to post certain information in its online privacy policy relating to the number of requests it received and how it responded.

Article 4. Verification of Requests

Pursuant to this article, businesses are required to establish, document and comply with a reasonable method for verifying that the person making the request is who they represent themselves to be. The regulations identify three requirements:

  1. Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.
  2. Avoid collecting the types of personal information identified in Civil Code section 1798.81.5(d), unless necessary for the purpose of verifying the consumer.
  3. Consider a number of factors such as the nature of the personal information collected and maintained, the risk of harm to the consumer, the likelihood of fraud, whether the personal information used to verify the identity is susceptible to being spoofed or fabricated, the manner in which the business interacts with the consumer and available technology for verification.

Businesses also are required to implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.

The regulations provide further guidance and requirements for identity verification with respect to specific types of requests and the nature of the consumer’s interaction with the business.

As noted, for an even deeper dive into these regulations, please attend our webinar on Tuesday, October 15, from 12:00-1:30 p.m. CT.

Conclusion

While the above analysis provides an overview of the AG’s proposed regulations, there is no doubt that businesses will be pondering these provisions for many weeks to come. Businesses also will need to keep in mind that these are only proposed regulations and, therefore, are susceptible to change. Nonetheless, they provide much needed guidance on the CCPA’s requirements, although still leaving many questions unanswered.

David Stauss


David is co-leader of Husch Blackwell’s national privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Bob Bowman

Bob advises clients on a range of intellectual property issues and keeps them current on emerging technologies. Bob is a forward thinker who keeps up with the changing landscape of technical innovation and the law surrounding the Internet of Things, blockchain, smart contracts and data privacy.

Marci Kawski

Marci represents installment lenders, auto finance companies, payday and short-term lenders, online lenders, credit unions, and banks when faced with regulatory issues. She provides practical advice to clients to ensure they comply with the myriad laws governing their businesses. Marci’s skills extend to all aspects of consumer finance litigation: discovery, dispositive motion practice, mediation, negotiation of settlement agreements, trial and appeal. Her litigation experience informs her counsel to clients hoping to avoid regulatory issues. Credit unions and other financial institutions also turn to Marci to prepare and review third-party and vendor contracts.

Tobias P. Moon

Tobias guides financial clients of all sizes, from startups to the country’s largest banks. His range of experience also includes extensive work with credit unions, mortgage companies, online lenders, automobile lenders, student loan servicers and private equity funds. He guides financial institutions through commercial lending, fintech, data privacy and security, and other complex matters of proactive risk management, regulation and growth. With more than a decade of experience, Tobias provides practical advice and crafts thorough solutions.

He has in-depth experience both as in-house and as outside counsel advising clients on preparation of Compliance Management Systems addressing these laws and subsequent reviews and audits of such systems.

He helps companies navigate licensing and regulatory matters during the most complex acquisitions, mergers and asset transfers. He regularly counsels clients on various federal statutes, including:

  • Real Estate Settlement Procedures Act (RESPA)/Regulation X
  • Truth in Lending Act (TILA)/Regulation Z
  • Equal Credit Opportunity Act (ECOA)/Regulation B
  • Home Mortgage Disclosure Act (HMDA)/Regulation C
  • Unfair or Deceptive Acts or Practices (UDAAP)

Tobias also assists clients with complying with seller/servicer requirements set forth by Fannie Mae and Freddie Mac and the requirements set by insurers such as the Federal Housing Administration and the U.S. Department of Veterans Affairs.