California Attorney General Publishes Proposed CCPA Regulations
On Thursday, October 10th, the California Attorney General’s Office released long-awaited Proposed Regulations governing implementation of key provisions of the California Consumer Privacy Act of 2018 (CCPA) (Proposed Regulations). The Attorney General’s Office is accepting public comments on the Proposed Regulations until 5 pm PST on December 6th. Any subsequent revisions to the Proposed Regulations are subject to an additional 15-day public comment period before being finalized. The CCPA requires the final regulations to be adopted on or before July 1, 2020. In addition to accepting written comments, the Attorney General will hold a series of public hearings around the state between December 2nd and December 5th.
The Proposed Regulations address a number of key compliance points for businesses and service providers subject to CCPA requirements, including:
- Definitions. The Proposed Regulations include new definitions for terms such as “Authorized agent,” “Categories of Sources,” “Household” and “Third-Party identity verification service.”
- Notice Format and Availability. The Proposed Regulations set forth detailed requirements with regard to the format and availability of the various consumer notices required by the CCPA. The notices must (i) be in plain language and avoid technical or legal jargon, (ii) be in a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, (iii) be available in languages in which the business communicates information to consumers in the ordinary course of business, and (iv) be accessible to consumers with disabilities, or at a minimum, provide information on how a consumer with a disability may access the notice in an alternative format. For businesses that do not collect personal information directly from consumers, the Proposed Regulations include provisions that would exempt the business from providing notice at the time of collection provided that it takes steps to contact the consumer directly or obtain certain attestations from the source from which the personal information was obtained.
- Opt-Out Button or Logo. In addition to, but not in lieu of, posting a notice of the right to opt-out of the sale of personal information, businesses may also post a uniform button or logo that links to a webpage containing the opt-out information required by the regulations, or to the section of the business’ privacy policy that contains the same information. However, the Proposed Regulations do not yet include the button or logo itself, only a placeholder indicating that it will be added later.
- Consent. The Proposed Regulations specify that a business can only use a consumer’s personal information in a manner that is consistent with the privacy notice provided to consumers at the time their information was collected. If a business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer at collection, the business must directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose. This may encourage businesses to draft their privacy policies broadly in anticipation of future uses.
- Notice of Financial Incentive. The CCPA requires businesses that offer financial incentives to notify consumers of such incentives. The Proposed Regulations require that such notification include: (i) a succinct summary of the financial incentive offered, (ii) a description of the material terms of the financial incentive, including the categories of personal information that are implicated by the financial incentive, (iii) how the consumer can opt-in to the financial incentive, (iv) notification of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right, and (v) an explanation of why the financial incentive or price or service difference is permitted under the CCPA, including a good faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference, and a description of the method the business used to calculate the value of the consumer’s data.
- Methods of Submitting Requests to Know and Requests to Delete. The CCPA requires a business to provide two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number, and if the business operates a website, an interactive web form accessible through the business’ website or mobile application. The Proposed Regulations suggest the following as other acceptable methods: (i) a designated email address, (ii) a form submitted in person, and (iii) a form submitted by mail. Additionally, the Proposed Regulations provide that at least one method must reflect the manner in which the business primarily interacts with consumers. The Proposed Regulations also require that a business use a two-step process for online requests to delete whereby the consumer first submits the request to delete, and then later confirms it. How this two-step process is to work in practice is not further specified in the Proposed Regulations.
- Receipt of Requests to Know and Requests to Delete. The Proposed Regulations require that, upon receiving a request to know or a request to delete, a business confirm receipt of the request within 10 days and provide information about how the business will process the request. A business must then respond to a request to know or a request to delete within 45 days, counted from the day the business receives the request; the business may take an additional 45 days to respond if it provides the consumer with notice of, and an explanation for, the delay.
- Response to Requests to Know. The Proposed Regulations provide that a business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information. Additionally, a business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers. If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal through which consumers can access, view, and receive a portable copy of their personal information, provided that the business complies with the verification requirements, the portal fully discloses the personal information that the consumer is entitled to under the CCPA, and the portal uses reasonable data security controls.
- Response to Requests to Delete. If a business successfully verifies the identity of a requestor, the Proposed Regulations state that the business must either (i) permanently and completely erase the personal information on its existing systems, (ii) de-identify the personal information, or (iii) aggregate the personal information. A business may delay compliance with the consumer’s request to delete with respect to data stored on an archived or backup system until the archived or backup system is next accessed or used.
- Service Providers. The Proposed Regulations seek to clarify when an entity will be considered a “service provider.” For example, the Proposed Regulations state that if a person or entity provides services to an organization that is not a “business” but otherwise meets the definition of a “service provider,” then that person or entity will be deemed a service provider for CCPA purposes. In addition, to the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, and that person or entity would otherwise meet all other requirements of a “service provider,” it would be a service provider for CCPA purposes. The Proposed Regulations also provide that a service provider may not use personal information received either from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. A service provider may, however, combine personal information received from one or more entities to which it is a service provider, on behalf of such businesses, to the extent necessary to detect data security incidents or to protect against fraudulent or illegal activity.
- Requests to Opt-Out. The Proposed Regulations require that a business that receives an opt-out request notify all third parties to whom it sold the consumer’s personal information within the 90 days prior to receipt of the request, and instruct them not to further sell the information.
- Recordkeeping. The Proposed Regulations impose a 24-month recordkeeping requirement on businesses regarding CCPA rights requests received from consumers and how the business responded to such requests. They also require all businesses that, alone or in combination, annually buy, receive, sell, or share for commercial purposes the personal information of 4,000,000 or more consumers to compile and display in their privacy policy certain metrics for the previous calendar year. The metrics are as follows: (i) the number of requests to know received, complied with, and denied, (ii) the number of requests to delete received, complied with, and denied, (iii) the number of requests to opt-out received, complied with, and denied, and (iv) the median number of days within which the business substantively responded to these requests.
- Verification. The Proposed Regulations set forth factors to guide businesses in determining the method by which the business will verify a consumer’s identity. The factors are: (i) the type, sensitivity, and value of the personal information collected and maintained about the consumer, (ii) the risk of harm to the consumer posed by any unauthorized access or deletion, (iii) the likelihood that fraudulent or malicious actors would seek the personal information, (iv) whether the verification information to be provided by the consumer is sufficiently robust to protect against fraud, (v) the manner in which the business interacts with the consumer, and (vi) the technology available for verification.
- Non-Discrimination and Financial Incentive Offerings. The CCPA provides that a business may offer a financial incentive to consumers for the collection and sale of their personal information, as long as any resulting price or service difference is reasonably related to the value of the consumer’s data. The Proposed Regulations offer eight methods from which businesses may choose for calculating the value of a consumer’s data. The methods are as follows: (i) the marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data; (ii) the average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data; (iii) revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value; (iv) revenue generated by the business from the sale, collection, or retention of consumers’ personal information; (v) expenses related to the sale, collection, or retention of consumers’ personal information; (vi) expenses related to the offer, provision, or imposition of any financial incentive or price or service difference; (vii) profit generated by the business from the sale, collection, or retention of consumers’ personal information; and (viii) any other practical and reliable method of calculation used in good faith.
- Special Rules Regarding Minors. The CCPA requires that the parent or guardian of a minor under the age of 13 provide an affirmative opt-in to the sale of the minor’s personal information. The Proposed Regulations provide a non-exhaustive list of methods that are “reasonably calculated to ensure that the person providing consent is a child’s parent or guardian.” The Proposed Regulations also include rules for the collection of personal information from individuals between 13 and 16 as well as notice rules for individuals under the age of 16.
AGG’s Privacy and Consumer Regulatory Practice is working with clients in a wide-range of industry sectors on CCPA compliance issues. For additional information, please contact Montserrat Miller or Kevin Coy.