On October 11, 2019, California Attorney General Xavier Becerra signaled his enforcement priorities and released the long-awaited proposed regulations under the California Consumer Privacy Act (“CCPA”), which was signed into law on June 28, 2018 and goes into effect on January 1, 2020. The CCPA will apply to businesses, wherever they may be located, that collect or process California consumers’ personal information and either 1) have $25 million or more in gross annual revenue, 2) derive more than half their revenue from sharing personal information, or 3) buy, sell or share the personal information of 50,000 or more consumers or devices.
The CCPA is considered a landmark piece of legislation in the United States and secures new privacy rights for California consumers that concern the collection, use, and processing of their personal information. Key requirements of the law include: 1) businesses must disclose data collection and sharing practices to consumers; 2) consumers have a right to request that their data be deleted; 3) consumers have a right to opt out of the sale or sharing of their personal information; and 4) businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law. The regulations would give insight into how the California Department of Justice interprets the CCPA, which is important to know as it will begin enforcing the law by July 1, 2020.
The following are key areas of the proposed regulations:
- Generally, these notices must be designed and presented to consumers in an “easy to read” format for the average user.
- Notices are to include a list of categories of personal information to be collected.
- A business that sells its consumers’ personal information shall provide an opt-out notice via a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage.
2. Business Practices for Handling Consumer Requests to Know and to Delete Personal Information: The proposed regulations describe the methods a business must provide for consumer requests to know and to delete personal information:
- There should be at least two methods for such submissions; at a minimum, a toll-free telephone number and an interactive webform accessible through the website.
- A business has 10 days to confirm receipt of a consumer request and explain how it will process the request. The business shall then respond within 45 days, a period that begins on the day it receives the request.
- A business can deny a request in the following circumstances: 1) if it is unable to verify the identity of the consumer; 2) if the disclosure creates a “substantial, articulable, and unreasonable” risk to the security of the personal information, the consumer’s account, or to the business’ systems or networks; or 3) if the request conflicts with federal or state law or falls within an exception to the CCPA.
- When responding to a consumer request, businesses shall provide an individualized response and cannot refer to general business practices unless the response is the same for all consumers.
- A response to a request to know shall include: 1) the categories of sources from which personal information was collected; 2) the business or commercial purpose for which personal information was collected; 3) the categories of third parties to whom the business sold or disclosed the category of personal information for a business purpose; and 4) the business or commercial purpose for which it sold or disclosed the category of personal information.
3. Business Practices for Handling Consumer Requests to Opt-Out: The proposed regulations also describe for businesses the methods to provide for consumer requests to opt-out of a sale of personal information:
- As with requests to know and to delete, there should be at least two designated methods for requesting to opt-out, including, at a minimum, a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on the business’ website.
- If a business collects personal information from consumers online, it shall treat user-enabled privacy controls (browser plugin or privacy setting) that indicate the consumer’s choice to opt-out as a valid request.
- After receiving an opt-out request, a business shall act on it as soon as “feasibly possible,” but no later than 15 days from date received.
- A business shall notify third parties to whom it has sold the consumer’s personal information within the 90 days prior to receipt of the opt-out request that the consumer has exercised the right to opt-out. Additionally, the business shall instruct the third parties not to further sell the information. Once completed, the business is to notify the consumer that this process is complete.
- Note that the request to opt-out need not be a verifiable consumer request. However, if a business has a good-faith belief that such a request is fraudulent, it may deny the request.
- If a consumer wants to opt-in after opting out of the sale of personal information, a two-step process must be used. The consumer must clearly request to opt-in, and separately, they must confirm their choice to do so.
4. Verification of Requests: The proposed regulations explain how a business should verify a consumer’s identity when seeking to process requests:
- When feasible, a business should match the identifying information provided by the consumer to the personal information about that consumer that the business already maintains. The regulations encourage higher levels of verification for higher levels of access to information; for access to sensitive information, the regulations suggest that at least three personal data elements be provided.
- A business should try to avoid requesting additional information from the consumer for purposes of verification. However, if the information already maintained does not help, a business can ask for more information only for the purposes of verifying identity.
- A business does not need to provide or delete any de-identified consumer information maintained.
- When maintaining a password-protected account for a consumer, a business may verify identity through its existing authentication practice for the consumer’s account, provided that the consumer re-authenticates themselves before data is disclosed or deleted.
5. Service Providers: The proposed regulations state that a “service provider,” a person or entity that processes personal information on behalf of a business and for a business purpose, shall not use such information received either from the business itself or from the consumer’s direct interaction for the purposes of providing services to another person or entity.
6. Special Rules Regarding Minors: The proposed regulations explain that businesses must comply with a reasonable method for obtaining affirmative authorization from the parent or guardian of a child, in addition to any obligations under the Children’s Online Privacy Protection Act (“COPPA”). Reasonable methods include, but are not limited to, providing a consent form to be signed by the parent or guardian or having a parent or guardian call or communicate via video-conference or in-person to trained personnel.
7. Non-Discrimination: The proposed regulations make clear that a financial incentive or a price or service difference is discriminatory and prohibited if the business treats a consumer differently because they exercised their rights under the CCPA. An exception applies where the business offers a different price, level or quality of goods and services and the price or difference is directly related to the value provided by the consumer’s personal information.
8. Training: The proposed regulations provide that a business must establish, document, and comply with a training policy to ensure all individuals responsible for handling consumer requests or for the business’ compliance with the CCPA are informed of all the necessary requirements under the law. This is particularly important because a business is required to maintain a record of consumer requests made pursuant to the CCPA, and of how the business responded to those requests, for at least 24 months.
The California Attorney General’s office is opening a public comment period on the proposed regulations, which includes four public hearings this December in various cities across California. The public hearings are intended to give all interested persons the opportunity to present statements or comments with respect to the proposed CCPA regulations. Public comments are due on December 6, 2019.