On October 10, 2019, the California Attorney General released proposed regulations under the California Consumer Privacy Act (CCPA), introducing some requirements that do not appear in the statute itself. The regulations are divided into seven articles, which we discussed in an earlier blog post. In this post, we take a closer look at the proposed regulations and identify recommended next steps for addressing them.
Although the analysis below is detailed, the central point is simple: the proposed rules show how the AG interprets the CCPA and how the AG may enforce it. In the Notice of Proposed Rulemaking Action, the AG states that the regulations would “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA,” and that the draft regulations “provide clear direction to businesses on how to inform consumers of their rights and how to handle their requests” (see Notice of Proposed Rulemaking Action, pg. 10). On January 6, 2020, the AG also issued an advisory to consumers that informs them of their rights and signals that organizations will be held accountable for transparency and compliance under the statute. Finally, the AG released a CCPA fact sheet stating that over $12 billion worth of personal information will be protected each year under the CCPA, giving consumers unprecedented control over the use of their data.
None of the advisory, the fact sheet or the Initial Statement of Reasons provides insight into the status of the proposed regulations, when they will be finalized, or whether to expect significant changes in the final text. All three are formal guidance intended to operationalize the CCPA within the bounds of the statute: they restate the CCPA’s core obligations, scope and enforcement priorities while giving consumers actionable transparency about how their data is used.
Article 1. General Provisions
The scope provision in Article 1 ties the regulations to the CCPA by making explicit that a violation of the regulations constitutes a violation of the CCPA (see Section 999.300(b)). This matters because of the breadth of the CCPA statute. In other words, a violation of the regulations carries the same remedies as a CCPA violation: a civil penalty of up to $2,500 for each violation or up to $7,500 for each intentional violation.
Additionally, this article adds 21 definitions that clarify or remove ambiguity from previously undefined terms such as “household.”
Article 2. Notices to Consumers
California already has online notice statutes such as the California Online Privacy Protection Act (CalOPPA) and Shine the Light. Organizations will likely grapple with how to reconcile the notice requirements of these regulations with those of the GDPR and of other states such as Delaware and Nevada.
Article 3. Business Practices for Handling Consumer Requests
The proposed regulations outline the proper handling of consumer requests. Specifically, the article details the methods for submitting verifiable requests, along with receiving, processing and responding to a consumer’s request to know (for example, the categories of personal information collected and the purposes for collecting it), to access specific pieces of personal information, or to delete. Upon receipt of a request to know or a request to delete, the organization must confirm receipt within ten (10) days and respond within 45 days.
For deletion requests submitted online, organizations must use a two-step process in which the consumer first submits the request and then separately confirms that they do, indeed, want their personal information deleted (see Section 999.312(d)). Also of importance: personal information disclosed in response to a request must be transmitted securely, and information subject to a deletion request must be permanently and completely erased, de-identified or aggregated. A deletion request does not apply to personal information held on archived or offline backup systems unless the archive or backup is later accessed or used.
If a deletion request is denied, for example because an exemption applies, the organization must inform the consumer of the basis for the denial and must still delete any personal information that is not covered by the exemption.
Article 4. Verification of Requests
Organizations are tasked with establishing, documenting and complying with a reasonable method for verifying that the individual making a request is who they claim to be. In connection with those verification methods, the business must also implement “reasonable security measures” to detect fraudulent identity-verification activity and to prevent unauthorized access to, or deletion of, a consumer’s personal information (see Section 999.323(d)).
The regulations list a number of factors to weigh when choosing a verification method, including whether the personal information is sensitive or valuable, the risk of harm to the consumer from unauthorized access or deletion, and the availability of third-party verification services, among others. Businesses are directed to generally avoid requesting “additional information” from the consumer for verification purposes. If identity cannot be verified from the information the business already holds, the business may request additional information, but it must delete any new personal information collected for verification as soon as practical after processing the request.
Finally, a question clients often ask: “Do we have to delete any consumer personal information we hold?” The regulations are clear on de-identified data: “if a business maintains consumer information that is de-identified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request” (see Section 999.323(e)).
Article 5. Special Rules Regarding Minors
Based on the California AG’s comments discussed in a separate article, early and aggressive enforcement is expected to focus on the personal information of minors. Businesses should therefore be prudent in how they obtain and verify authorization where minors are involved.
For minors under 13, a business must have a reasonable method for determining that the person who provided the authorization is, in fact, the minor’s parent or guardian. Upon receipt of that authorization, the business must notify the parent or guardian of their right to opt out at a later date and of how to do so. The methods listed range from a consent form signed by the parent or guardian to the use of a payment system that notifies the parent after every financial transaction, among others.
For minors between 13 and 16 years of age, organizations must establish procedures that allow the minor to affirmatively opt in to the sale of their personal information, along with notification of the right to opt out and how to exercise it. There is no parental authorization requirement for minors between 13 and 16 years old.
Article 6. Nondiscrimination
Under Article 6, businesses may offer financial incentives and price or service differences. However, a business may not penalize consumers for exercising their privacy rights: any incentive or difference must be reasonably related to the value of the consumer’s data, rather than being used simply to reward consumers who do not opt out.
Illustrative examples show how different practices would be treated under the statute. The regulations also introduce eight methods for calculating the value of a consumer’s data. Whichever method is chosen must be documented.
Finally, an organization’s denial of a consumer’s request to know, delete or opt out, for reasons permitted under the CCPA, is not considered discriminatory.
While the above summarizes the AG’s proposed regulations, consider the following next steps:
- Continuously update data flow mappings or Records of Processing Activities (RoPA) documentation to assist with consumer rights and request compliance efforts.
- Design methods and means to capture affirmative authorization from parents or guardians of minors under age 13, and from minors between 13 and 16.
- Update websites, draft and implement verification processes, and train call center personnel and customer service representatives on the appropriate handling of consumer requests and on how to respond to CCPA inquiries.
Finally, work with general counsel, the legal department or outside counsel to obtain a full accounting of what must be disclosed to consumers, and to stay fully informed about the CCPA, which is likely to change, as well as any other applicable privacy statutes.