On October 10, 2019, the California Attorney General issued its notice of proposed rulemaking containing its proposed CCPA Regulations. In many instances, the draft Regulations go beyond simply clarifying existing CCPA provisions and instead set forth new requirements that alter prior interpretations of the law.
This analysis highlights some of those provisions and expected next steps as we inch closer to the new year.
Consumer Notices
Perhaps most notable are the additional requirements for the four types of consumer notices addressed by the Regulations: the point of collection notice, the full privacy policy, the notice of right to opt-out of sale (“DNS Notice”), and the financial incentives notice.
Point of Collection Notice. This notice must be provided at or before the moment the business collects personal information of a consumer, whether online or offline. This suggests that, for online data collection, merely having a link to the Privacy Policy in the footer of the page is not sufficient. But a link to the subsection of the business’s full Privacy Policy containing this information likely can be provided in lieu of a full notice. For offline data collection, the Regulations suggest including the notice on printed forms, providing the consumer with a paper version of the notice, or posting a prominent sign with the URL of the required notice.
Full Privacy Policy. The draft Regulations require more detailed disclosures in the full Privacy Policy than what is required under existing CCPA provisions, including:
- Matching each category of personal information collected to the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information;
- A description of the process used to verify consumer requests;
- A statement of whether or not the business has disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months; and
- Additional disclosures for businesses that sell information of minors and businesses that process personal information of 4 million or more California consumers.
Do Not Sell (“DNS”) Notice. In addition to providing clarity around the formatting and content of the “DNS Notice” link for online services, the draft Regulations require businesses that “substantially interact” (which is undefined) with consumers offline to also make consumers aware of their right to opt-out by, for example, posting signage directing consumers to a website DNS Notice.
Financial Incentives Notice. The draft Regulations make it clear that consumers must be provided enough information to make an informed choice based on the benefits and costs of CCPA-related financial incentives, such as a discount offered to a consumer for the collection of her personal information. This “financial incentives notice” must include comprehensive disclosures about the types of financial incentives offered, the categories of personal information implicated, opt-in mechanisms, the right to withdraw, and an explanation of why the financial incentive or price or service difference is permitted under the CCPA, including a good-faith estimate of the value of the consumer’s data and a description of the method the business used to calculate the value of the consumer’s data. The notice can either be part of the Privacy Policy or part of a separate notice, depending on the circumstances in which the business offers the financial incentive.
Consumer Requests and Verification
The draft Regulations also provide a significant amount of detail around how businesses are expected to handle consumer requests (such as requests to access their information), including detail regarding verification of the identity of the requestor.
DNS Requests. Per the draft Regulations, businesses not only have to act on Do Not Sell requests within 15 days after receipt, they also must inform anyone to whom data was sold in the prior 90 days of the request and instruct them not to sell the data further. This was not included in the statute and raises significant practical difficulties for certain types of potential sales. For instance, in targeted advertising, “upstream” partners and publishers often cannot currently do this look-back to inform “downstream” partners of new opt-outs, as usually neither party can match to the other’s identifiers. Further, the draft Regulations also require businesses to treat user-enabled privacy controls (such as a browser plugin, privacy setting, or other mechanism) that communicate or signal the consumer’s choice to opt out of the sale of their personal information as a valid request. While current Do Not Track signals and cookie blockers may not fall within this category, we do expect a proliferation of plugins and browser extensions that are explicitly designed to send a DNS signal and, as such, must be treated as valid DNS opt-outs.
Methods for Submitting Requests. The draft Regulations also now require businesses to provide two or more methods to submit access and deletion requests, and require that one of those methods reflect how the business primarily interacts with the consumer. This added obligation may require a business to offer 3 methods for access requests (e.g., retail stores with secondary websites must offer a toll-free number and an interactive webform to satisfy the existing CCPA requirements, and an in-person form to satisfy the new requirement). Unlike the CCPA itself, the Regulations also allow businesses to choose a method for receiving deletion requests, provided that one method reflects how the business primarily interacts with the consumer. Finally, despite providing businesses with some flexibility as to the methods they choose, the draft Regulations further require businesses to accept requests anywhere they receive them, either by processing the request as if it had been submitted appropriately or by directing the user to the business’s designated method for receiving requests.
Responding to Requests. The draft Regulations impose more granular requirements on how businesses may respond to access and deletion requests. Notably, these requirements address the information provided in the confirmation of receipt, the types of information that cannot be disclosed, individualized responses for right-to-know requests, and treatment of deletion requests.
Verification. The draft Regulations provide some much-needed clarity on how businesses are expected to verify consumer requests. For example, the draft Regulations set forth the factors that a business must consider when developing its verification process, including the type, sensitivity, and value of the personal information collected and the risk of harm to the consumer posed by any unauthorized access or deletion. They also make it clear that businesses should, whenever feasible, only use information already maintained about the user, and they set forth the different verification standards dependent on the specificity of the information requested (i.e., categories of data vs. specific pieces of information).
Additional New Requirements
While this analysis does not cover everything added or clarified within the draft Regulations, we want to call attention to the most notable components of the CA AG’s proposal.
In addition to the provisions addressed above, we also recommend businesses review:
- The prohibition on using personal information for any purpose that was not previously disclosed in the business’s point of collection notice unless the business directly provides notice and obtains explicit consent for the new use (whereas only notice is required in the text of the CCPA itself);
- The requirements for notice and consent for information resellers that do not collect personal information directly from consumers;
- The potential narrowing of the “service provider” exception to “sale” by explicitly prohibiting service providers from using personal information received from one customer (or from that customer’s users) for the purpose of providing services to another person or entity;
- The expansion of training requirements so that every business (and potentially every service provider) must now “inform” all personnel responsible for handling consumer requests, and all personnel responsible for CCPA compliance, about all aspects of the CCPA – not just a select few sections;
- The requirement that businesses must ensure that the person who authorizes the sale of personal information of a child under 13 is actually that minor’s parent or guardian, which could mean that COPPA consent is not enough; and
- The requirement to calculate the value of consumers’ personal information as part of businesses’ non-discrimination obligations.
What’s Next
In many ways, the draft Regulations provide helpful clarity on several of the more complicated CCPA requirements, but they also introduce several new requirements that are neither reasonable nor clear.
Importantly, these draft Regulations are not yet final. The Regulations are open for public comment until December 6, 2019 and are expected to be finalized in the spring of 2020. Additionally, the AG’s office indicated that it will update the rules to reflect the amendments signed by Governor Newsom on October 11.
We look forward to a robust comment period.