CCPA Update: California Attorney General Issues Draft Privacy Rules
On Thursday, California Attorney General Xavier Becerra released draft regulations implementing the California Consumer Privacy Act (CCPA). The regulations provide the first glimpse into how the Attorney General interprets the sprawling law, which is slated to go into effect on January 1.
The new regulations cover seven topics:
- Notices to Consumers: The draft regulations clarify the format and content of notices that businesses must provide to consumers when they (a) seek to collect personal information, (b) inform the consumer of the right to opt-out of the sale of personal information, (c) provide details on financial incentive programs, and (d) publish a privacy policy. The draft regulations include the following specific requirements:
- Notices must be designed and presented in an easy-to-read, understandable way, and be ADA accessible.
- Notices must describe, for each category of personal information collected, the categories of sources and the business or commercial purpose(s) for which the information is collected, as well as the categories of third parties with whom the business shares that information.
- Notably, for notices provided offline, the notice must be provided prior to data collection, such as via a hard copy of the notice or prominent, in-store signage with a link to the notice.
- Opt-out notices must contain certain content, including a description of the proof required when a consumer is using an authorized agent to help them exercise their opt-out right. The draft regulations also propose the concept of an opt-out button or logo, but such button or logo would need to be provided in addition to, and not instead of, the notice.
- Businesses must impose restrictions on the collection of personal information when they are unable to provide notice.
- Handling Consumer Requests: The draft regulations propose an extensive, standardized set of rules on operationalizing the handling of consumer requests. Many of the proposed requirements are not expressly described in the CCPA. Businesses that have been working to implement the CCPA should review this section carefully and likely will need to determine if and whether to update their implementation plans to align with the Attorney General’s proposed rules. Notable proposed requirements include the following:
- Businesses will be required to confirm the receipt of consumer requests within 10 days, re-confirm requests to delete personal information, and maintain records on handling of consumer requests for at least two years. On deletion requests, the draft regulations state that compliance with a deletion request excludes archived or back-up systems.
- After verification of identity, businesses should respond to household requests submitted via a non-password protected account with aggregate household information.
- If a consumer submits a request through a non-designated method, or a deficient request (unrelated to verification), the business must either treat such request as submitted correctly or provide instructions to the consumer on how to remedy the deficiencies.
- Businesses must provide an individualized response to the consumer, and not a template general response unless the response would be the same for all consumers, and are prohibited from, under any circumstance, disclosing certain sensitive personal information.
- If a consumer has opted out of the sale of personal information, the business must obtain a double opt-in thereafter.
- Businesses may re-name their do-not-sell links with the label “Do Not Sell My Info” rather than only “Do Not Sell My Personal Information."
- Verification of Requests: The draft regulations establish rules and procedures for verifying the identity of consumers making requests.
- For businesses with consumer accounts, the business would generally be able to use existing authentication procedures to verify consumers. For companies that must verify non-accountholders, the draft regulations propose a series of verification procedures tailored to the type of request. For example, requests for access to specific pieces of personal information will require a business to match at least three pieces of a consumer’s personal information, and the consumer to submit a signed declaration under penalty of perjury.
- For a request made by an authorized agent, the proposed regulations provide that the business may require written permission from the consumer and that the consumer verify their own identity directly with the business, unless the consumer has provided the agent with power of attorney pursuant to probate laws.
- Service Providers: The proposed regulations clarify that a service provider shall not use personal information it collects from a business or consumer in connection with its provision of services to another person or entity. However, a service provider may combine personal information to the extent necessary to detect data security incidents or protect against fraud or illegal activity.
- Mini-Data Broker Requirements: The proposed regulations provide that if a business annually buys, shares, or receives for commercial purposes, or sells the personal information of, 4 million consumers, it must compile a number of metrics, disclose such metrics in its privacy policy, and establish and document training. Notably, an entity need not meet the definition of a data broker (as specified in AB 1202) to be subject to this requirement.
- Rules Regarding Minors: The draft regulations establish rules on obtaining consent to sell personal information obtained from/about minors. To obtain parental consent to sell the personal information of minors, a business must obtain consent that is additional to any verifiable parental consent obtained under the federal Children’s Online Privacy Protection Act (COPPA).
- Non-Discrimination: The draft regulations provide additional guidance on how to comply with the CCPA’s non-discrimination provisions. In particular, the regulations provide detail on calculating the value of consumer data for purposes of determining whether a price or service difference is “reasonably related” to the value of the consumer’s data.
- December 2, 2019 – Sacramento
- December 3, 2019 – Los Angeles
- December 4, 2019 – San Francisco
- December 5, 2019 – Fresno