What Does This Mean for Covered Businesses?
Two important privacy law developments took place last week in California. On 10 October 2019, the California Attorney General (AG) published its proposed regulations under the California Consumer Privacy Act (CCPA), and on 11 October 2019, Governor Gavin Newsom signed several bills that were passed in mid-September amending the CCPA (click here for a summary of those amendments).
In this alert, we summarize some of the key requirements in the proposed CCPA regulations. While they clarify some aspects of California’s new comprehensive privacy law, they also expand on and introduce new requirements and regulatory ambiguities. At this point, these regulations are still in draft, and the AG is formally soliciting public comments until December 6, 2019. Since the CCPA will become operative just a few weeks later on January 1, 2020, companies should carefully consider these regulatory developments as part of any ongoing work to achieve CCPA readiness.
The regulations, however, contain detailed requirements regarding where these notices must appear and what they must say, and also require all notices to:
Be easy to read and understandable to an average consumer.
Use plain language and avoid technical or legal jargon.
Use a format that draws the individual's attention to them and makes them readable, including on smaller screens, if applicable.
Be available in the languages that the organization ordinarily uses in its ordinary course of business.
Be accessible to individuals with disabilities.
The following are examples of other noteworthy requirements proposed by the AG:
Notice at Collection: A business must describe the categories of personal information that it will collect from California residents in a manner that provides them with a meaningful understanding of the information being collected and, for each category of personal information, the business or commercial purposes for which it will be used.
A business may only collect from California residents the categories of personal information listed in such notice, and if a business wishes to use personal information for a purpose not previously disclosed in the notice, it must obtain explicit consent before doing so.
Moreover, if a business does not collect information directly from California residents, it need not provide them with a notice at collection, but additional requirements apply if that business intends to sell the information.
Include a description of California residents' right to opt-out.
Incorporate a webform consumers can use to submit a request to opt-out (or an offline equivalent if the business does not operate a website).
Describe the proof required if a California consumer wishes to use an authorized agent to exercise their right to opt-out.
The business must also provide a clear and conspicuous link to this notice entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on any webpage where it collects California residents’ personal information.
Notice of Financial Incentive: If a business offers a financial incentive (e.g., a discount to use a service) to California residents in exchange for the right to collect, retain, or sell their personal information—which is only permitted if the value of the incentive is reasonably related to the value of the individual’s data—the business must provide a notice that:
Summarizes the incentive.
Describes the material terms of the incentive (including the categories of personal information implicated)
Explains how the California resident can opt-in to and withdraw from the incentive.
Outlines why the incentive is permitted under the CCPA based on the value of the data at issue.
A business must use and document a reasonable and good faith method for calculating the value of the consumer’s data based on a list of factors in the regulations.
Categories of sources from which that information was collected.
Business or commercial purposes for which the information was collected.
Categories of third parties with whom the business shares personal information.
Handling and Verifying CCPA Requests
The CCPA establishes new privacy rights for California residents, including the right to access copies of the information that a business holds about them and other details about how their information is processed (“right to know”), the right to have a business delete certain information about them (“right to delete”), and the right to opt out of a business’ selling of personal information about them (“right to opt-out”). The AG’s draft regulations, however, go on to clarify that it is the primarily responsibility of a business—and not a service provider—to give effect to these rights with respect to the personal information that it processes as a business under the CCPA. The regulations also include detailed requirements regarding how companies must handle requests to exercise CCPA rights, including the channels that must be made available for individuals to submit their requests, the content and timeline of responses, and how to verify the identity of the requestor. For example, consider the following.
Requests to Know: Businesses have 10 days to confirm receipt of the request and 45 days by default to respond to it. Businesses may take into account security risks when determining how to respond to requests, and is prohibited from disclosing certain sensitive categories of information to requestors, including Social Security numbers, government ID numbers, passwords and security questions and answers. If a California resident seeks details about how a business uses personal information about them, the response must generally be individualized to the requestor and explain how the specific personal information was processed. Denials of requests must also be explained.
Requests to Delete: Businesses must implement a two-step process to receive, and then confirm deletion requests. Businesses have 10 days to confirm receipt and 45 days by default to respond. A business may give effect to a request by permanently erasing, de-identifying, or aggregating the personal information at issue. There is a limited exception for backup and archived copies of personal information. If a business relies on a statutory exception to deny the request, it must explain the basis of the denial, delete any information outside the scope of the exception, and not use personal information about the requestor except in accordance with the exception. If a business cannot verify the identity of the requestor, it must treat the request as a request to opt-out of sale.
Requests to Opt-Out: Businesses that collect personal information online must treat user-enabled privacy controls (such as a browser plugin, privacy setting or other mechanism) that communicate or signal California residents’ choice to opt-out of the sale of their personal information as a valid opt-out request. A business must act on a request to opt-out as soon as feasibly possible and no later than 15 days from receipt, and has 90 days to instruct all third parties to whom it sold personal information about the California resident to not further sell the information, following which the business must notify the individual that this has been completed. Businesses must respond to requests to opt-out even if they are not verified, but there is an exception if they believe the request is fraudulent. This elaboration of CCPA’s opt-out requirements could prove challenging for organizations to implement.
Verification: The regulations establish certain principles and rules regarding how businesses must verify the identity of requestors, which vary based on the type of personal information and request at issue. For example, the more sensitive the information at issue, the more stringent the verification process must be. Verifying the identity of an individual who wishes to know the categories of personal information processed about them requires a “reasonable degree of certainty,” whereas verifying the identity of an individual who wishes to know the specific pieces of personal information that a business holds about them requires a “high degree of certainty.” Little clarity is provided on how to implement these regulatory standards.
Also, businesses must generally avoid requesting additional information from the consumer for purposes of verification, though it may do so if necessary, in which case they must delete any such additional information as soon as practical after processing the request except pursuant to prescribed record-keeping requirements.
Authorized Agents: When a consumer uses an authorized agent to submit a request to know or delete, a business can require: (i) the authorized agent to submit a written permission with the request to know or delete; and (ii) the consumer to directly verify their identity with the business. If the proof is not submitted, the business may deny the request. This does not apply if the authorized agent is acting under power of attorney pursuant to Probate Code sections 4000 and 4465.
Special Rules regarding Minors
Again, it is important to note that the AG’s regulations are still in draft, and more developments may unfold once the official public comment period ends on December 6, 2019. In the meantime, if you have any questions about this legislative development or any other privacy or technology law matter, please do not hesitate to reach out to one of the Contact Partners listed below.
Contributors: Harry Valetk & Jonathan Tam.