Mic Drop: California AG releases long-awaited CCPA Rulemaking

Data Protection Report - digital privacy, CCPA and cybersecurity

On October 10, 2019, with just weeks to go until the law goes into effect, the California Attorney General released the long-awaited draft regulations for the California Consumer Privacy Act (CCPA).

The proposed rules shed light on how the California AG is interpreting and will be enforcing key sections of the CCPA. In the press release announcing the proposed regulations, Attorney General Becerra described CCPA as “[providing] consumers with groundbreaking new rights on the use of their personal information” and added, “It’s time we had control over the use of our personal data.”

The proposed regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law. In addition to the draft rules, the AG’s office also published a “CCPA Fact Sheet” and the “Initial Statement of Reasons,” which also provide insights as to the regulatory focus and enforcement priorities. According to the AG’s office, the draft rules summarized below, are needed to “[mitigate] the asymmetry of knowledge and power between individuals and businesses.” Businesses “must comply to the greatest extent it can” to give consumers greater control over their personal information: to vest consumers with the right to know details about how their personal information is collected, used, and shared by businesses; the right to take control of their information by having businesses delete it and stop selling it; and the right to exercise these privacy rights without suffering discrimination in price or service.

The rules are not final. The Attorney General will hold public hearings in four California cities during the first week of December to hear comments. Written comments will be accepted by the Attorney General until 5 PM (Pacific time) on December 6, 2019.

Below is a summary of the proposed regulations that may have the most impact for organizations who are seeking to operationalize the CCPA requirements in time for the January 1 deadline.

Article 1: Definitions

In addition to the definitions already set forth by CCPA, the proposed regulations define additional terms that will be important in interpreting the CCPA and how the California Attorney General will enforce the CCPA’s provisions. For example, “Household” is defined as “a person or group of people occupying a single dwelling” (999.301(h)). Article 3 provides rules on how requests to access or delete household information should be treated. We have received many questions from our clients on how to handle requests relating to the household. The rules answer some of these questions but they also add a new logistical step regarding how the businesses must design the web form to receive, verify and process requests relating to household data.

The rules also define “Third-party identity verification service” as “a security process offered by an independent third-party who verifies the identity of the consumer making a request to the business.” Article 4 of the proposed rules explicitly allows the business to use a third-party service to verify the consumer’s identity.

Article 2: Notices to Consumers

Article 2 requires businesses to give consumers notices of their privacy practices at or before the time personal information is collected. Notice should be provided in a clear, conspicuous and easy to understand format. Under the draft rules, businesses can only use consumer’s personal information in a manner that is consistent with the privacy notice provided to consumers at the time their information was collected. If a business wants to use personal information in a way not previously disclosed, the business must directly notify the consumer of this new use and obtain explicit consent.

The draft rules have added a new language and accessibility requirement. Notices must be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers. Notices must also be accessible to consumers with disabilities. At a minimum, businesses should provide information on how a consumer with a disability may access the notice in an alternative format. (999.305(a)(2)(d); 999.306(a)(2)(d); 999.307(a)(2)(d); and 999.308(a)(2)(d))The draft regulations make it clear that the notice requirement covers not only online but also offline collection of personal information. (999.308(a)(1) A business that substantially interacts with consumers offline shall also provide notice to the consumer by an offline method that facilitates consumer awareness of their right to opt-out. Such methods include, but are not limited to, printing the notice on paper forms that collect personal information, providing the consumer with a paper version of the notice, and posting signage directing consumers to a website where the notice can be found. (999.306(b)(2))
Businesses that sell information must provide a link, clear notice of the practice and instructions on how to opt out. (999.306(c))
Only businesses that sell personal information need to include a “Do No Sell My Info” link; businesses that do not sell personal information must state that they do not sell personal information. (999.306(d)
Businesses that provide financial incentives in exchange for the ability to sell a consumer’s information must explain the incentive or difference in price or service. (999.307(b)(5))
A business that does not collect personal information directly from consumers cannot “sell” a consumer’s personal information unless it has received signed attestations from the source of the personal information that a notice has been provided, including an example of the notice. These attestations must be retained by the business for at least two years and made available to the consumer upon request. (999.305(d))
For everyone that has been waiting for guidance on how an opt-out logo or button should look, no guidance was included in these draft rules. The AG’s office adds a note that guidance on the button or logo will be added in a modified version of the regulations at a later date. (999.306(e)

Article 3: Business Practices for Handling Consumer Requests

Article 3 addresses the AG’s rules on how businesses should receive and respond to consumer requests to invoke their rights to access (or “know”), delete or opt-out. The Article is broken into seven sections and includes specific sections on Service Providers and Training/Record-Keeping. In general, the rules provide guidance on how a business must respond to requests and what constitutes an acceptable response. Some of these rules are quite prescriptive and may not match with what businesses have planned to do as part of their current CCPA compliance program. For example:ser

Business must provide two or more methods for receiving requests including a toll free number at a minimum and an interactive web form if the business operates a website. The business must take into account its primary method of interacting with customers. Using a brick and mortar retail business as an example, the rules state that if the business operates a website but primarily interacts with customers in person at a retail location, the business shall offer three methods to submit requests to know a toll-free telephone number, an interactive webform accessible through the business’s website, and a form that can be submitted in person at the retail location. Even if the request is received in a manner that is not one of the designated methods of submission, e.g., online chats, businesses must still treat the request as if it had been submitted in accordance with the business’s designated manner or provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request. (See 999.312 (c) & (f)).
Business must use a two-step process for deletion requests: (1) the consumer must clearly submit a request to delete; and (2) the business must separately confirm the consumer wants to delete its personal information. (999.312 (d))
Business have ten (10) days to confirm receipt of a request for access or deletion and must provide in response information about “how the business will process the request.” (999.313 (a))
Unsurprisingly, a business shall not provide access to a consumer if the business cannot verify the consumer making the request. (999.313 (c)(1) & (2)) The rules however also state that “a business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk” to the security of the information, the business systems or the consumers account. (999.313 (c)(3)) A business is also prohibited from disclosing a consumer’s “Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password or security questions and answers.” It does not state whether partial redaction is preferable or if this means those specific pieces of information are now exempted from the consumer’s right to access. (999.313 (c)(4))
In response to request for access to categories of information, a business may not direct the consumer to the privacy policy, but must provide an individualized response. (999.313 (c)(9)).
In response to request to delete, a business may do one of three things: (1) permanently and completely delete; (2) de-identify; or (3) aggregate. (999.313 (d)(2)).
The draft rules have a new section on service providers. The impact of these proposed rules cannot be overstated for any organization that has been focused on figuring out if certain businesses are third parties or service providers. Directly addressing a scenario that has often caused confusion, the draft rules state that to the extent that a business directs a person or entity to collect personal information directly from a consumer on the business’s behalf, that person or entity shall be deemed a service provider for purposes of the CCPA and these draft regulations. On the contrary, the proposed rules state that a service provider cannot “use personal information received either from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity.” It is unclear whether this is meant to address the scenario of when businesses that are performing a service for another business may also use the personal information it has collected to improve the product or service for another person or entity. (999.314).
The proposed rules create a new requirement that a business that receives an opt-out request must notify all third-parties with whom it sold the data during the ninety (90) days prior to receiving the request of the consumer’s request to opt-out, and the business must instruct them not to sell the data in the future. (999.315 (f)).
The draft regulations create record keeping rules for businesses including a requirement for businesses to keep for 24 months any record of requests received and processed. Business that annually buy, receive, sell or share the personal information of more than 4,000,000 consumers must annually tabulate and report metrics regarding the impact of CCPA on the business. (999.317 (g))
Under the proposed rules, if a request to access or delete the household information is received from one of the members of the household and the consumer submitting the request does not have a password-protected account with the business, the business may respond to a request to know or request to delete household information by only providing aggregate household information. If all consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information, and the business can individually verify all the members of the household subject to verification requirements set forth in Article 4, then the business shall comply with the request. (999.318)

Article 4: Verification of Requests

The proposed regulations provide that a business must establish rules and methods to verify the identity of consumers who make requests. (999.323) In addition to matching the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, businesses may also use a third-party identity verification service to verify the consumer’s identity. The draft regulations provide a series of factors businesses must consider when determining the method of verification, including:

The type, sensitivity, and value of the personal information;
The risk of harm to the consumer posed by unauthorized access or deletion;
Likelihood that malicious actors would see the information;
Whether information provided can be protected against becoming spoofed or fabricated;
The manner which the business interacts with the consumer; and
Available technology for verification.

Other items to note:

When a consumer has a password-protected account with the business, traditional authentication practices (e.g., two-factor authentication) may be used to verify the consumer, and consumers must re-authenticate themselves prior to the disclosure or deletion of data. (99.324(a))
Businesses must not comply with any request where there is a suspicion of malicious activity until the consumer’s identity has been properly identified. (999.324(b))
In the case of non-accountholders, the draft regulations set forth differing standards for verification. (999.325)
When a consumer uses an authorized agent to request on his or her behalf a request to know or a request to delete personal information, businesses may require that the consumer either provide written permission to the agent or verify their own identity directly with the business. (999.326(a))Businesses can deny a request from a proposed agent, if the agent fails to submit proof that the consumer has authorized that agent to act on their behalf. (999.326 (c))

Article 5: Special rules regarding minors (defined as under 16)

With respect to minors under 13 years of age, CCPA requires an affirmative opt-in to a sale of personal information by the minor’s parent or guardian. The proposed regulations state that the business must establish a “reasonable method” for determining that the person authorizing the sale actually is the parent or guardian and this “affirmative authorization is in addition to any verifiable parental consent required under” COPPA (emphasis supplied). The draft regulation lists six methods that are considered “reasonably calculated” to achieve that result, including a consent form to be signed by the parent or guardian that is returned to the business by “postal mail, facsimile, or electronic scan,” or having the parent or guardian call a toll-free number staffed by “trained personnel.” When a business receives an affirmative authorization to opt-in, the business shall inform the parent or guardian of the right to opt-out at a later date and of the process for doing so on behalf of their child. (999.330)

For minors at least 13 and less than 16 years of age, the proposed regulations will require a two-step opt-in process. The minor must: (1) clearly request to opt-in and then, separately (2) confirm their choice to opt-in. Again, the business must inform the minor of the right to opt-out at a later date and of the process for doing so. (999.331).

Article 6: Non-Discrimination

The proposed regulations provide more guidance on what the CCPA means with regard to non-discrimination and financial incentive offerings.

The proposed rules provide two examples to help determine if a business practice is discriminatory (999.336(c)). In the first example, if a music streaming business offers a free service and a premium service that costs $5 per month, and only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

In the second example, a retail store may offer discounted prices to individuals who sign up for their mailing lists as long as the consumer can continue to receive discounted prices even after they have exercised a right (right to know, delete, opt out). As long as individuals who have exercised a right under the CCPA are not treated differently, offering discounts to consumers who sign up for their mailing lists is not discriminatory.

The proposed regulations would permit a business to offer a price or service difference if the difference is reasonably related to the value of the consumer’s data. The proposed regulations require the business to use and document a “reasonable and good faith method for calculating the value of the consumer’s data. (999.337) The draft regulations require that a business shall use one or more of the following factors when determining the value of a consumers data (though the last one provides a broad opening):

The marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value;
Revenue generated by the business from sale, collection, or retention of consumers’ personal information;
Expenses related to the sale, collection, or retention of consumers’ personal information;
Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;
Profit generated by the business from sale, collection, or retention of consumers’ personal information; and
Any other practical and reliable method of calculation used in good-faith.

Key Takeaways

The draft rules answer some questions businesses have been struggling with, including: how to treat household data, who is and is not a service provider, how can verification be done using only the information the consumer provided, and how can responses to access requests be delivered involving sensitive personal information without further exposing the business to potential liability. They also arguably increase the burden of complying with CCPA and create new obligations and requirements with less than 3 months until the law goes into effect. Moreover, these draft rules do not provide guidance on how an opt-out logo or button should look and they add many new layers to the notice and record keeping requirements. Lastly, if your business is in retail, it is worth noting that out of eight examples the AG’s office provided as illustrative real-life scenarios, the AG decided to highlight in three examples related to online and offline collection of personal information at retail locations. The only other industry that was highlighted was a music streaming business.

Once the comment period is closed on December 6, we anticipate the AG’s office will issue a second set of draft rules which will reflect the comments received. For any businesses that are interested in participating in the rulemaking, written comments can be submitted to:

Email: PrivacyRegulations@doj.ca.gov

Privacy Regulations Coordinator

California Office of the Attorney General

300 South Spring Street, First Floor

Los Angeles, CA 90013

If you would like further assistance understanding how these draft rules may impact your business or submitting comments, please contact any of the authors of this post.