Proposed Regulations Under the CCPA Provide Some Clarity, But Questions Remain

October 25, 2019 Alerts and Newsletters

Earlier this month, the California Attorney General issued long-awaited proposed regulations (“Proposed Rule”) under the California Consumer Privacy Act (“CCPA”)[1] along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons explaining the Proposed Rule. The Proposed Rule focuses primarily on notices to consumers, handling consumer requests, and identity verification requirements but also includes details and clarifications of other CCPA requirements. Below, we highlight the key provisions found in the Proposed Rule.

Notices to Consumers

The Proposed Rule clarifies the four types of consumer notice requirements under the CCPA: (i) notice at the time of collection, (ii) notice of the right to opt-out of the sale of personal information, (iii) notice of financial incentives, and (iv) the privacy policy. Of particular note, the Proposed Rule specifies that the notice at the time of collection must be provided in a way that is visible and accessible to consumers prior to collecting any personal information. In the notice at the time of collection, the business must describe the categories of personal information to be collected, the purposes for which the business will use each category, and notice of the right to opt out of sale (if applicable). A business may satisfy the requirement for notice at the time of collection by providing either a link to the relevant information on its website privacy policy or for off-line information collection, posting signage or providing paper forms that include the web address for the business’s privacy policy. Additionally, the Proposed Rule extends beyond the statutory language of the CCPA by requiring a business to not only notify but also obtain explicit consent from the consumer in order to use the consumer’s personal information for additional purposes not described in the notice at the time of collection.

Businesses that do not collect personal information directly from consumers will not be required to provide a notice at time of collection. Instead, before selling any personal information, these businesses must either provide notice of the right to opt-out of the sale to consumers or obtain a signed attestation from the original source of the personal information that the original source previously provided such opt-out notice to the consumer.

Consumer Requests

Another area where the Proposed Rule provides considerable procedural details is in connection with receiving and responding to consumer individual rights requests. Businesses must provide at least two methods[2] for consumers to submit a request to know or a request to delete, one of which must mirror how the business primarily interacts with consumers. According to the Proposed Rule, in-person businesses may need three methods for consumers to submit requests, including a paper form, an online form, and a toll-free number.

Upon receiving a request to know or to delete, businesses would be required to confirm receipt within 10 days and respond within 45 days (with an option for one 45 day extension) regardless of how long it takes to verify the identity of the consumer making the request. With respect to consumer requests to opt-out of the sale of personal information, businesses must respond within 15 days and advise all third parties to whom the business has sold the consumer’s personal information in the past 90 days to stop selling the consumer’s information. Additionally, businesses must treat user enabled privacy controls, such as on a browser, as a valid request to opt-out of the sale of personal information in the same manner as if the request was made by the consumer through one of the methods offered by the business.

The Proposed Rule imposes administrative requirements related to handling consumer requests as well. Specifically, businesses must train staff responsible for fielding consumer inquiries and maintain request records for 24 months.

Verification of Consumer Requests

The Proposed Rule requires businesses to adopt reasonable methods for verifying the identity of consumers making requests to know and requests to delete based on various factors including the type, sensitivity, and value of the personal information involved and potential risk of harm to consumers. During the verification process, businesses should only confirm information already in its records and avoid collecting new personal information if feasible. If a consumer possesses a password-protected account with a business, the business may verify the individual’s identity though the consumer’s account provided that the consumer re-authenticate themselves. In order to verify non-accountholders, businesses must undertake a verification process to verify the consumer’s identity to either a reasonable degree of certainty for disclosing categories of personal information or a reasonably high degree of certainty for disclosing specific pieces of personal information. In all cases, businesses must implement reasonable security measures to detect fraudulent identity-verification activity.

Notably, a request to opt-out of the sale of personal information need not be verified in the same manner as other individual rights requests, but if the business has a good-faith belief that the request is fraudulent, it may deny the request.

Service Providers

In the Initial Statement of Reasons, the California Attorney General acknowledged that the CCPA creates unintended consequences due to the manner in which “service provider” is defined in the statute. The Proposed Rule clarifies that an entity providing services to a non-business (e.g., non-profit or government agency) that otherwise meets the requirements of a “service provider” in the CCPA shall be deemed to be a service provider. The practical effect of this clarification is that a service provider who processes personal information on behalf of non-businesses need not comply with consumer requests related to such information where the non-business entity that owns or controls the information would not be required to do so. It is important to note, however, that any such service provider that is itself a “business” must still comply with the CCPA and consumer requests with respect to any personal information that it collects, maintains, or sells outside of its role as a service provider.

The Proposed Rule permits a service provider to deny consumer requests to know and requests to delete that it may receive in its role as service provider if it informs the consumer of the reason for denial, advises the consumer to submit the request directly to the business on whose behalf it processes information, and if feasible, provides contact information for that business. The last requirement is intended to assist consumers who may not know the identity of the business that has control of the personal information. Importantly, the Proposed Rule also states that service providers collecting personal information on behalf of a business may not use that personal information to provide services to another person or entity (with limited exceptions in order to detect data security incidents or protect against fraudulent or illegal activity).


The Proposed Rule provides additional details clarifying the CCPA requirement that businesses must obtain consent from parents authorizing the sale of personal information of children under age 13. This consent is in addition to any “verifiable parental consent” required under the Children’s Online Privacy Protection Act (COPPA). The Proposed Rule also provide examples of acceptable methods of verifying that the person providing consent is the parent or guardian of the child. A business that has actual knowledge that it collects or maintains the personal information of children age13, 14 or 15 must establish and comply with a process to allow such children to opt-in to the sale of their personal information.


Businesses that offer a financial incentive or price or service difference in exchange for the retention or sale of a consumer’s personal information must provide a notice of financial incentive to consumers. The notice requirement is designed to enable consumers to make an informed choice about whether to opt-in to the incentive or differential price or service. However, any financial incentive or a price or service difference that causes a business to treat a consumer differently because the consumer exercises a right under the CCPA is deemed to be discriminatory and prohibited unless the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. The Proposed Rule provides illustrative examples and guidance as to methods for calculating the value of consumer data for this purpose. Businesses that seek to offer a financial incentive, charge a different price or provide a different level of service to consumers who elect to opt out of the sale of personal information should closely adhere to the valuation guidance and document their methodology.

The Proposed Rule provides some needed clarifications to facilitate compliance with the CCPA; however, there remains significant uncertainty as to many aspects of the law, such as interpretation of the statutory exemptions. Interested stakeholders may submit written comments regarding the proposed CCPA regulations. Comments are due by 5 P.M. Pacific Time on December 6, 2019. In addition, the California Attorney General will hold four public forums in various California cities during the week of December 2, 2019. Final regulations are expected by summer of 2020. If you would like to become directly involved in this conversation or if you have questions involving the Proposed Rule or the CCPA more broadly, please contact your regular Verrill attorney.

[1] On October 11, 2019, California Governor Gavin Newsom signed into law seven CCPA amendment bills passed by the state legislature. The next opportunity to amend the CCPA will be in the 2020 legislative session.

[2] Amendment AB 1564, which was passed by the California legislature and subsequently signed into law by Newsom on October 11, 2019, would allow a business that operates solely online and has a direct relationship with consumers to provide only one method to submit a request to know, which can be an email address. The final regulations will need to reflect this change in the law.

Firm Highlights


HHS Confirms Providers’ Right to 340B Discount Pricing for Contract Pharmacies

As a holiday gift to providers, the U.S. Department of Health and Human Services (HHS) General Counsel recently issued a strongly worded Advisory Opinion indicating that federal law requires drug manufacturers to deliver covered...


Massachusetts Insurers Receive $100M from Obamacare

On March 11, 2021 Boston Business Journal published an article, "Feds have paid Mass. insurers over $100M from Obamacare settlement," discussing that the cash influx could reduce premium increases in the third quarter of...


Potential Lasting Solutions for Health Care

On February 26, Boston Business Journal published an article, "There Has to be a Better Way," discussing potential lasting solutions for behavioral health care and surprise billing. Health care attorney Jim Roosevelt states in...


Patent Litigation: Medical Device

Defended company medical device manufacturer against claimed infringement of expired patent relating to laser hair removal; obtained stay of matter pending reexamination of patent, which resulted in cancelling of all allegedly infringing claims and...


340B Providers Get Partial Relief from New Dispute Resolution Regulation

1. 340B ADR Process Established At long last, more than ten years after Congress directed it to do so, HHS has finalized an alternative dispute resolution (“ADR”) process for both providers and pharmaceutical manufacturers...


Verrill Welcomes Jeffrey A. Smagula, Experienced Health Care and Life Sciences Attorney, Former Health Plan Compliance Executive

(May 12, 2021) – Verrill is pleased to welcome Jeffrey A. Smagula to the firm’s Boston office as Counsel in its nationally recognized Health Care & Life Sciences Group. Jeff Smagula brings to Verrill...


Verrill Welcomes Health Care Attorney Alicia Siani

(February 2, 2021) – Verrill is pleased to welcome health care attorney Alicia Siani to the firm’s Boston, Massachusetts office. Siani represents clients in a wide range of regulatory issues, including HIPAA privacy matters...


“If I've told you once, I've told you eight times…” HHS OIG Issues Another Audit Report on Hospitals’ Failure to Report Credits for Explanted Cardiac Devices and Lays the Groundwork Collection of Overpayments


Massachusetts Health Care Bill Makes Several Significant Changes

While you were celebrating the New Year, Governor Baker signed Chapter 260 of the Acts of 2020, an “Act promoting a resilient health care system that puts patients first,” the result of the Legislature’s...


Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition.

Health care attorney Paul Shaw co-authored Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition with Robert Griffith, published by the American Health Law Association (AHLA). Paul and Robert provide legal...

Contact Verrill at (855) 307 0700