Proposed Regulations Under the CCPA Provide Some Clarity, But Questions Remain

Earlier this month, the California Attorney General issued long-awaited proposed regulations (“Proposed Rule”) under the California Consumer Privacy Act (“CCPA”)[1] along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons explaining the Proposed Rule. The Proposed Rule focuses primarily on notices to consumers, handling consumer requests, and identity verification requirements but also includes details and clarifications of other CCPA requirements. Below, we highlight the key provisions found in the Proposed Rule.

Notices to Consumers

The Proposed Rule clarifies the four types of consumer notice requirements under the CCPA: (i) notice at the time of collection, (ii) notice of the right to opt-out of the sale of personal information, (iii) notice of financial incentives, and (iv) the privacy policy. Of particular note, the Proposed Rule specifies that the notice at the time of collection must be provided in a way that is visible and accessible to consumers prior to collecting any personal information. In the notice at the time of collection, the business must describe the categories of personal information to be collected, the purposes for which the business will use each category, and notice of the right to opt out of sale (if applicable). A business may satisfy the requirement for notice at the time of collection by providing either a link to the relevant information on its website privacy policy or for off-line information collection, posting signage or providing paper forms that include the web address for the business’s privacy policy. Additionally, the Proposed Rule extends beyond the statutory language of the CCPA by requiring a business to not only notify but also obtain explicit consent from the consumer in order to use the consumer’s personal information for additional purposes not described in the notice at the time of collection.

Businesses that do not collect personal information directly from consumers will not be required to provide a notice at time of collection. Instead, before selling any personal information, these businesses must either provide notice of the right to opt-out of the sale to consumers or obtain a signed attestation from the original source of the personal information that the original source previously provided such opt-out notice to the consumer.

Consumer Requests

Another area where the Proposed Rule provides considerable procedural details is in connection with receiving and responding to consumer individual rights requests. Businesses must provide at least two methods[2] for consumers to submit a request to know or a request to delete, one of which must mirror how the business primarily interacts with consumers. According to the Proposed Rule, in-person businesses may need three methods for consumers to submit requests, including a paper form, an online form, and a toll-free number.

Upon receiving a request to know or to delete, businesses would be required to confirm receipt within 10 days and respond within 45 days (with an option for one 45 day extension) regardless of how long it takes to verify the identity of the consumer making the request. With respect to consumer requests to opt-out of the sale of personal information, businesses must respond within 15 days and advise all third parties to whom the business has sold the consumer’s personal information in the past 90 days to stop selling the consumer’s information. Additionally, businesses must treat user enabled privacy controls, such as on a browser, as a valid request to opt-out of the sale of personal information in the same manner as if the request was made by the consumer through one of the methods offered by the business.

The Proposed Rule imposes administrative requirements related to handling consumer requests as well. Specifically, businesses must train staff responsible for fielding consumer inquiries and maintain request records for 24 months.

Verification of Consumer Requests

The Proposed Rule requires businesses to adopt reasonable methods for verifying the identity of consumers making requests to know and requests to delete based on various factors including the type, sensitivity, and value of the personal information involved and potential risk of harm to consumers. During the verification process, businesses should only confirm information already in its records and avoid collecting new personal information if feasible. If a consumer possesses a password-protected account with a business, the business may verify the individual’s identity though the consumer’s account provided that the consumer re-authenticate themselves. In order to verify non-accountholders, businesses must undertake a verification process to verify the consumer’s identity to either a reasonable degree of certainty for disclosing categories of personal information or a reasonably high degree of certainty for disclosing specific pieces of personal information. In all cases, businesses must implement reasonable security measures to detect fraudulent identity-verification activity.

Notably, a request to opt-out of the sale of personal information need not be verified in the same manner as other individual rights requests, but if the business has a good-faith belief that the request is fraudulent, it may deny the request.

Service Providers

In the Initial Statement of Reasons, the California Attorney General acknowledged that the CCPA creates unintended consequences due to the manner in which “service provider” is defined in the statute. The Proposed Rule clarifies that an entity providing services to a non-business (e.g., non-profit or government agency) that otherwise meets the requirements of a “service provider” in the CCPA shall be deemed to be a service provider. The practical effect of this clarification is that a service provider who processes personal information on behalf of non-businesses need not comply with consumer requests related to such information where the non-business entity that owns or controls the information would not be required to do so. It is important to note, however, that any such service provider that is itself a “business” must still comply with the CCPA and consumer requests with respect to any personal information that it collects, maintains, or sells outside of its role as a service provider.

The Proposed Rule permits a service provider to deny consumer requests to know and requests to delete that it may receive in its role as service provider if it informs the consumer of the reason for denial, advises the consumer to submit the request directly to the business on whose behalf it processes information, and if feasible, provides contact information for that business. The last requirement is intended to assist consumers who may not know the identity of the business that has control of the personal information. Importantly, the Proposed Rule also states that service providers collecting personal information on behalf of a business may not use that personal information to provide services to another person or entity (with limited exceptions in order to detect data security incidents or protect against fraudulent or illegal activity).

Minors

The Proposed Rule provides additional details clarifying the CCPA requirement that businesses must obtain consent from parents authorizing the sale of personal information of children under age 13. This consent is in addition to any “verifiable parental consent” required under the Children’s Online Privacy Protection Act (COPPA). The Proposed Rule also provide examples of acceptable methods of verifying that the person providing consent is the parent or guardian of the child. A business that has actual knowledge that it collects or maintains the personal information of children age13, 14 or 15 must establish and comply with a process to allow such children to opt-in to the sale of their personal information.

Non-Discrimination

Businesses that offer a financial incentive or price or service difference in exchange for the retention or sale of a consumer’s personal information must provide a notice of financial incentive to consumers. The notice requirement is designed to enable consumers to make an informed choice about whether to opt-in to the incentive or differential price or service. However, any financial incentive or a price or service difference that causes a business to treat a consumer differently because the consumer exercises a right under the CCPA is deemed to be discriminatory and prohibited unless the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. The Proposed Rule provides illustrative examples and guidance as to methods for calculating the value of consumer data for this purpose. Businesses that seek to offer a financial incentive, charge a different price or provide a different level of service to consumers who elect to opt out of the sale of personal information should closely adhere to the valuation guidance and document their methodology.

The Proposed Rule provides some needed clarifications to facilitate compliance with the CCPA; however, there remains significant uncertainty as to many aspects of the law, such as interpretation of the statutory exemptions. Interested stakeholders may submit written comments regarding the proposed CCPA regulations. Comments are due by 5 P.M. Pacific Time on December 6, 2019. In addition, the California Attorney General will hold four public forums in various California cities during the week of December 2, 2019. Final regulations are expected by summer of 2020. If you would like to become directly involved in this conversation or if you have questions involving the Proposed Rule or the CCPA more broadly, please contact your regular Verrill attorney.