CCPA Countdown: Draft Regulations Add Clarity and New Requirements
On October 10, 2019, the California Attorney General issued its notice of proposed rulemaking containing its proposed CCPA Regulations. In many instances, the draft Regulations go beyond simply clarifying existing CCPA provisions and instead set forth new requirements that alter prior interpretations of the law.
This analysis highlights some of those provisions and expected next steps as we inch closer to the new year.
- Matching each category of personal information collected to the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information;
- A description of the process used to verify consumer requests;
- A statement of whether or not the business has disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months; and
- Additional disclosures for businesses that sell information of minors and businesses that process personal information of 4 million or more California consumers.
Do Not Sell (“DNS”) Notice. In addition to providing clarity around the formatting and content of the “DNS Notice” link for online services, the draft Regulations require businesses that “substantially interact” (which is undefined) with consumers offline to also make consumers aware of their right to opt-out by, for example, posting signage directing consumers to a website DNS Notice.
Consumer Requests and Verification
The draft Regulations also provide a significant amount of detail around how businesses are expected to handle consumer requests (such as requests to access their information), including detail regarding verification of the identity of the requestor.
DNS Requests. Per the draft Regulations, businesses not only have to act on Do Not Sell requests within 15 days after receipt, they also must inform anyone to whom data was sold in the prior 90 days of the request and instruct them not to sell the data further. This was not included in the statute and raises significant practical difficulties for certain types of potential sales. For instance, in targeted advertising, “upstream” partners and publishers often cannot currently do this look-back to inform “downstream” partners of new opt-outs, as usually neither party can match to the other’s identifiers. Further, the draft Regulations also require businesses to treat user-enabled privacy controls, such as a browser plugin, privacy setting, or other mechanism, that communicate or signal the consumer’s choice to opt out of the sale of their personal information as a valid request. While current Do Not Track signals and cookie blockers may not fall within this category, we do expect a proliferation of plugins and browser extensions that are explicitly designed to send a DNS signal and, as such, must be treated as valid DNS opt-outs.
Methods for Submitting Requests. The draft Regulations also now require businesses to provide two or more methods to submit access and deletion requests, and that one of the required methods for submitting requests reflect how the business primarily interacts with the consumer. This added obligation may require a business to offer three methods for access requests (e.g., retail stores with secondary websites must offer a toll-free number and an interactive webform to satisfy the existing CCPA requirements, and an in-person form to satisfy the new requirement). Unlike the CCPA itself, the Regulations also allow businesses to choose a method for receiving deletion requests, provided that one method reflects how the business primarily interacts with the consumer. Finally, despite providing businesses with some flexibility as to the methods they choose, the draft Regulations further require businesses to accept requests anywhere they receive them, either by processing the request as if it had been submitted appropriately or by directing the user to the business’ designated method for receiving requests.
Responding to Requests. The draft Regulations impose more granular requirements on how businesses may respond to access and deletion requests. Notably, these requirements address the information provided in the confirmation of receipt, the types of information that cannot be disclosed, individualized responses for right-to-know requests, and treatment of deletion requests.
Verification. The draft Regulations provide some much-needed clarity on how businesses are expected to verify consumer requests. For example, the draft Regulations set forth the factors that a business must consider when developing its verification process, including the type, sensitivity, and value of the personal information collected and the risk of harm to the consumer posed by any unauthorized access or deletion. They also make it clear that businesses should, whenever feasible, only use information already maintained about the user, and they set forth the different verification standards dependent on the specificity of the information requested (i.e., categories of data vs. specific pieces of information).
Additional New Requirements
While this analysis does not cover everything added or clarified within the draft Regulations, we want to call attention to the most notable components of the CA AG’s proposal.
In addition to the provisions addressed above, we also recommend businesses review:
- The prohibition on using personal information for any purpose that was not previously disclosed in the business’s point of collection notice unless the business directly provides notice and obtains explicit consent for the new use (whereas only notice is required in the text of the CCPA itself);
- The requirements for notice and consent for information resellers that do not collect personal information directly from consumers;
- The potential narrowing of the “service provider” exception to “sale” by explicitly prohibiting service providers from using personal information received from one customer (or from that customer’s users) for the purpose of providing services to another person or entity;
- The expansion of training requirements so that every business (and potentially every service provider) must now “inform” all personnel responsible for handling consumer requests, and all personnel responsible for CCPA compliance, about all aspects of the CCPA – not just a select few sections;
- The requirement that businesses must ensure that the person who authorizes the sale of the personal information of a child under 13 is actually that minor’s parent or guardian, which could mean that COPPA consent is not enough; and
- The requirement to calculate the value of consumers’ personal information as part of businesses’ non-discrimination obligations.
In many ways, the draft Regulations provide helpful clarity on several of the more complicated CCPA requirements, but they also introduce several new requirements that are neither reasonable nor clear.
Importantly, these draft Regulations are not yet final. The Regulations are open for public comment until December 6, 2019 and are expected to be finalized in the spring of 2020. Additionally, the AG’s office indicated that it will update the rules to reflect the amendments signed by Governor Newsom on October 11.
We look forward to a robust comment period.