On Oct. 10, 2019, the California Attorney General’s Office issued the California Consumer Privacy Act Proposed Regulations. The proposed regulations focus on the following CCPA provisions:

  1. notice to consumers;
  2. business practices for handling requests;
  3. verification of requests;
  4. special rules regarding minors; and
  5. nondiscrimination.

Organizations will have until December 8 to submit comments on the proposed regulations, and four public hearings will be held in early December to collect further comments.

Summary

While the proposed regulations are analyzed in detail below, businesses should be particularly aware of the following new requirements:

  • Privacy Policy Must Describe Verification Process. Among other things, a business’s privacy policy must describe (a) the verification process the business will use in relation to consumer requests to know, delete and opt out, including the information consumers must provide in relation to such process, and (b) how consumers can designate an authorized agent to make a request on their behalf.
  • Financial Incentives/Estimated Value of Consumer Data. Businesses offering financial incentives must provide consumers with an explanation of why the financial incentive is permitted under the CCPA, a good-faith estimate of the value of the consumer’s data in relation to the financial incentive, and a description of the method used to calculate the value.
  • Two-Step Deletion Process. Business must have a two-step deletion procedure whereby a consumer submits a deletion request online, and thereafter the business confirms the consumer wants their personal information deleted prior to honoring the deletion request.
  • Large Data Processors Must Publish Rights Metrics. A business that annually buys, receives, sells, or shares for commercial purposes the personal information of four million+ consumers, must be able to disclose the number of requests to know, delete, and opt out it received; the number it complied with in whole or in part; the number it denied; and the median number of days the business took to respond to such request for the previous calendar year.
  • Partial Opt-Out Choices. A business can provide more granular opt-out choices for selling, including presenting a consumer with the opportunity to opt out of only certain types of sales or certain data categories for sale, as long as the business displays the global, full opt-out more prominently.

Notices to Consumers

Article 2 contains specific notice requirements in regard to three areas under the CCPA:

  • collecting consumer personal information,
  • selling consumer personal information (opt-out right), and
  • offering a financial incentive in exchange for the retention or sale of consumer personal information.

Throughout all the notice sections in Article 2, the proposed regulations indicate the notices must be presented in plain, straightforward language, readable on small screens, be available in the languages which the business typically uses in conducting its operations, be accessible to consumers with disabilities, and be a form that allows the consumer to print it as a separate document.

Privacy Policy (§ 999.308). The regulations reiterate that the privacy policy must inform consumers of their right to know the personal information collected, disclosed, and sold, their right to deletion, their right to opt out of sales, their right not to be subject to discriminatory treatment by exercising their rights, who to contact for more information, and the last date the privacy policy was updated. However, they also require that a business must include the following information in its privacy policy:

  • describe the process the business will use to verify the consumer, including any information the consumer must provide;
  • state whether or not it sells personal information of minors under 16 years of age without affirmative authorization;
  • explain how a consumer can designate an authorized agent to make a request on behalf of the consumer; and
  • if the business annually buys, receives, sells, or shares for commercial purposes the personal information of more than four million consumers, it must provide information about the number of requests to know, delete, and opt out, and the median number of days the business took to respond to such request.

Notice of Collection of Personal Information (§ 999.305). A business can meet the notice requirement by providing a link to the business’s privacy policy. The regulations also provide that a business “may conspicuously post a link to the notice on the business’s website homepage or the mobile application’s download page, or on all the web pages where personal information is collected.” Where personal information is collected offline, a business can provide “notice on a printed form that collects personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to the web address where the notice can be found.”

Notice of Right to Opt Out of Sale of Personal Information (§ 999.306). Notice of the right to opt out of sale should inform consumers of their right to direct a business that sells (or may in the future sell) their personal information to stop selling and refrain from doing so in the future. A business is exempt from providing a notice of the right to opt out if it does not and will not sell personal information during the time period during which the notice is posted, and it states this in its privacy policy. When a business’s privacy policy states this, a consumer whose personal information is collected “shall be deemed to have validly submitted a request to opt-out.”

Not only must the opt-out notice advise of the right to opt out and provide a link to the business’s privacy policy, but it must also include information about:

  • the webform by which consumers can submit their opt-out requests online;
  • where the business does not operate a website, the offline method a consumer can use to opt out;
  • instructions on any other methods a consumer can use to opt out; and
  • the proof required when a consumer uses an authorized agent to exercise their opt-out rights.

A business that sells personal information “shall post the notice of the right to opt-out on the Internet webpage to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’ link on the website homepage or the download or landing page of the mobile application.” An opt-out button or logo “may be used in addition to posting the notice of the right to opt -out, but not in lieu of any posting of the notice.” Consequently, based on the “may” language, it appears a business that sells personal information will not be required to have the designated logo or button, but could merely have the words “Do Not Sell My Information” which when clicked takes the consumer to the information noted above in the business’s privacy policy.

Notice of Financial Incentive (§ 999.307). Notice of financial incentives must include the following information:

  • summary of the financial incentive or price or service difference offered;
  • a description of the material terms of the financial incentive, including the categories of personal information implicated by the financial incentive;
  • how consumers can opt in to the financial incentive;
  • a consumer’s right to withdraw from the financial incentive; and
  • an explanation of why the financial incentive is permitted under the CCPA, including a good-faith estimate of the value of the consumer’s data at issue in relation to the financial incentive and a description of the method used to calculate the value.

Consumer Rights Requests

Business Practices for Handling Consumer Requests

Submission Methods for Right to Know and to Delete (§ 999.312). Despite a bill pending before the Governor that would require an ecommerce business to provide only one method for consumers to assert their CCPA rights, the current CCPA statutory text requires a business to provide two or more designated methods for submitting requests to know (access) and requests for deletion. The proposed regulations give a business discretion in deciding the two methods it will offer to consumers.

Furthermore, the proposed regulations call for a two-step deletion procedure whereby a consumer submits a deletion request online, and thereafter the business separately confirms the consumer wants their personal information deleted prior to honoring the deletion request.

Requests to Know and Requests to Delete Timing (§ 999.313). Businesses must meet the following timeline:

  • 10 days: Within 10 days of receiving a request to know or a request to delete, a business must confirm receipt and provide information about how will process the request, including a description of the verification process, and when a consumer should expect a response.
  • 45 days: A business has 45 days to respond to a request, and the 45-day response period begins when the request is received by the business regardless of the time necessary to verify the request.
  • 90 Days: A business can extend the response period to a maximum total of 90 days if it provides the consumer with the notice and an explanation of why the extension is necessary.

Submission Methods for Requests to Opt-Out of Sales (§ 999.315). As outlined in the statutory text, businesses are required to provide two or more methods for consumers to submit opt-out requests to prevent their data from being sold, including at least a webform and a clear link on the business’s website. Of note, the proposed regulation provides businesses with a bit of flexibility, allowing the business to choose between two link titles: “Do Not Sell My Personal Information” or “Do Not Sell My Info.” Examples of other acceptable opt-out mechanisms include mail requests and user-controls (such as a privacy setting or browser setting).

The proposed regulation allows businesses to provide more granular opt-out choices, including presenting a consumer with the opportunity to only opt out of certain types of sales or certain data categories for sale, as long as the business displays the global, full opt-out more prominently.

Special Rules Regarding Minors. Businesses who knowingly collect the personal information of children under the age of 13 must create and maintain a process for parental or guardian consent to the sale of personal information of the child. Examples of appropriate processes include: a signed form, use of a credit card, telephone verification, and video-conferencing. For children between the ages of 13-16, the business must identify a reasonable method for allowing the minor to opt in to data sales, and inform them of their right to opt out and the process for doing so.

Verification of Requests

Verification of Requests (§ 999.323). The proposed regulations do not stipulate a particular method of consumer verification in conjunction with a rights request. Instead, businesses should implement risk-based approach for verifying or authenticating a consumer before fulfilling their rights request, weighing:

  • the type, sensitivity, and value of the information;
  • risk of harm to a consumer posed by unauthorized access or disclosure; and
  • the likelihood of fraudulent or malicious actors.

The proposed regulation further permits businesses to outsource the authentication process using a third-party identification service (a term newly defined by the proposed regulation). As with the GDPR, businesses should avoid authentication utilizing sensitive information unless necessary.

Verification Via User Accounts (§ 999.324). If the consumer maintains a password-protected account with the business, the business may verify the customer through their account, utilizing existing authentication procedures, so long as they require the consumer to re-authenticate before disclosing or deleting the consumer’s data.

Verification Without a User Account (§ 999.325). The proposed regulation specifically identifies the standard of certainty businesses should use in their verification processes when there is no user account associated with the individual. Requirements vary based on the type of request, and provide businesses with the ability to “match” the authenticating information to information already maintained by the business to verify the consumer:

  • Requests for the categories of personal information collected require the business to meet a reasonable degree of certainty, or the matching of at least two data points.
  • Requests for the specific pieces of personal information require the business to meet a high degree of reasonable certainty, or the at least three matching data points.
  • Requests for deletion should be scaled according to sensitivity of the data, and the risk of harm posed. Low-risk deletion requests require a reasonable level of certainty, while sensitive data deletion requires a high degree of reasonable certainty.     

Authorized Agents (§ 999.326). If an authorized agent submits a request on behalf of a consumer, the proposed regulation permits a business to require the consumer to provide written authorization for the agent to act on their behalf, and verify their own identity with the business.

Where a business cannot verify the identity of the person making the request, it is not required to honor the request and must inform the person that it cannot verify their identity. In relation to a deletion request, when a business cannot verify the identity of a person, the statutory text requires the business to treat the deletion request as a request to opt out of sale.

Responding to Requests

  1. Requests to Know

Businesses must use reasonable security measures when transmitting personal information, and are permitted to respond to access requests online when the consumer maintains a password-protected account with the business. The 12-month period covered by the request runs from the date the business received the request. In responding to requests to know, a business:

  • is not required to provide specific pieces of personal information if such disclosure would create a “substantial, articulable, and unreasonable risk” to the security of the information, consumer account, or the business’s security.
  • must never disclose a consumer’s Social Security number, driver’s license number, or other government-issued identification number, financial account number, health insurance, or medical identification number, an account password, or security questions or answers.
  • must inform consumers of the basis for its denial when it is based on a conflict with federal or state law or an exception to the CCPA.
  • must provide an individualized response to a consumer request to know categories of personal information, sources and third parties and not refer to the privacy policy unless its response would be the same for all consumers.

2. Requests to Delete

A business can comply with a deletion request by either permanently erasing the personal information on its existing systems, de-identifying the personal information, or aggregating the personal information. A business can delay compliance with the deletion request for information stored on archived or back-up systems until those systems are next accessed. In addition, a business can offer consumers an option to delete only select portions of their personal information, but must also offer the global deletion option.

In responding to the deletion request the business must disclose the manner of deletion, and inform the consumer that it will keep a record of the deletion request. Where a business denies a deletion request it must inform the consumer of the basis for the denial, delete any information not subject to the exception, and not use the retained information for any other purpose that provided for by the exception. 

Service Providers (§ 999.314). In relation to requests to know or delete, service providers have two options – directly respond to such requests, or inform the consumer to submit the request directly to the business, and when feasible provide the contact information for the business.

3. Opt Out of Selling

In addition to the statutory requirements, if the information has already been sold to a third party, the business is required to notify the third party of the opt-out decision and instruct them not to further sell the data. Once completed, the business should notify the consumer that it has taken such action.

Consumer Request Records

Record Keeping (§ 999.317). The draft regulations include new record keeping requirements for businesses, including requiring businesses to:

  • Keep a record of each consumer rights request received for at least 24 months. Such records shall not be used for any other purpose and can be maintained in a ticket or log format.
  • If the business receives, buys, sells, or shares the information of four million or more consumers, the business must keep, compile, and publicly post the following metrics regarding consumer rights requests:
    • The number of requests the business received for each right (know, delete, opt out),
    • The number of requests the business complied with and denied, and
    • The median number of days within which the business substantially responded.

Loyalty Programs, Non-Discrimination & Valuation of Data

Discriminatory Practices (§ 999.336). A business must notify consumers of any financial incentive price or service difference (i.e., a loyalty program) that it offers. The price difference must be reasonably related to the value of the consumer’s data. A business cannot provide a different price or otherwise treat a consumer differently because the consumer exercised their right to know, opt out, or delete.

Calculating the Value of Consumer Data (§ 999.337). A business offering a loyalty program or financial incentive program, must use (and document) a reasonable and good-faith method for calculating the value of their consumer data. The business must use one or more of the following methods:

  • The marginal value of the sale, collection, or deletion of an average consumer’s data,
  • The average value of the sale, collection, or deletion of an average consumer’s data,
  • Revenue or profit generated by the business from separate tiers or classes of consumer data,
  • Revenue generates by the sale, collection, deletion or retention of consumer data,
  • Expenses related to the sale, collection, deletion or retention of consumer data,
  • Expenses related to the offer, provision, or imposition of any financial incentive or price difference,
  • Profit generated by the business by the sale, collection, deletion or retention of consumer data, or
  • Any other practical or reliable method of calculation used in good faith.

Miscellaneous

Training (§ 999.317). Any employee handling consumer rights requests must be trained on the CCPA. Training policies and records must be maintained by the business.

Service Providers (§ 999.314). Based on the proposed regulations, an entity that collects personal information directly from a consumer on behalf of a business and would meet all other requirements of a service provider under the CCPA is considered a service provider under the CCPA. Pursuant to the statutory text, a service provider cannot use any personal information it receives in providing its services for the purposes of providing services to another entity.

Severability (§ 999.341). If any portion of the rule is held to be unconstitutional, contrary to statute, exceeding the authority of the AG, or otherwise inoperative, such decision will not affect the validity of the remaining portions of the regulations.