In summer 2018, the California legislature drafted and passed the California Consumer Privacy Act (CCPA) with incredible dispatch and under what many would term duress in the face of a procedural deadline for a ballot initiative. That initiative would have added to the state constitution — with its supermajority amendment requirements — many of the provisions that ultimately found their way into the CCPA. The abbreviated legislative process, however, produced a bill with numerous gaps and anomalies.
While two rounds of amendments have sought to address those gaps and anomalies, the CCPA also includes provisions requiring the Attorney General to engage in a mandatory rulemaking process focused on numerous key aspects of the CCPA. Businesses, consumer advocates and privacy watchers have all been eagerly awaiting the Attorney General’s guidance, a wait that ended on October 10, 2019, when the Attorney General released the proposed text of his regulations.
The nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce: Put simply, the proposed regulations are significant and will have substantial implications for businesses’ ongoing efforts to comply with the CCPA, with less than three months remaining before the effective date. Even if they do not resolve all of the law’s many ambiguities, they do provide helpful implementation guidance, along with surprising new requirements, some of which arguably extend beyond the CCPA itself.
Against this backdrop, this Update highlights the most important takeaways from the Attorney General’s proposed regulations before providing a more detailed analysis of the full proposal. The piece then details the path forward from here, emphasizing an important fact: The proposed regulations are not set in stone, as the comment period for the regulations continues through December 6, and these comments will likely start what might be a lengthy administrative process that could result in material changes to the proposal.
Highlights
The Attorney General’s proposed regulations are thick with important provisions, and businesses should thus study the full regulations carefully. Nonetheless, before delving into a detailed analysis of the full proposal, in this Update we highlight several key aspects of the Attorney General’s proposal, including that the regulations:
- provide detailed guidance on the primary disclosures required by the CCPA, including notices “at or before the point of collection,” notices regarding consumers’ right to opt-out of the sale of personal information and to be free from discrimination for exercising their privacy rights, and updated privacy policies
- clarify that businesses generally do not have to provide notice “at or before the point of collection” if they are not collecting information directly from the consumer; in such circumstances, however, before selling the information in question, the business must either give the consumer an opportunity to opt out or obtain a “signed attestation” from the entity that collected the personal information that it provided notice at the point of collection to the consumer
- detail specific requirements for verifying the identity of consumers making CCPA rights requests, including directly prohibiting businesses from disclosing Social Security numbers, driver’s license and government-issued ID numbers, financial account numbers, health insurance or medical identification numbers, account passwords or security questions or answers
- require businesses that provide financial incentives for different types of products or services based on the value of the consumer’s information (e.g., free vs. paid streaming) to quantify the value of consumers’ information and disclose the value and methods used to calculate it
- put in place obligations that appear to extend beyond those contemplated by the CCPA, such as that businesses must (1) pass on opt-out requests to entities that have purchased the personal information at issue within the past 90 days and (2) maintain and disclose metrics if they handle the personal information of four million or more consumers each year
Detailed Analysis
The Attorney General’s proposed regulations, after a short general introductory and definitional article, contain five key substantive articles, each of which addresses a different topic: notices to consumers; business practices for handling consumer requests; verification of requests; special rules regarding minors; and nondiscrimination. Notably, the proposed regulations do not address other key outstanding concerns, specifically those related to the protection of trade secrets and intellectual property rights. This Update discusses each of these topics in turn.
Notices to Consumers (Article 2 of the Proposed Regulations)
One of the main objectives of the CCPA is to require businesses to be more transparent about what data they collect and how they use it. To this end, the CCPA, among other things, obligates businesses to:
- inform consumers “at or before the point of collection” of the categories of personal information it collects and the purposes for the collection
- provide consumers with notice of their right to opt out of the sale of personal information, including with a “Do Not Sell My Personal Information” link
- notify consumers when they are using financial incentives to collect personal information
- update their privacy policies with numerous disclosures
The Attorney General’s proposed regulations address each of these notice obligations.
General Guidance (Sections 998.305-08). To begin, the proposed regulations lay out certain general principles that apply to all forms of notice contemplated by the regulations. In particular, the regulations mandate that all the forms of notice identified above — including both the general privacy notice and the notice of the right to opt out — should be “designed and presented to the consumer in a way that is easy to read and understandable to an average consumer,” such that the notice shall:
- use “plain, straightforward language and avoid technical or legal jargon”
- use “a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable”
- be “available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers”
- be “accessible to consumers with disabilities” by, at a minimum, letting consumers with disabilities know how to access the notice in an alternative format
In addition, the proposed regulations make explicit that businesses interacting with consumers offline are still obligated to provide relevant notices, such as through “printed forms” or “prominent signage” where applicable.
Notice at or Before Point of Collection (§ 998.305). The proposed regulations provide a significant amount of clarifying guidance about a business’s obligation to provide notice “at or before the point of collection.”
Method of Providing Notice. Resolving a question left open by the CCPA, the proposed regulations allow businesses that collect personal information online to fulfill their “at or before the point of collection” disclosure obligations by displaying a link, at the point of collection, to the section of their privacy policy that contains the required disclosures. The Attorney General appears to have provided this guidance with the consumer experience in mind.
With respect to offline collection, the regulations note that businesses can include the notice on the form used to collect information, provide paper notices or simply post “prominent signage” directing consumers to their website.
Importance of Notice. The regulations have given more substance to the important concept of use compatibility and, in doing so, emphasize three ways in which the “at or before the point of collection” notice obligations may limit a business’s behavior:
- First, if a business wants to use the information in a new or different way than it has disclosed, it will need to obtain the consumer’s “explicit consent” before doing so.
- Second, if a business wants to collect personal information other than that disclosed, it must provide a new notice.
- Finally, the regulations make clear that if a business does not provide the relevant notice, it shall not collect personal information from the consumer. This introduces an outright data collection prohibition into the CCPA regime, which the statute itself does not contain.
These requirements underscore the importance businesses should attach to making the notices comprehensive in the first instance, limiting the need to return to the consumer for consent or with further notice.
Content of Notice. The regulations provide additional detail on what businesses must include in their notice “at or before the point of collection,” detailing four such items:
- a list of the categories of personal information about consumers to be collected, with the categories written to provide a “meaningful understanding of the information being collected”
- the “business or commercial purpose” for which the business will use each category of personal information collected
- the “Do Not Sell My Personal Information” link (if the business sells such information)
- a link to the business’s privacy policy
Notice Obligations When Not Collecting Directly From Consumer. The proposed regulations provide guidance on one of the more important issues left open by the CCPA: How should businesses provide notice “at or before the point of collection” if they are not collecting information directly from the consumer?
Pragmatically, the regulations do not require businesses to provide notice in such a situation. However, they do require businesses to take one of two steps before selling any information they did not collect directly from a consumer. In particular, in such circumstances that business must either (a) locate the consumer and give the consumer an opportunity to opt out, or (b) obtain a “signed attestation” from the entity that collected the personal information that explains how and provides an example of the notice provided at the point of collection to the consumer.
This obligation could impose significant recordkeeping, contracting and other compliance burdens on businesses that obtain personal information as well as on those that provide it. Given the potential recordkeeping difficulties, businesses that collect and then share or sell personal information should begin preparing to respond to requests for attestations.
Notice of Right to Opt Out of Sale (§ 998.306). The draft regulations did not reveal the long-awaited and eagerly anticipated “Do Not Sell” logo or button, as the Attorney General wants additional public input on the design. Businesses that sell personal information will thus need to prepare to include their own opt-out links entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info” until the logo is ready. The proposed regulations did, however, provide guidance on numerous aspects of opt-out of sale notices.
Method of Notice. The regulations make clear that businesses, when interacting with consumers online, must post the notice of right to opt out on the web page to which the consumer is directed after clicking on a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.
Businesses that “substantially interact” with consumers offline, on the other hand, must print the notice on paper forms that collect personal information, provide consumers with a paper version of the notice or simply “post signage” directing consumers to a website where the notice can be found. Moreover, the proposed regulations make clear that a business that does not operate a website “shall establish, document, and comply with” one of these offline methods for informing consumers of their opt-out rights.
Content of Notice. Whether provided online or off, an opt-out of sale notice, to be consistent with the proposed regulations, must provide the following information:
- a description of the consumer’s opt-out rights and of how the consumer can submit opt-out requests
- the form where consumers can submit requests online (or the primary method for offline requests)
- instructions for any other method by which the consumer may submit a request to opt out (as the CCPA requires two designated methods to opt out)
- a description of the proof the business will require to authenticate agents who want to act on the consumer’s behalf
- a link to the business’s privacy policy
Confirmation When Notice of Opt-Out Is Not Required. The regulations confirm that a business is exempt from the requirement to provide the consumer with notice of the consumer’s opt-out rights if the businesses “does not, and will not, sell personal information” and states as much in its privacy policy.
Interestingly, the proposed regulations impose consequences if businesses do not have an opt-out of sale button: “A consumer whose personal information is collected while a notice of right to opt-out notice is not posted shall be deemed to have validly submitted a request to opt-out.” It will therefore be particularly important for businesses to determine whether such a notice is necessary and may lead to a proliferation of opt-out of sale buttons for avoidance of doubt and to preserve future flexibility.
Notice of Financial Incentives (§ 998.307). Pursuant to the proposed regulations, a business must provide a notice of financial incentive either online (through a link to the appropriate section of the business’s privacy policy, if the business so desires) or at a physical location where consumers will see it before opting in to a financial incentive program. The regulations also provide detailed guidance on what this notice must include:
- a summary of the incentive program and its material terms, including the categories of personal information implicated by the financial incentive or price or service difference
- an explanation of how consumers can both opt in and withdraw from the program
- an explanation of why the incentive program is allowed, including an estimate of the value of a consumer’s data and a description of the method used to calculate that value
Privacy Policies (§ 998.308). The proposed regulations emphasize the importance of privacy policies to the CCPA’s overall scheme. They note that the privacy policy is where the business must provide consumers with a comprehensive description of its online and offline practices regarding how it collects, uses, sells or shares personal information and consumers’ rights regarding that information. The regulations also provide detailed guidance on how businesses must make privacy policies available and what such policies must include.
Method of Posting Privacy Policies. The regulations make clear that businesses should make their privacy policies readily available to consumers. Businesses that are online must post their privacy policies through a “conspicuous link using the word ‘privacy’ on [their] website homepage or on the download or landing page of a mobile application” and make sure that consumers can print out the policy as a separate document if they so desire. Any “California-specific description of consumers’ privacy rights” on a website must also include the privacy policy. Businesses without websites must make their privacy policies “conspicuously available to consumers.”
Content of Privacy Policies. The proposed regulations provide a detailed list of what businesses must include in their privacy policies, including some items the CCPA did not explicitly require to be included:
- Disclosures on Information Collected and Sold. As contemplated by the CCPA, under the regulations, businesses must list the categories of personal information they have collected in the previous 12 months and, for each category, the business or commercial purpose for which it was collected. They must further provide this information “in a manner that provides consumers a meaningful understanding of the information being collected.” The regulations also make clear that businesses must state whether they have disclosed or sold any personal information to third parties, list the categories of any such information it has disclosed or sold and state whether they have sold the personal information of minors under 16 years of age without affirmative authorization.
- Right to Know, Deletion and Opt-Out of Sale Requests. Businesses are obligated to inform consumers in the applicable privacy policy of consumers’ right to request information on the information the business collects, uses, discloses and sells; delete their personal information; and opt-out of the sale of their personal information. For right to know and deletion requests, businesses are further obligated to provide instructions for how consumers can vindicate those rights (including links to a request form or portal for making a request) and to describe how they will verify the request, including what information the consumer must provide. For opt-out requests, businesses must include the contents of or a link to the opt-out notice described above.
- Right to Nondiscrimination. The regulations require businesses to explain that they may not discriminate against consumers who exercise their CCPA rights.
- Authorized Agent. Additionally, the policy must describe how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
- Miscellaneous. The privacy policy must also include a business contact whom the consumer can reach “using a method reflecting the manner in which the business primarily interacts with the consumer”; the privacy policy’s last updated date; and (potentially) certain tracking information about the business’s CCPA compliance, which is described in more detail below.
Business Practices for Handling Consumer Requests (Article 3)
The draft regulations provide detailed guidance on — and potentially some significant new obligations regarding — how consumers must be able to submit right to know, deletion and opt-out requests, how businesses must respond to those requests and business’s related training and recordkeeping obligations. We discuss each in turn.
Methods for Submitting Requests (§ 998.312, § 998.315). Addressing some gaps in the CCPA, the regulations provide explicit guidance on how businesses must allow consumers to submit rights requests.
Right to Know and Deletion. Businesses must make two or more designated methods available for consumers to submit requests to know and requests to delete. In particular, for requests to know, all businesses must provide a toll-free number and, if the business operates a website, an interactive webform. Moreover, if the business operates a website but primarily interacts with consumers in retail locations, it will be required to add a third option that allows consumers to submit a form in person at those locations.
With respect to deletion requests, businesses have more flexibility to choose the two or more designated methods, although for both right to know and deletion requests “one method offered shall reflect the manner in which the business primarily interacts with the consumer.” If a business, furthermore, “does not interact directly with consumers in its ordinary course of business,” one of the methods by which a consumer may submit a right to know or deletion request must be online.
The regulations also subject deletion requests to a two-step process. Under the regulations, after a consumer submits a deletion request (step 1), a business must separately ask the consumer if they do, in fact, want their personal information deleted (step 2).
Finally, the regulations require businesses to be forgiving of consumers who make a mistake when submitting requests. The business must either treat such requests as valid or respond by providing consumers with “specific directions” about how to properly submit a request. (This rule does not pertain to requests that are deficient because they do not provide necessary verification information.)
Right to Opt Out. As with other types of requests, businesses must provide at least two methods of facilitating opt-out requests, one of which must reflect the manner in which the business primarily interacts with the consumer. All businesses are required to provide an “interactive webform” accessible via a “clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info’” as one of the methods.
Importantly, the regulations also make clear that businesses that collect information online must “treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request” for the “browser or device, or, if known, for the consumer.” These “user-enabled privacy controls” can serve as one of the two methods for facilitating opt-out requests.
Methods for Responding to Requests (§ 998.313-16, § 998.318). Much as with the submission of requests, the Attorney General’s regulations also provide detailed guidance on responding to consumer requests.
Timing of Responses
Right to Know and Deletion. While the CCPA requires that businesses respond to consumer requests to know or delete within 45 days, the regulations now require an interim step: Within 10 days of receipt of a request, the business must confirm its receipt of the request and provide the requestor with information about how the business will process the request. Those 10 days do not extend the 45-day response requirement, although the business may extend the deadline to a maximum total of 90 days if it provides consumers with notice and an explanation of the need for the extension. (The regulations further state that businesses that store personal information on archived or backup systems are allowed to extend the time by which they must respond to deletion requests with respect to such data until the archived or backup system is next accessed or used.)
Right to Opt Out of Sale. The regulations clarify that businesses must respond to requests to opt out within 15 days of receipt of the request, although they contain no requirement that a business provide an acknowledgment of receipt of such a request.
Specific Guidance on Right to Know Requests
Security Concerns. Addressing a key compliance issue for businesses, the proposed regulations provide a detailed set of rules on how businesses should incorporate data security concerns into their right to know responses. In particular, the regulations state as follows:
- If a business is unable to verify a consumer’s identity (using verification procedures discussed below) after the consumer requested specific pieces of information, the business “shall not disclose any specific pieces of personal information to the requestor and shall inform the consumer that it cannot verify their identity.” The business shall also evaluate the consumer’s request as a request for categories of information, with its more forgiving verification standard.
- If a business is unable to verify a consumer’s identity after the consumer requests categories of information, the business may deny the request to disclose the categories and inform the requestor that it cannot verify their identity. If the business denies a request in whole or in part on these grounds, it must “provide or direct the consumer to its general business practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy.”
- Business shall not provide consumers with “specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”
- The regulations flatly prohibit businesses from disclosing a consumer’s Social Security number, driver’s license number or government issued ID number, financial account number, health insurance or medical identification number, account password or security questions and answers in response to right to know requests.
- Businesses are required to use “reasonable security measures when transmitting personal information to the consumer.” If a consumer has a password-protected account with the business, the business can satisfy this requirement by allowing the consumer to “access, view, and receive a portable copy of their personal information if the portal fully discloses” the consumer’s personal information, uses reasonable data security controls and complies with the regulations’ verification requirements.
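The decision logic in the five points above can be expressed as a single response-building routine. The following is an added example written for this Update; it is not code from the Attorney General or from any business. The stored field names, the field-to-category mapping and the `risky_fields` input (the business’s own assessment of an unreasonable security risk, assumed to be made elsewhere) are assumptions for illustration.

```python
"""Apply the draft regulations' security rules to a right-to-know response.

Added example for this Update; not code from the Attorney General or any
business. The record layout, the field-to-category mapping and the
``risky_fields`` input are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Verification(Enum):
    NONE = "none"              # identity could not be verified at all
    CATEGORIES = "categories"  # verified to the (lower) standard for categories
    SPECIFIC = "specific"      # verified to the (higher) standard for specific pieces


# Elements the draft regulations flatly bar from disclosure in a response to a
# request to know. The field names are assumed; the categories are the page's.
NEVER_DISCLOSE = {
    "ssn", "drivers_license", "government_id", "financial_account",
    "health_insurance_id", "medical_id", "password",
    "security_question", "security_answer",
}

# Assumed mapping from stored field to a consumer-facing category.
CATEGORY_OF = {
    "email": "identifiers", "phone": "identifiers",
    "ssn": "government identifiers", "drivers_license": "government identifiers",
    "financial_account": "financial information",
    "password": "account credentials", "security_answer": "account credentials",
    "purchases": "commercial information",
}


@dataclass
class Response:
    status: str                       # "specific", "categories" or "denied"
    pieces: dict = field(default_factory=dict)
    categories: list = field(default_factory=list)
    notices: list = field(default_factory=list)


def categories_of(record):
    """Categories only: naming 'government identifiers' is allowed, the number is not."""
    return sorted({CATEGORY_OF.get(name, "other") for name in record})


def respond_to_request_to_know(record, request_type, verification, risky_fields=frozenset()):
    """record: stored field -> value for the requester.
    request_type: "specific" (pieces) or "categories".
    risky_fields: fields whose disclosure the business has assessed as creating a
    substantial, articulable and unreasonable risk; that assessment is assumed to
    happen elsewhere and this function only honours its result."""
    resp = Response(status="denied")

    if request_type == "specific":
        if verification is Verification.SPECIFIC:
            resp.status = "specific"
            for name, value in record.items():
                if name in NEVER_DISCLOSE:
                    continue  # categorical prohibition, regardless of verification
                if name in risky_fields:
                    resp.notices.append(f"{name}: withheld on security grounds")
                    continue  # partial denial: the remaining data is still provided
                resp.pieces[name] = value
            resp.categories = categories_of(record)
            return resp
        # Unverified for specific pieces: disclose none, say so, and re-evaluate
        # the request as one for categories under the lower standard.
        resp.notices.append("identity not verified for specific pieces")
        request_type = "categories"

    if verification in (Verification.CATEGORIES, Verification.SPECIFIC):
        resp.status = "categories"
        resp.categories = categories_of(record)
        return resp

    resp.notices.append("identity not verified; refer to general practices in privacy policy")
    return resp
```

The prohibited elements are dropped before any risk assessment runs, so a misconfigured `risky_fields` can never cause a Social Security number or password to be returned; the category of such an element is still reported, since the prohibition is on the value, not on acknowledging that the category was collected.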
Explanation of Denial. The proposed regulations further require a business, if it denies a consumer’s verified request to know specific pieces of information because of a CCPA exception or conflict with federal or state law, to explain the basis for the denial to the consumer. If a business partially denies a request, it must make the remaining information available to the consumer.
Content of Response. In terms of the content of a business’s right to know response, the regulations make clear that it must provide information from the 12 months that predate the consumer’s request, regardless of how long it took to verify that request. For each category of personal information the business has collected about the consumer, the business must provide the following information:
- the categories of sources from which personal information was collected (with the regulations providing helpful guidance about the level of detail required in describing the categories of the sources of personal information collected, with examples including “from the consumer directly, government entities from which public records are obtained, and consumer data resellers”)
- the business or commercial purpose for such collection
- the categories of third parties to whom the business sold or disclosed the particular category of personal information for a business purpose (with the regulations defining “categories of third parties” as “types of entities that do not collect personal information directly from consumers,” including advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and consumer data resellers)
- the business or commercial purpose for which it sold or disclosed the category of personal information
Finally, the regulations make clear that businesses must provide an individualized response to requests to know categories of personal information collected, categories of sources and/or categories of third parties rather than rely on general statements in the business’s privacy policy. This response must, moreover, describe the categories in a way that is meaningful to consumers. If, however, its response would be the same for all consumers, the business may refer consumers to the privacy policy if the policy contains — as it should regardless — all the information required to be in a response to a request to know such categories.
Specific Guidance on Right to Delete Requests
Methods of Deletion. A business must also inform the consumer of the method it will use to fulfill the consumer’s deletion request, with the proposed regulations providing three options:
- permanently and completely erasing the personal information on its existing systems, with the exception of archived or backup systems
- de-identifying the personal information
- aggregating the personal information
Denial of Deletion Requests and the Duty to Explain. The regulations make clear that a business may deny a consumer’s deletion request if it is unable to verify the consumer’s identity, although it must inform the consumer of that fact and, importantly, then treat the deletion request as a request to opt out of sale. The regulations further note that businesses are required to maintain a record of when they deny deletion requests, and they may only do so if they inform the consumer of the denial and its basis; delete the information not subject to the exception; and, importantly, do not use the personal information for any purpose other than that provided for by the deletion exception.
Partial Deletion Requests. Finally, the regulations clarify that businesses may give consumers the choice to delete “select portions” of their personal information so long as a global deletion option is “more prominently presented.”
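The two-step submission process, the three deletion methods, the archived-or-backup carve-out and the unverified-request rule described above fit together as one workflow. The following is an added example written for this Update, not code from the Attorney General or any business. The in-memory “live” store and backup snapshots, the field names, the HMAC key used for de-identification and the 10-day and 45-day bookkeeping are assumptions for illustration; aggregation is not modelled.

```python
"""Processing a request to delete under the draft regulations (Article 3).

Added example for this Update; not code from the Attorney General or any
business. The stores, field names, key and deadlines are assumptions.
"""
import hashlib
import hmac
from datetime import date, timedelta

DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}  # assumed field names


def deidentify(record, key):
    """Strip direct identifiers and replace the consumer id with a keyed token, so
    the remaining data cannot reasonably be linked back without the key."""
    token = hmac.new(key, record["consumer_id"].encode(), hashlib.sha256).hexdigest()[:16]
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS and k != "consumer_id"}
    kept["token"] = token
    return kept


class DeletionHandler:
    def __init__(self, live, backups, key, today):
        self.live = live          # consumer_id -> record (existing systems)
        self.backups = backups    # list of {"data": {consumer_id: record}} snapshots
        self.key = key
        self.today = today
        self.pending = {}         # step 1 received, awaiting step 2 confirmation
        self.fulfilled = set()    # ids whose deletion must also reach backups later
        self.denials = []         # the regulations require a record of denials
        self.opt_outs = set()     # unverified deletion requests become opt-outs

    def receive(self, consumer_id, verified):
        """Step 1 of the two-step process: log receipt, acknowledge within 10 days,
        respond within 45. An unverifiable request is denied, the consumer is told,
        and the request is treated as an opt-out of sale instead."""
        if not verified:
            self.denials.append((consumer_id, self.today, "identity not verified"))
            self.opt_outs.add(consumer_id)
            return "denied: unverified, treated as opt-out"
        self.pending[consumer_id] = {
            "received": self.today,
            "acknowledge_by": self.today + timedelta(days=10),
            "respond_by": self.today + timedelta(days=45),
        }
        return "received: confirmation required"

    def confirm(self, consumer_id, method="erase"):
        """Step 2: the consumer separately confirms; deletion then proceeds by the
        method the business told the consumer it would use."""
        if consumer_id not in self.pending:
            return "no pending request"
        if method not in ("erase", "deidentify"):
            raise ValueError("unsupported method")  # aggregation not modelled here
        record = self.live.pop(consumer_id, None)   # backups are left alone for now
        if method == "deidentify" and record is not None:
            anon = deidentify(record, self.key)
            self.live[anon["token"]] = anon
        del self.pending[consumer_id]
        self.fulfilled.add(consumer_id)
        return f"deleted by {method}"

    def on_backup_access(self, index):
        """Backup carve-out: purge fulfilled deletions when a backup is next accessed."""
        data = self.backups[index]["data"]
        removed = [cid for cid in list(data) if cid in self.fulfilled]
        for cid in removed:
            del data[cid]
        return removed
```

The `fulfilled` set is what makes the backup carve-out safe: a deletion is only considered complete for a snapshot once `on_backup_access` has run against it, so restoring an old backup cannot silently resurrect a record the business has already told the consumer it deleted.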
Specific Guidance on Requests to Opt Out of Sale
Obligation to Forward Opt-Out Requests. One of the most substantial provisions in the proposed regulations concerns how businesses should respond to opt-out requests. In particular, in what appears to be a new requirement that extends beyond those imposed by the CCPA itself, the regulations require businesses that sell personal information to forward any opt-out requests to any third parties to whom they sold personal information in the previous 90 days. The business must further inform the consumer when this step has been completed, and the third-party purchaser can continue to use, but cannot sell, the information.
No Verification for Opt-Out. The regulations further make clear that opt-out requests need not be a verifiable consumer request, although businesses can refuse to comply with requests if they have a “good faith, reasonable, and documented belief” that the request is fraudulent and inform the requestor of that belief. Consumers, moreover, may use authorized agents to submit opt-out requests on their behalf, if the consumer provides the agent with written permission to do so. (The regulations stipulate that “user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent.”)
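The opt-out rules discussed in this Update for user-enabled privacy controls, the 90-day forwarding obligation, the 15-day response window, the no-verification rule and the authorized-agent permission requirement can be modelled as one registry. The following is an added example written for this Update; it is not code from the Attorney General or from any business. The signal header name is a placeholder (the regulations name no particular control), the sales-ledger layout is invented, and “forwarding” is modelled as producing the list of purchasers to notify rather than actually contacting them.

```python
"""Opt-out of sale handling under the draft regulations (Article 3).

Added example for this Update; not code from the Attorney General or any
business. The header name, ledger layout and forwarding model are assumptions.
"""
from datetime import date, timedelta

# Placeholder for whatever header or setting a user-enabled privacy control
# uses to communicate the opt-out; the regulations name no particular one.
SIGNAL_HEADER = "x-opt-out-signal"


class OptOutRegistry:
    def __init__(self, sales_ledger, today):
        self.sales = sales_ledger   # (sale_date, purchaser, subject) tuples
        self.today = today
        self.opted_out = {}         # subject -> request record
        self.refusals = []          # documented good-faith refusals

    def purchasers_last_90_days(self, subject):
        """Third parties that bought this subject's data in the past 90 days;
        they must receive the opt-out and may keep using, but not resell, the data."""
        cutoff = self.today - timedelta(days=90)
        return sorted({p for d, p, s in self.sales if s == subject and d >= cutoff})

    def record_opt_out(self, subject, source, agent=None,
                       agent_written_permission=False, fraud_belief=None):
        """No verification is required. Refuse only for an agent without written
        permission or on a documented, good-faith, reasonable belief of fraud, and
        tell the requester why."""
        if agent is not None and not agent_written_permission:
            reason = "agent lacks written permission"
            self.refusals.append((subject, reason))
            return {"subject": subject, "status": "refused", "reason": reason}
        if fraud_belief:
            self.refusals.append((subject, fraud_belief))
            return {"subject": subject, "status": "refused", "reason": fraud_belief}
        rec = {
            "subject": subject, "status": "opted_out", "source": source, "agent": agent,
            "received": self.today,
            "respond_by": self.today + timedelta(days=15),
            "forwarded_to": self.purchasers_last_90_days(subject),
            "consumer_informed_of_forwarding": False,
        }
        self.opted_out[subject] = rec
        return rec

    def request_from_signal(self, headers, device_id, consumer_id=None):
        """A user-enabled control counts as a request directly from the consumer
        (never via an agent), for the browser/device or, if known, the consumer."""
        if headers.get(SIGNAL_HEADER) != "1":
            return None
        subject = consumer_id if consumer_id is not None else device_id
        return self.record_opt_out(subject, source="user-enabled privacy control")

    def mark_forwarding_done(self, subject):
        """Record that the consumer has been told the forwarding step is complete."""
        self.opted_out[subject]["consumer_informed_of_forwarding"] = True

    def may_sell(self, subject):
        return subject not in self.opted_out
```

Keying the opt-out on the consumer when known and on the device otherwise means a signal seen on a logged-in session stops sales for the whole account, while an anonymous device only blocks sales tied to that device; `may_sell` is the single check a downstream sale pipeline should consult.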
Opting Back In After Opting Out. Addressing an area of ambiguity in the CCPA, the regulations provide guidance on consumers opting back in to sale after previously opting out. First, business must employ a two-step process in such circumstances, whereby the consumer makes an initial opt-in request and then separately confirms the choice. Second, the regulations recognize that some transactions require the sale of a consumer’s personal information, and that when a consumer opts out of the sale of personal information, the business may not be able to complete the transaction. In these situations, the regulations create an exception to the 12-month prohibition on asking opted-out consumers to opt back in by allowing businesses to explain that the transaction requires a sale and to provide the consumer with instructions for opting in.
Partial Opt-Out Requests. Finally, much like with the right to delete, the regulations clarify that businesses may give consumers the choice to opt out of sales of “certain categories” of personal information so long as a global opt-out option is “more prominently presented” than other choices.
Service Providers. The regulations also address how service providers should respond to consumer requests.
Clarifying the Definition. The CCPA defines a service provider as an entity that “processes” personal information on behalf of a business pursuant to a written contract. The regulations clarify this definition by explaining that two types of entities can be service providers: those acting as a service provider for entities that are not CCPA businesses (e.g., nonprofits, governmental agencies) and those collecting personal information directly from a consumer on behalf of a business. This is particularly helpful for entities that act as a service provider for “persons” who are not a corporate entity that would qualify as a “business” under the CCPA.
Limitations of Service Providers’ Use of Personal Information. The regulations clear up a statutory ambiguity by stating that a service provider cannot use the personal information provided to it, or that it collects on behalf of a business, to provide services to another person or entity. The only exception to this general rule is when the service provider must combine personal information received from multiple businesses to provide data security or to protect against fraudulent or illegal activity.
Consumer Requests Made to Service Providers. Finally, the regulations provide guidance on what service providers should do if they receive a request directly from a consumer “regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services.” First, the regulations acknowledge that service providers might in some cases “comply with the request.” Second, the regulations note that if the service provider does not respond to the request (presumably because it is not explicitly authorized or is explicitly prohibited by the business to do so), it shall provide an explanation “of the basis for the denial” to the consumer and shall inform the consumer that they should submit the request directly to the business the service provider is servicing (with contact information “when feasible”). This thus establishes affirmative response obligations on service providers that do not otherwise exist in the CCPA — which had previously put the burden of responses solely on the “business.”
Household Information. The regulations attempt to address another area that has presented implementation challenges — household information.
Definition. To begin, the regulations provide a welcome definition of “household”: a person or group of people occupying a single dwelling.
Limitations on Need to Respond to Household Requests. Recognizing that one consumer’s rights could adversely affect the rights of others in the consumer’s household, the regulations provide two key limitations on household requests:
- First, a business is required to comply with an access request for household personal information only if the request is jointly submitted by all consumers in the household and the business can verify the identity of each member of the household.
- Second, at least insofar as the requests concern household information, businesses may respond to requests to know and delete submitted by consumers who do not have password-protected accounts by providing “aggregate household information.”
Recordkeeping and Training (§ 998.317). The final portion of the section of the regulations discussing consumer requests concerns recordkeeping and training, and this section includes some new requirements that may present compliance challenges for businesses.
Training. First, the regulations require businesses to inform all “individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA” about “all the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.”
Recordkeeping Requirements. Second, businesses are required to retain records of CCPA requests and their response for at least 24 months. The business may maintain these records in a ticket or log format, if the format includes the date and nature of the request, the manner in which the consumer made the request, the date and nature of the response and the basis for any denial. The business cannot use this recordkeeping information for any other purpose.
Metrics and Disclosures for Large Businesses. Third, and most important, the proposed regulations impose significant new recordkeeping and disclosure obligations on businesses that “alone or in combination, annually buy, sell, receive or share for commercial purposes, the personal information of 4,000,000 or more consumers.” These businesses must compile and disclose, within their privacy policy or on their website, the number of right to know, delete, and opt-out requests they received; whether they complied with or denied, in whole or in part, those requests; and the median time taken to respond. These same businesses must also have a documented, written training policy that informs individuals responsible for handling CCPA requests, or for the business’s compliance with the CCPA, about the law’s requirements.
Verification of Requests (Article 4)
Recognizing the challenges raised by the need to verify consumer requests, the CCPA directed the Attorney General to make this topic one of the key points covered in the regulations. The regulations do not disappoint in this respect, as they provide detailed verification guidance.
General Rules (§ 998.323). The regulations lay out a number of general principles to govern businesses’ verification responsibilities.
Written Verification Plan. First, businesses must have a written verification plan that documents the methods the business will use to verify the identities of people who submit requests to know or delete personal information. While businesses must consider various factors (described below) in developing the plan, the regulations are designed to provide businesses with “a significant amount of discretion and flexibility,” while setting the baseline requirement that the methods chosen be “reasonable.” Initial Statement of Reasons at p. 29. Critically, while some of the regulation’s provisions are required, many of the specific procedures are crafted with safe harbor language, advising on what a business “may” do to verify certain categories of consumers.
In particular, the proposed regulations direct businesses, where feasible, to verify by matching information provided by the consumer against information the business already has on file, and to avoid collecting additional personal information unless it is necessary for verification purposes. (If a business does collect personal information in order to verify, it must use it only for verification or for security or fraud prevention, and it must delete the information as soon as practical after processing the request.) The regulations further direct businesses to consider the following six factors in developing their plans:
- the “type, sensitivity, and value” of the personal information collected
- the risk of harm to the consumer posed by any unauthorized access or deletion
- the likelihood that bad actors will seek the personal information at issue
- the degree to which any personal information provided for verification will protect against “fraudulent requests or being spoofed or fabricated”
- the manner in which the business interacts with the consumer
- available technology for verification
Need for Security Measures. The regulations require businesses to implement “reasonable security measures” to detect “fraudulent identity-verification activity” and thereby prevent unauthorized access to, or deletion of, a consumer’s personal information.
No Need to Reidentify. Confirming an important aspect of the CCPA, the regulations make clear that if a business maintains consumer information that is de-identified, “a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.”
Verification for Password-Protected Accounts (§ 998.324). The regulations require businesses to use a two-factor verification process, at a minimum, to authenticate consumers with password-protected accounts who submit access or deletion requests. First, the business may verify such consumers using the existing authentication procedures for the account. Second, the business is required to have the consumer reauthenticate in another manner consistent with the type, sensitivity and value to the consumer of the information at issue. These verification procedures represent a floor: If the business suspects fraudulent activity, it may require additional verification, as it may if the type of information that could be disclosed warrants even greater security.
Verification for Nonaccountholders (§ 998.325).
Standards for Verification. The standards a business must use to verify the identity of consumers who do not have an account with the business vary depending on the type of request made.
Access Request for Categories of Personal Information. To verify access requests for categories of information, businesses need to obtain “reasonable degree of certainty,” which “may include matching at least two data points provided by a consumer” with reliable data points maintained by the business.
Access Request for Specific Pieces of Personal Information. Given the sensitivity of these requests, the regulations require businesses to verify the identity of the consumer with a “reasonably high degree of certainty.” Although the regulations provide no one-size-fits-all way to meet this standard, they do provide as an example: (a) matching three pieces of personal information provided by the consumer with personal information maintained by the business, and (b) obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. (Businesses are to maintain all such signed declarations as part of their recordkeeping responsibilities.)
Requests to Delete. For deletion requests, businesses are to use a different verification standard (“high” or “reasonable” certainty) depending on the sensitivity of the personal information and the risk of harm to the consumer posed by an unauthorized deletion. The regulations use a request to delete family photographs as an example that would require a high level of certainty, as opposed to a request to delete browsing history, which would require only a “reasonable” level of certainty.
No Reasonable Method. If a business concludes that there is “no reasonable method” by which it “can verify the identity of the consumer to the degree of certainty required” by the regulations, the business must explain this to the consumer and, “if this is the case for all consumers whose personal information the business holds,” note it in the business’s privacy policy. The business shall revisit this conclusion on a yearly basis. This provision may be critical for businesses that collect certain limited technical information about site visitors but are unable to necessarily match such information to particular individual consumers to respond to an access request.
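The tiers described above for §§ 998.324 and 998.325 lend themselves to being encoded as a policy rather than left to case-by-case judgment. The following is an added, illustrative example written for this Update; it is not code from the regulations or from any business. It maps each request type to a degree of certainty, counts the data points a non-accountholder supplies that match what the business already holds (using constant-time comparison so that response timing does not reveal which field failed), requires the signed declaration for the “reasonably high” tier, checks the two-step login-plus-reauthentication path for accountholders, and produces the ticket fields the recordkeeping section requires. The thresholds (two and three matching data points), the field names, the treatment of sensitive deletions and the sample record are all assumptions, modelled on the regulations’ own examples.

```python
"""Risk-tiered verification of CCPA requests to know / delete (illustrative example).

Assumptions (not from the regulations): the match thresholds per tier, the field
names, that a "high" deletion tier also needs a signed declaration, and the
constructed sample record below.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
import hmac
import re


class Tier(Enum):
    REASONABLE = "reasonable"            # categories of PI; low-harm deletions
    REASONABLY_HIGH = "reasonably high"  # specific pieces of PI
    HIGH = "high"                        # sensitive deletions, e.g. family photographs


# Minimum matching data points per tier (assumption modelled on the regulations'
# examples: two for "reasonable", three for "reasonably high").
MIN_MATCHES = {Tier.REASONABLE: 2, Tier.REASONABLY_HIGH: 3, Tier.HIGH: 3}
# Tiers that also require a signed declaration under penalty of perjury.
NEEDS_DECLARATION = {Tier.REASONABLY_HIGH, Tier.HIGH}

# Constructed sample record a business might hold for one consumer (not real data).
SAMPLE_ON_FILE = {"email": "ana@example.com",
                  "phone": "+1 (415) 555-0100",
                  "postal_code": "94105"}


def required_tier(request_type: str, sensitive: bool) -> Tier:
    """Map a request type (and the sensitivity of the data at issue) to a tier."""
    if request_type == "know_categories":
        return Tier.REASONABLE
    if request_type == "know_specific":
        return Tier.REASONABLY_HIGH
    if request_type == "delete":
        # Regulations' example: family photographs -> high; browsing history -> reasonable.
        return Tier.HIGH if sensitive else Tier.REASONABLE
    raise ValueError(f"unknown request type: {request_type}")


def normalize(name: str, value: str) -> str:
    """Canonicalise a data point so formatting differences do not defeat a match."""
    v = value.strip().lower()
    if name == "phone":
        v = re.sub(r"\D", "", v)[-10:]   # compare the last ten digits only
    elif name == "postal_code":
        v = re.sub(r"\s", "", v)[:5]
    return v


def count_matches(provided: dict, on_file: dict) -> int:
    """Count supplied data points that match what the business already maintains.

    Fields the business does not hold are never counted, and the comparison is
    constant-time so timing does not reveal which field was wrong.
    """
    matches = 0
    for name, value in provided.items():
        if name not in on_file:
            continue
        a = normalize(name, value).encode()
        b = normalize(name, on_file[name]).encode()
        if hmac.compare_digest(a, b):
            matches += 1
    return matches


@dataclass
class Decision:
    verified: bool
    tier: Tier
    basis: str  # the explanation owed to the consumer when a request is denied


def verify_nonaccountholder(request_type: str, sensitive: bool, provided: dict,
                            on_file: dict, signed_declaration: bool = False) -> Decision:
    """Apply the tier for the request to a consumer without a password-protected account."""
    tier = required_tier(request_type, sensitive)
    matches = count_matches(provided, on_file)
    if matches < MIN_MATCHES[tier]:
        return Decision(False, tier,
                        f"only {matches} of {MIN_MATCHES[tier]} required data points matched")
    if tier in NEEDS_DECLARATION and not signed_declaration:
        return Decision(False, tier, "signed declaration under penalty of perjury missing")
    return Decision(True, tier, "identity verified")


def verify_accountholder(authenticated: bool, reauthenticated: bool) -> Decision:
    """Password-protected accounts: the existing login plus a separate re-authentication."""
    if not authenticated:
        return Decision(False, Tier.REASONABLE, "not authenticated to the account")
    if not reauthenticated:
        return Decision(False, Tier.REASONABLY_HIGH, "re-authentication step not completed")
    return Decision(True, Tier.REASONABLY_HIGH, "account login and re-authentication passed")


def log_entry(request_type: str, manner: str, decision: Decision) -> dict:
    """Ticket fields the regulations require a business to keep for 24 months."""
    now = datetime.now(timezone.utc).isoformat()
    return {"request_date": now, "nature": request_type, "manner": manner,
            "response_date": now, "response": "complied" if decision.verified else "denied",
            "denial_basis": None if decision.verified else decision.basis}


if __name__ == "__main__":
    supplied = {"email": "Ana@Example.com ", "phone": "415-555-0100"}
    d = verify_nonaccountholder("know_specific", False, supplied, SAMPLE_ON_FILE)
    print(log_entry("know_specific", "webform", d))
```

Note that a consumer who supplies a field the business does not hold (a national ID number, say) gains no matches from it, which is the regulations’ direction not to collect more personal information than verification needs; and the “no reasonable method” outcome above maps onto a `Decision` whose `basis` is returned to the consumer and retained in the log.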
Authorized Agents (§ 998.326). The regulations do not provide detailed guidance on the level of verification required of authorized agents. Rather, absent the agent holding a valid power of attorney, the regulations simply state that a business may require a consumer to verify their identity directly with the business, even when the consumer wishes to use an authorized agent. Businesses can further require agents to present written proof of authorization and may deny the agent’s request if they fail to do so.
Special Rules Regarding Minors (Article 5)
Minors Under 13 Years Old (§ 998.330). A business that has actual knowledge that it collects or maintains the personal information of children under the age of 13 shall establish, document, and comply with a “reasonable method for determining that the person affirmatively authorizing the sale” of the child’s information is the parent or guardian of the child. Moreover, this authorization must be “in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act,” and the business must notify the parent or guardian of the right to opt out at any time.
According to the regulations, reasonable methods for determining that a parent or guardian is the one providing authorization include:
- providing a written consent form returned by postal mail, fax or electronic scan (not email)
- requiring the parent to use a credit or debit card or other payment system that provides notification of each transaction
- having a parent or guardian connect to trained personnel by phone, videoconference or in person
- checking the parent or guardian’s government-issued ID against databases that would facilitate verification
Minors 13 to 16 Years of Age (§ 998.331). Minors in this age range must consent to the sale of their personal information through a two-step opt-in process: an initial opt-in consent followed by a separate second consent. Businesses must also, “at a later date,” notify these minors of their right to opt out.
General Provisions (§ 998.332). A business that is subject to the requirements detailed above with respect to the personal information of children under the age of 16 must include a description of the processes set forth above in its privacy policy. That said, “a business that exclusively targets consumers under 16 years of age and does not sell the personal information of such minors without their affirmative authorization, or the affirmative authorization of their parent or guardian for minors under 13 years of age, is not required to provide the notice of right to opt-out.”
Nondiscrimination (Article 6)
Like the CCPA itself, the proposed regulations emphasize that a business violates the CCPA’s nondiscrimination principle if it treats consumers differently simply because they exercise their CCPA rights. Nonetheless, consistent with the most recent CCPA amendments, the regulations make clear that a business may offer a price or service difference if it is “reasonably related to the value of the consumer’s data to the business,” and that charging a fee for a manifestly unfounded or excessive rights request is not discriminatory. The regulations further state that a business shall use a reasonable and good-faith method to calculate the value of the consumer’s data, using one or more of the following methodologies:
- the marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data
- the average value to the business of the sale, collection or deletion of a consumer’s data or a typical consumer’s data
- revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value
- revenue generated by the business from sale, collection or retention of consumers’ personal information
- expenses related to the sale, collection or retention of consumers’ personal information
- expenses related to the offer, provision or imposition of any financial incentive or price or service difference
- profit generated by the business from sale, collection or retention of consumers’ personal information
- any other practical and reliable method of calculation used in good faith
The Path Forward
While the proposed regulations are significant, they are only a draft and are not legally binding. It may not be until well into next year that the Attorney General is able to finalize them.
Businesses and other members of the public can comment on the draft regulations and suggest changes until December 6. They can make comments in writing or during the four public forums scheduled around the state in early December.
Once the comment period closes, the Attorney General must respond in writing and explain the reasons for adopting or rejecting each comment. We expect this process to take some time, as the volume of comments is likely to be substantial. If the Attorney General changes the regulations in response to the comments, the cycle begins again with a new notice and comment period (although it could be shorter, depending on the type of changes made).
Once the Attorney General finalizes a draft of the regulations, the Office of Administrative Law (OAL) will need to approve them to ensure they are consistent with the statute and other legal requirements. The OAL has 30 working days to approve the regulations and file them with the Secretary of State.
In the unlikely event that the regulations can be filed by the end of February, they will take effect on April 1. If they are filed after the end of February but before May 31, the more probable course, they will take effect on July 1, the statutory deadline.
Meanwhile, the CCPA itself still goes into effect on January 1, and businesses may quickly begin seeing data subject rights requests, let alone the potential for data breach litigation pursuant to the private right of action. Even if the regulations are not final, they are useful as businesses prepare for the dawning of at least some parts of the new CCPA era.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.