Doing Business in California: Proposed California Consumer Privacy Act Regulations Now Out for Comment
Two months remain before companies doing business in California must comply with updated consumer protection regulations that take effect January 1, 2020. Earlier this month, California’s Attorney General published proposed comprehensive regulations (Proposed Regulations) to the California Consumer Privacy Act of 2018 (CCPA). The Proposed Regulations clarify and interpret some of the notoriously ambiguous provisions of the CCPA and do so by reinforcing its basic principles through detailed and prescriptive procedures. They also establish some entirely new requirements and raise new questions about what a business needs to do to get ready for the CCPA.
The Proposed Regulations are complicated and cover a lot of territory. This article is intended to provide a starting point for privacy practitioners who are tasked with implementing the CCPA for their businesses, and an overview for senior management who need to allocate resources and priorities to the task.
For background on the CCPA and its provisions, please see our detailed review of the requirements at Part I and Part II, as well as our discussion of recent amendments to the statute.
Learn more about the CCPA and continued evolution of U.S. privacy protections across the 50 states (and DC), by registering for our upcoming cybersecurity training session. The online training session will be held on November 13, 2019 from 12:00 p.m. – 1:00 p.m. (EDT). Register here.
New Required “Notices to Consumers”
The Proposed Regulations require that companies provide three new “Notices to Consumers” regarding the “headline” rights under the CCPA. These Notices must be clearly visible on the company’s website, any mobile application(s), and paper materials used by the company to interact with consumers, including:
Notice at Collection
The Notice details the company’s data collection practices, including the categories of data collected and the commercial purpose for collection, as well as a disclosure of the consumer’s right to opt out of collection.
Notice of Right to Opt Out
This Notice is the webpage to which the consumer is directed upon clicking the “Do Not Sell My Personal Information Link” on the company’s website or mobile application. If online, the Notice must include a webform used to make the opt-out request. If the business substantially interacts with consumers offline, the business also must make the Notice and ability to exercise the opt-out option readily available to consumers offline. The Notice must explain the consumer’s right to opt-out and provide instructions for completing the opt-out form. The Notice of Right to Opt Out is not required if the business does not “sell” personal information (defined in the CCPA to include any exchange for monetary or other valuable consideration) and states in its privacy policy that it does not and will not sell personal information.
Notice of Financial Incentive
This Notice explains to the consumer any “financial incentives” the company might provide to allow it to continue collecting, selling, or retaining data. The Notice must state the terms of the incentives, a “good faith estimate” of the value of the consumer’s data, and the method by which the value was calculated. Not surprisingly, and raising more questions, the term “financial incentive” has a broad definition in the Proposed Regulations. One question is whether the offer of a modest benefit, such as access to the results of a survey or a whitepaper, constitutes a financial incentive program. Businesses frequently make offers of modest benefits to begin or maintain their own marketing relationship with a consumer, and not for purposes of selling the data to third parties. Whether these direct, for-own-use marketing programs require a Notice of Financial Incentive appears to require further clarification by the rule-makers.
Common Elements for the Notices to Consumers
Presentation Requirements
Certain elements are common to all Notices; they must be:
- Easy to read and understandable to an average consumer.
- Written in plain, non-technical language that provides the reader with a “meaningful understanding” of the content.
- Formatted to draw attention to the Notice.
- Readable on small screens (i.e., mobile apps).
- Available in the languages customarily used by the business for communicating with consumers.
In addition, the Notices must be accessible to consumers with disabilities or, at a minimum, provide information about how to access the Notice in an alternative format.
Links to Privacy Policy for Content Requirements
The Proposed Regulations also confirm that many of the disclosures required in the three Notices may be presented by means of a link in the webform to the pertinent sections of the company’s online privacy policy if they cover all the required information. Businesses may want to take advantage of this cross-referencing presentation because it will centralize the required content in one location (the privacy policy) thereby streamlining the process of making future updates and revisions to the Notices. This will have the interesting side effect of enabling all consumers, regardless of residence, to have access to a company’s CCPA-mandated disclosures even though their own states’ laws do not require that level of disclosure and even though the company may limit the ability to exercise the CCPA-granted consumer rights to California residents only.
New Method for Consumers to Opt Out: User-Enabled Privacy Controls
In a potentially game-changing addition, the Proposed Regulations provide that consumers may exercise their right to opt out of the sale of their personal information through “user-enabled privacy controls” such as a browser plugin or privacy setting.
Elections made by user-enabled privacy controls have the potential to greatly increase the number of consumers who opt out of data sales, because individuals using browser plugins or privacy settings may be able to make broad opt-out elections rather than having to submit a separate opt-out to each organization collecting their data. In the explanatory information published with the Proposed Regulations, the reason given for introducing this opt-out mechanism is to stimulate “innovation” by the browser and device industry to develop mechanisms to further the purposes of the CCPA and to goad businesses to pay attention to consumer tools. (The drafters may have in mind the voluntary Do Not Track option, which has not been widely adopted.)
Currently, user-enabled privacy controls are built into some operating systems; for example, “Limit Ad Tracking” (restricts the amount of information uploaded to advertisers about usage of the device), “Prevent Cross-Site Tracking” (prohibits advertisers and other third-party content providers from tracking a user from one site to another), and “Block Cookies” (cookies gather data about individuals who visit a website). But developers and businesses will need to address the novel practical and technical considerations presented by the CCPA. A “Do Not Sell” signal embedded in the settings of a device or browser could be sent to a website when the user accesses that website and block the data collected by internet technologies so those data cannot be sold to a third party. But how will a business be alerted to an opt-out that a consumer makes at the device or browser level so that the business can recognize and honor the opt-out for information collected and used in other ways, or for information collected before the opt-out was made? We will continue to follow this proposed new method of submitting a “Do Not Sell My Personal Information” direction as it is debated throughout the notice-and-comment process for the Proposed Regulations.
New Record Keeping Requirements
A business must maintain – for 24 months – detailed records of how it handled and responded to each consumer request received. This information can be maintained in a ticket or log that details the manner of request and the business’s response.
In addition, businesses that “receive” personal information from at least 4,000,000 consumers annually are now required to collect metrics on:
- The number of each type of request received and “complied with” (i.e., Requests to Know, Deletion Requests, and Opt-Out Requests).
- The median number of days within which the business substantively responded to each type of request.
- If a request is denied in whole or in part, the basis for denial.
The metrics must be disclosed in the business’s privacy policy, whether directly or through a link included in the privacy policy. It is not clear, however, how the 4,000,000 consumer number is to be measured. For example, are individual website visitors to be counted if only internet tracking data is collected (e.g., cookies but no other identifying information)? What about repeat visitors? The Proposed Regulations are unclear as to who precisely would be included and which users count towards this minimum user requirement.
Clarification of Service Provider Responsibilities
Recall that a “service provider,” by definition, is exempt from most of the CCPA with respect to personal information it processes solely on behalf of a business for a business purpose of that business if prescribed restrictions on the service provider’s use of the personal information are memorialized in a written contract. The Proposed Regulations clarify what responsibilities a service provider has to respond to a direct consumer request to know or a request to delete personal information in its hands. The service provider must either:
- Comply with the request or explain the reason for denying the request.
- Direct the consumer to the business for which the service provider processes the consumer’s information.
Given this latitude, businesses should carefully consider the contractual obligations of service providers and whether allowing (or, alternatively, requiring) service providers to fulfill a consumer’s request is desirable.
Additional Notable Clarifications
In addition to the changes discussed above, the Proposed Regulations include both guidance and mandates about what a business needs to do to meet some of the requirements of the CCPA, including (but not limited to) the following:
1. Procedures by which Consumers may Submit Requests
- Requirement to provide at least two methods for consumers to submit Right to Know or Right to Delete requests, including a toll-free telephone number and a webform (for businesses with an online presence) for a Right to Know request (subject to increase depending on how the business normally interacts with a consumer).
- A two-step process for a consumer to confirm a Right to Delete request.
- Extension of the staff training requirement of the CCPA to cover training about the Regulations and how to direct consumers to exercise their right under the Regulations and the CCPA. Although not specifically required, businesses would be wise to keep records of the trainings and staff participation.
2. Requirements Related to a Business’s Response to Consumer Requests
- Requirement to confirm – within 10 days – receipt of a consumer’s Right to Know or Right to Delete request.
- Detailed requirements for what must be included in the response to a consumer request and when a generic form of response is permitted.
- Details on how to verify the identity of a consumer who submits a request—which are more or less stringent depending on the sensitivity of the information requested and whether the consumer has a password-protected account.
- Procedures on what to do if the business has reason to decline to honor all or part of a consumer request.
3. Substantive Clarifications of Previously Ambiguous Issues
- Eight non-exclusive methods for calculating the “value of a consumer’s data” in order to establish that a price or service-benefit offered in exchange for the consumer data is non-discriminatory (and therefore permitted under the CCPA).
- Clarification that a business is prohibited from sending sensitive personally identifiable information in a Right to Know response.
- Clarification that service providers are directly responsible for violations of CCPA.
- Clarification about what is a “household” and how to handle a Right to Know or Right to Delete request involving household information.
- Details on what is necessary for a person to be designated as an “authorized agent” acting on behalf of a consumer.
- Clarification about what is required to obtain consent to collect information about a minor.
We anticipate the CCPA regulations will continue to evolve before going into effect on January 1, 2020. Buchanan’s Cybersecurity team is committed to closely monitoring the changes and will continue to provide you with information regarding the most recent developments.