California AG Issues Long-Awaited CCPA Implementation Regulations

10/11/2019
Client Alert

With just over two months until the California Consumer Privacy Act of 2018 (CCPA) becomes operative, California Attorney General (AG) Xavier Becerra has issued draft regulations to guide covered businesses’ implementation of the groundbreaking privacy law. The proposed regulations address several CCPA provisions that explicitly call for the AG’s input, as well as others that have been the subject of confusion, criticism, or discussion (see our recaps of the public forums that AG Becerra held throughout the state).

In announcing the release of the regulations at a press conference on October 10, 2019, AG Becerra noted that they seek to clarify five specific components of the CCPA – required notices to consumers, handling consumers’ CCPA rights requests, verifying consumers’ identities, protecting minors’ data, and antidiscrimination and financial incentives – and that they are designed to give businesses a “degree of flexibility” in developing their own compliance procedures and processes.  

Below, we provide a high-level overview of the five CCPA components covered under the draft regulations, including select highlights under each.

1. Notice to Consumers

The draft regulations set forth several requirements for CCPA-related notices – notice at the point of collection of a consumer’s personal information (PI), notice of a consumer’s right to opt out of the sale of PI, notice of financial incentive, and privacy policy – including their required format, contents, and timing. Select highlights include:

Presentation of notices. Under the regulations, a business must draft and present its required CCPA notices to consumers in a way that is easy to read and understand, e.g.:

  • Use plain, straightforward language and avoid technical or legal jargon;
  • Use a format that draws the consumer’s attention and makes the notice readable, including on smaller screens;
  • Make notices available in the languages in which the business ordinarily provides consumers with other information;
  • Make notices accessible to consumers with disabilities;
  • Make such notice visible or accessible before PI is collected (in the case of a notice of collection) or before the consumer opts into a financial incentive or price/service difference (in the case of a notice of financial incentive); and
  • With respect to a business’s privacy policy, make it available in a printable format.

Consent to new use.  The regulations further specify that, if a business intends to use a consumer’s PI for a purpose that was not disclosed to the consumer at the point of collection, the business must notify the consumer of the new purpose and obtain explicit consent from the consumer for the new use. 

Notice of financial incentive.  A notice of financial incentive must include a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive (or price or service differential), as well as the method used to calculate that value.

2. Handling Consumer Requests

The draft regulations go into considerable detail with regard to handling consumer requests under the CCPA, covering: methods for submitting requests; responding to requests; training individuals responsible for handling requests; record-keeping; and requests regarding household information.  Select highlights include:

Mechanisms for submitting requests. The regulations specify that a business must provide at least two mechanisms by which consumers may submit CCPA requests: 

  • With respect to requests to know, these must include, at a minimum, a toll-free telephone number and an interactive web form (if the business operates a website).
  • For requests to opt out of sale, the mechanisms must include, at a minimum, an interactive web form.
  • By contrast, the regulations do not prescribe specific mechanisms for the submission of deletion requests, but list acceptable methods, such as a toll-free telephone number, an online web link or form, an email address, or a physical form.

Reflecting interactions with consumers. The regulations additionally provide that mechanisms for receiving consumer requests to know should reflect the methods by which a business primarily interacts with consumers, even if that means implementing more than two designated mechanisms. By way of example, a retailer that operates a website but primarily interacts with individuals at a retail location must implement a toll-free telephone number, an interactive web form, and a form that can be submitted in person at the retail location.

Timing of responses. The proposed regulations specify that businesses must confirm receipt of a request to know or a deletion request within 10 days, and that a business must “act upon” a request to opt out of sale no later than 15 days from the date it receives the request.

Security of PI.  Under the draft regulations, a business would be prohibited from disclosing certain high-risk PI to a consumer (implicitly, in response to a request to know), including Social Security numbers, driver’s license numbers, financial account numbers, health insurance or medical IDs, or account passwords. Businesses must also use reasonable security measures when transmitting PI to a consumer.

3. Verifying Consumers’ Identity

Processes and methods for verifying a consumer’s identity are covered under the proposed regulations, which lay out general rules regarding verification, in addition to specific provisions related to verifying holders of password-protected accounts and non-accountholders. Select highlights include:

Establishing a verification method.  Under the proposed regulations, a business must establish, document, and comply with a “reasonable” method for verifying that a consumer making a CCPA-related request is the same person about whom it has collected PI. The regulations outline factors to consider when establishing a verification method, such as: the type, sensitivity, and value of the PI maintained about the consumer; the risk of harm posed by unauthorized access or deletion; and the likelihood that fraudulent or malicious actors would seek the PI.

Verification of accountholders and non-accountholders. The regulations set forth a bifurcated approach to identity verification for consumers with password-protected accounts and non-account holding consumers, e.g.:

  • If a business maintains a password-protected account for a consumer, the business may verify the consumer’s identity through its existing authentication practices for the consumer’s account. The business must also require the consumer to re-authenticate before it discloses or deletes the consumer’s PI.
  • With respect to non-account holding consumers, a business must verify the consumer’s identity to a “reasonable degree of certainty” before granting that consumer’s request to know the categories of PI the business has collected about the consumer. By contrast, the business must verify the consumer’s identity to a “reasonably high degree of certainty” before granting the consumer’s request for the specific pieces of PI that the business maintains about the consumer.

4. Protecting Minors’ Data

Specific provisions aimed at the protection of minors’ data are included in the proposed regulations. Select highlights include:

Minors under 13. The regulations provide that a business with actual knowledge that it collects or maintains the PI of children under 13 years of age must establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child, including by way of a consent form, government-issued ID, online payment system that notifies the primary account holder of each transaction, toll-free telephone number, or video conference. 

Notice of opt-out right. When certain businesses receive a request to opt in to sale, those businesses must inform the minor (or parent/guardian, if the minor is under 13) of the right to opt out of the sale of the minor’s PI at a later date and the process for doing so.

5. Antidiscrimination and Financial Incentives

The draft regulations seek to clarify the CCPA’s antidiscrimination provisions, and they specify methods by which a business must calculate the value of a consumer’s data when offering a financial incentive. Select highlights include:

Discriminatory practices. The regulations offer the following illustrative examples:

  • A music streaming business offers a free service and a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt out of the sale of their personal information, then the practice is discriminatory, unless the $5 monthly payment is reasonably related to the value of the consumer’s data to the business.
  • A retail store offers discounted prices to consumers who sign up to be on their mailing list. If the consumer on the mailing list can continue to receive discounted prices even after he or she has made a request to know, request to delete, and/or request to opt out, the differing price level is not discriminatory.

Value of consumer data.  The proposed regulations specify that a business offering a financial incentive or price/service difference must use and document its method(s) for calculating the value of a consumer’s data.  The regulations also provide a list of approved methods for such calculation.

Next Steps

California’s Administrative Procedure Act provides for a mandatory 45-day public comment period following the issuance of draft implementing regulations, as well as optional public hearings.  AG Becerra announced that he will hold four public hearings in early December to give interested parties an opportunity to comment on the proposed regulations:

  • Sacramento—December 2, 2019, 10:00 a.m.
    CalEPA Building
    Coastal Room, 2nd Floor
    1001 I Street
    Sacramento, CA 95814
  • Los Angeles—December 3, 2019, 10:00 a.m.
    Ronald Reagan Building
    Auditorium, 1st Floor
    300 S. Spring Street
    Los Angeles, CA 90013
  • San Francisco—December 4, 2019, 10:00 a.m.
    Milton Marks Conference Center
    Lower Level
    455 Golden Gate Ave.
    San Francisco, CA 94102
  • Fresno—December 5, 2019, 10:00 a.m.
    Fresno Hugh Burns Building
    Assembly Room #1036
    2550 Mariposa Mall
    Fresno, CA 93721

The AG will accept written comments on the draft regulations until December 6, 2019, at 5:00 p.m. PST.  Interested parties may submit their comments at the hearings, by mail, or by email.  If substantial changes are introduced after the public comment period, another 15-day comment period will be required before the AG may issue final regulations. 

Though the CCPA becomes operative on January 1, 2020, the AG cannot bring an enforcement action until either July 1, 2020 or six months after the final regulations are issued, whichever comes first.

Our team will continue to track developments related to the draft regulations and the public forums. You can monitor our coverage and access our full suite of CCPA compliance tools and resources on MoFo’s CCPA Resource Center.

©1996-2019 Morrison & Foerster LLP. All rights reserved.