Robert N. Famigletti, Mary Race, and Christine E. Lyon
Privacy + Data Security
With just over two months until the California Consumer Privacy Act of 2018 (CCPA) becomes operative, California Attorney General (AG) Xavier Becerra has issued draft regulations to guide covered businesses’ implementation of the groundbreaking privacy law. The proposed regulations address several CCPA provisions that explicitly call for the AG’s input, as well as others that have been the subject of confusion, criticism, or discussion (see our recaps of public forums that AG Becerra held throughout the state, here).
In announcing the release of the regulations at a press conference on October 10, 2019, AG Becerra noted that they seek to clarify five specific components of the CCPA – required notices to consumers, handling consumers’ CCPA rights requests, verifying consumers’ identities, protecting minors’ data, and antidiscrimination and financial incentives – and that they are designed to give businesses a “degree of flexibility” in developing their own compliance procedures and processes.
Below, we provide a high-level overview of the five CCPA components covered under the draft regulations, including select highlights under each.
1. Notice to Consumers
Presentation of notices. Under the regulations, a business must draft and present its required CCPA notices to consumers in a way that is easy to read and understand, e.g.:
Consent to new use. The regulations further specify that, if a business intends to use a consumer’s PI for a purpose that was not disclosed to the consumer at the point of collection, the business must notify the consumer of the new purpose and obtain explicit consent from the consumer for the new use.
Notice of financial incentive. A notice of financial incentive must include a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive (or price or service differential), as well as the method used to calculate that value.
2. Handling Consumer Requests
The draft regulations go into considerable detail with regard to handling consumer requests under the CCPA, covering: methods for submitting requests; responding to requests; training individuals responsible for handling requests; record-keeping; and requests regarding household information. Select highlights include:
Mechanisms for submitting requests. The regulations specify that a business must provide at least two mechanisms by which consumers may submit CCPA requests:
Reflecting interactions with consumers. The regulations additionally provide that mechanisms for receiving consumer requests to know should reflect the methods by which a business primarily interacts with consumers, even if that means implementing more than two designated mechanisms. By way of example, a retailer that operates a website but primarily interacts with individuals at a retail location must implement a toll-free telephone number, an interactive web form, and a form that can be submitted in person at the retail location.
Timing of responses. The proposed regulations specify that businesses must confirm receipt of a request to know or a deletion request within 10 days, and that a business must “act upon” a request to opt out of sale no later than 15 days from date it receives the request.
Security of PI. Under the draft regulations, a business would be prohibited from disclosing certain high-risk PI to a consumer (implicitly, in response to a request to know), including Social Security numbers, driver’s license numbers, financial account numbers, health insurance or medical IDs, or account passwords. Businesses must also use reasonable security measures when transmitting PI to a consumer.
3. Verifying Consumers’ Identity
Processes and methods for verifying a consumer’s identity are covered under the proposed regulations, which lay out general rules regarding verification, in addition to specific provisions related to verifying holders of password-protected accounts and non-accountholders. Select highlights include:
Establishing a verification method. Under the proposed regulations, a business must establish, document, and comply with a “reasonable” method for verifying that a consumer making a CCPA-related request is the same person about whom it has collected PI. The regulations outline factors to consider when establishing a verification method, such as: the type, sensitivity, and value of the PI maintained about the consumer; the risk of harm posed by unauthorized access or deletion; and the likelihood that fraudulent or malicious actors would seek the PI.
Verification of accountholders and non-accountholders. The regulations set forth a bifurcated approach to identity verification for consumers with password-protected accounts and non-account holding consumers, e.g.:
4. Protecting Minors’ Data
Specific provisions aimed at the protection of minors’ data are included in the proposed regulations. Select highlights include:
Minors under 13. The regulations provide that a business with actual knowledge that it collects or maintains the PI of children under 13 years of age must establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child, including by way of a consent form, government-issued ID, online payment system that notifies the primary account holder of each transaction, toll-free telephone number, or video conference.
Notice of opt-out right. When certain businesses receive a request to opt in to sale, those businesses must inform the minor (or parent/guardian, if the minor is under 13) of the right to opt out of the sale of the minor’s PI at a later date and the process for doing so.
5. Antidiscrimination and Financial Incentives
The draft regulations seek to clarify the CCPA’s antidiscrimination provisions, and they specify methods by which a business must calculate the value of a consumer’s data when offering a financial incentive. Select highlights include:
Discriminatory practices. The regulations offer the following illustrative examples:
Value of consumer data. The proposed regulations specify that a business offering a financial incentive or price/service difference must use and document its method(s) for calculating the value of a consumer’s data. The regulations also provide a list of approved methods for such calculation.
California’s Administrative Procedure Act provides for a mandatory 45-day public comment period following the issuance of draft implementing regulations, as well as optional public hearings. AG Becerra announced that he will hold four public hearings in early December to give interested parties an opportunity to comment on the proposed regulations:
The AG will accept written comments on the draft regulations until December 6, 2019, at 5:00 p.m. PST. Interested parties may submit their comments at the hearings, by mail, or by email. If substantial changes are introduced after the public comment period, another 15-day comment period will be required before the AG may issue final regulations.
Though the CCPA becomes operative on January 1, 2020, the AG cannot bring an enforcement action until either July 1, 2020 or six months after the final regulations are issued, whichever comes first.
Our team will continue to track developments related to the draft regulations and the public forums. You can monitor our coverage and access our full suite of CCPA compliance tools and resources on MoFo’s CCPA Resource Center.
©1996-2019 Morrison & Foerster LLP. All rights reserved.