Blog
CCPA Amendments Signed and AG Releases Draft Regulations
Last week was an active one for the California Consumer Privacy Act of 2018 (“CCPA”). On October 11th, California’s governor announced that he signed all of the California Legislature’s CCPA amendments into law.
The CCPA authorizes the California Attorney General to adopt regulations to implement, interpret, and specify the requirements of the CCPA. These regulations have been highly anticipated since a number of CCPA compliance obligations could not be fully operationalized without the AG’s guidance. On October 10, 2019, the draft regulations finally arrived, and, at over 9,700 words long, they essentially double the content of the CCPA. Since a violation of the regulations carries the same legal consequences as a violation of any other provision of the CCPA, there is a lot of new information and requirements for companies to analyze and implement before the January 1, 2020 effective date. Below are some highlights:
Collection Notices, Privacy Policies, Financial Incentive Notices, and “Do Not Sell” Notices
The draft guidelines provide guidance on the presentation and content requirements for collection notices, privacy policies, financial incentive notices, and “Do Not Sell” notices. For each of these notices, businesses must present the notice in a conspicuously visible way that is “easy to read and understandable to an average consumer.” Notices also must be accessible to consumers with disabilities and available in languages in which the organization provides information or documentation to consumers in the ordinary course of business.
Businesses are prohibited from collecting personal information from consumers without providing notice at or before the point of collection, and businesses must obtain “explicit consent” from consumers if they decide to use that consumer’s personal information for a purpose that was not initially disclosed when the information was collected from the consumer.
New privacy policy requirements under the draft regulations include requiring companies to identify the categories of sources from which they collect personal information and the categories of third parties with whom they share personal information. The draft regulations also newly require companies to explain to consumers how to designate an authorized agent to make consumer rights requests on their behalf. Businesses that buy, receive, sell, or share for commercial purposes the personal information of more than four million consumers have additional privacy policy disclosure requirements.
Consumer Requests and Verification
The draft guidelines offer additional instructions for intaking, processing, and responding to consumer requests. The regulations mandate that at least one of the methods offered for consumers to submit requests “shall reflect the manner in which the business primarily interacts with the consumer.” Companies cannot ignore incorrectly submitted requests. Instead, they must treat the request as if correctly submitted, or else provide the consumer with information on how to cure a deficient request. Companies are now required to acknowledge receipt of consumer requests within ten days. Additionally, service providers who receive consumer requests are required to inform consumers that they should direct their requests directly to the business on whose behalf the service provider is processing the consumer’s personal information.
To verify the identity of the consumer making the request, the draft regulations suggest matching identifying information provided by the consumer with information already maintained by the business or using a third-party identity verification service. The draft regulations discourage collecting additional information from consumers in order to verify their identity. The draft regulations also suggest, for non-account holder requests for specific pieces of personal information, that businesses match at least three pieces of personal information provided by the consumer with information maintained by the business, and also obtain a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
The draft regulations also contain a number of new security provisions related to consumer requests. In addition to offering guidance on how businesses should verify a requesting consumer’s identity, they also forbid businesses from responding to consumer requests where they are unable to verify a consumer’s identity or where responding would create an unreasonable security risk. Businesses are forbidden from ever disclosing certain sensitive data such as social security numbers, driver’s license numbers, financial account numbers, medical ID numbers, or account passwords in response to consumer requests.
The regulations require consumers to complete a two-step process for deletion requests: the initial request plus a confirmation from the consumer that they do, in fact, want to delete their information. After complying with a deletion request, businesses are now required to inform consumers of the manner in which they have deleted the consumer’s personal information.
The draft regulations impose new requirements for “Do Not Sell” requests, including requiring businesses to treat browser plugins or privacy settings as opt-out requests. They also require businesses to respond to “Do Not Sell” requests within 15 days.
What Else?
The foregoing scratches the surface, but the draft regulations cover a number of other requirements related to the above topics, as well as requirements for training and record-keeping, household information, authorized agents of consumers, minors, and calculating the value of consumer data for financial incentive purposes.
What’s Next?
The written comment period for the draft regulations is open until December 6, 2019, and the Attorney General will hold four public hearings from December 2nd through December 5th. Information about the hearings and how to submit comments is available here.
During a press conference addressing the draft regulations, Attorney General Becerra indicated that his office’s enforcement would begin on July 1, 2020. However, he emphasized that the law takes effect on January 1, 2020, and companies would be expected to comply as of that date. He indicated the enforcement delay would not be a safe harbor, stating, “If that were the rule, then you could murder someone today, and if we couldn’t figure out who did it for a month, would that mean you’d get to go scott-free? I don’t think so. The law is the law.”