Privacy Regulations Proposed for CCPA by CA Attorney General
By Procopio Senior Counsel Elaine F. Harwell, CIPP/US
With the landmark California Consumer Privacy Act (CCPA) set to take effect January 1, 2020, the California Attorney General’s office issued its long-awaited proposed regulations on October 10, 2019. The CCPA creates new consumer rights relating to access to, deletion of, and the sharing of personal information collected by businesses. Of interest to any company doing business in California, the proposed regulations impose a number of new requirements not contained within the CCPA itself.
The CCPA, signed into law in 2018, tasked the Attorney General with adopting regulations on key areas of the law. On October 10, the Attorney General published the proposed regulations and will hold a series of public hearings in December 2019 to solicit public comments.
The proposed regulations are intended to operationalize the CCPA and to provide clarity and specificity to businesses implementing the law. The following highlights some of the more significant new obligations they impose on businesses. [Please also see our articles on CCPA notice requirements and the challenge of confirming the identity of consumers making personal data requests.]
New obligations for required content within privacy policies or other disclosure notices:
- Disclosures regarding what information will be needed from a consumer to verify a consumer request;
- An explanation of how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf;
- If the business receives or shares the personal information of 4,000,000 or more consumers, metrics for the previous calendar year disclosing the number of requests to know, delete, and opt out that it received, complied with, and denied, and the median number of days taken to respond to each type of request;
- For each category of personal information collected, the business or commercial purpose for which it will be used;
- The business’s online and offline privacy practices;
- A designated contact to answer consumers’ questions about the business’s privacy policies and practices;
- The date the privacy policy was last updated.
New obligations for access and deletion requests and the business’s response thereto:
- For businesses that operate a website, but primarily interact with customers in person at a retail store, the business may need to offer consumers three methods to submit requests: a toll-free number, an online form, and a form that can be submitted in person at a retail store.
- For requests to know and requests to delete, a business must confirm receipt within 10 days and provide information about how it will process the request, including its verification process and when the consumer can expect a response;
- If a business cannot verify the identity of a consumer requesting specific pieces of personal information, it must treat the request as one seeking disclosure of the categories of personal information it has collected about the consumer;
- If a business cannot verify the identity of a consumer making a deletion request, it must treat the request as a request to opt out of the sale of the consumer’s personal information.
New operational obligations in complying with “do not sell” requests:
- Upon receipt of a request, a business shall “act upon” the request as soon as feasible, but no later than 15 days after receipt;
- Notification, within 90 days of receiving the request, to all third parties to whom the business sold the consumer’s personal information in the 90 days before the request, instructing them not to further sell that information, followed by a notification to the consumer once this has been completed; and
- Requests to opt in (both for the sale of a minor’s personal information and for obtaining consent from a consumer who previously opted out) must use a two-step process in which the consumer first clearly requests to opt in and then, in a second, separate step, confirms that choice.
Other new obligations:
- Maintaining records of consumer requests and how the business responded to them for at least 24 months;
- Implementing reasonable security measures to detect fraudulent identity-verification activity, so that an unauthorized person cannot use the request process to gain access to, or cause the deletion of, a consumer’s personal information;
- Treating user-enabled online privacy controls (e.g., browser plugins or privacy settings) that communicate or signal a consumer’s choice to opt out of the sale of their personal information as a valid opt-out request for that browser or device or, if known, for that consumer;
- Where a business offers a financial incentive or a price or service difference, documenting and being able to show a reasonable and good-faith method for calculating the value of the consumer’s data.
The proposed regulations also discuss at length, and provide guidance on, several key areas of the law, including notice at collection, privacy policies, the proposed notice of the right to opt out and the methods for responding to opt-out requests, requests to know and delete, and verification and security. Stay tuned for upcoming articles from us on those topics.
Despite the Attorney General’s efforts to clarify the law, numerous ambiguities and questions remain about compliance with the CCPA. The timing of the regulations and the public comment period likely indicates that enforcement of the law will not begin until July 1, 2020. The Attorney General, however, implied at a recent press conference that businesses can be held accountable for noncompliance as of January 1, 2020. Businesses should therefore act quickly to move toward compliance.
Elaine F. Harwell is a Senior Counsel with Procopio and a member of its Privacy and Cybersecurity Practice Group. She is an experienced business litigation attorney and a trained privacy professional. Her practice is focused on representing clients in cybersecurity and data privacy matters, including litigating claims involving privacy issues, helping clients manage emerging risks and conduct privacy risk assessments, and advising on regulatory issues. Elaine has also been involved in numerous trials as well as arbitration proceedings related to contract and general business disputes, complex unfair competition and business practice claims, and professional liability. She has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).