
The Wait is Over: Proposed Regulations Implementing the CCPA are Released

By Suzanne Gainey and Tandy Mathis.  On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment.  Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA.  While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA and fail to address issues that many have worried about since the CCPA was passed (e.g., the very broad scope of applicability of the CCPA). 

The proposed regulations largely focus on (1) notices required to be provided to consumers, (2) processes a business must follow to respond to consumer requests, and (3) methods for verifying that a consumer making a request is who they say they are.   

A. Notices Required to be Provided to Consumers

In addition to expanding on the necessary contents of a business’s privacy policy, the proposed regulations address the contents of notices to be provided to consumers (a) at or before the collection of personal information, (b) related to the right to opt-out of the sale of personal information, and (c) explaining any financial incentives available to the consumer. 

In general, these notices must be easy to read and easy for the average consumer to understand.  The notices may not use technical or legal jargon, and must be in a format that draws the consumer’s attention.  The notices must also be accessible to consumers with disabilities, at a minimum providing information on how the consumer may access the notice in an alternative format.

New under the proposed regulations is the requirement that businesses also provide notice and obtain explicit consent from consumers before using any category of personal information for a purpose not disclosed at the time of collection.  At the same time, the proposed regulations require that the business list the categories of personal information collected in a manner that provides consumers a “meaningful understanding” of the information.  Drafting notices that are broad enough to avoid needing to obtain consent in the future while still providing consumers with “meaningful understanding” will be challenging.

B. Responding to Consumer Requests

The proposed regulations also provide detailed requirements for submitting and responding to consumer requests.  In particular, two or more methods must be made available to consumers for submitting requests to know (i.e., requests that the business disclose what information related to the consumer the business collects, uses, discloses and sells) and requests to delete (i.e., requests that the business delete information collected), including a toll-free phone number.  Additional methods may be required depending on how the business typically interacts with consumers (e.g., for retail establishments, three methods may be required – a toll-free phone number, a webform on the business’s website, and a form that can be submitted in person).

The business must confirm receipt of all requests to know and requests to delete within 10 days, and provide information regarding how the request will be processed.  A full response to any requests to know and requests to delete must be provided within 45 days of receipt (or up to 90 days if the business notifies the consumer and provides an explanation of why the business needs more time to respond), regardless of how long it takes to verify the identity of the consumer (see Part C below).

Similar to requests to know and requests to delete, two or more methods must be made available to consumers to submit requests to opt-out of the sale of personal information, including an interactive webform accessible via a link entitled “Do Not Sell My Personal Information”.  The business must act on any opt-out request as soon as feasibly possible, but no later than 15 days after receipt, and must notify all third parties to whom it sold the relevant consumer’s personal information during the 90 days prior to the business’s receipt of the request.

C. Verifying the Identity of a Consumer

The proposed regulations emphasize that businesses must establish and comply with a reasonable method for verifying the identity of the consumer making a request in order to avoid any unauthorized disclosure or deletion of personal information.  The robustness of the method for verification depends on many factors, including the sensitivity of the personal information at issue and the risk of harm to the consumer of any unauthorized access or deletion of such information. 

Businesses should generally avoid asking the consumer for additional personal information in order to verify the consumer’s identity, but may do so if necessary.  If additional personal information is requested, it may be used only for verification purposes and must be deleted as soon as practical after processing the request (except if required to be kept for record-keeping purposes).

D. Additional Topics Addressed

In addition to the topics above, the proposed regulations also address:

      • additional requirements and processes related to the collection and use of personal information of minors;
      • new disclosure requirements for businesses that collect the personal information of more than 4 million consumers;
      • the CCPA’s prohibition on discrimination of consumers and methods for valuing consumer data when offering a price or service difference to a consumer where permitted under the CCPA;
      • the process for using an agent to submit consumer requests;
      • clarifications regarding entities that will be considered a service provider under the CCPA;
      • training of employees regarding a business’s obligations under the CCPA; and
      • record-keeping requirements for consumer requests.

Written comments regarding the proposed regulations may be submitted until December 6, 2019, at 5:00 pm PST, and public hearings will be held December 2, 2019 through December 5, 2019. The CCPA will go into effect on January 1, 2020, but the proposed regulations (including any modifications) are not expected to become final until the first half of 2020, meaning enforcement is not likely to commence until July 1, 2020.  While there will be a gap in time between the CCPA’s effective date and the date on which Attorney General Becerra is empowered to enforce the CCPA, the Attorney General has indicated that there will be no safe harbor for non-compliance.  Therefore, it will be important for businesses to have appropriate training, procedures, and compliance frameworks in place prior to January 1, 2020.

______________________________________________________________

About the Authors:

Suzanne Gainey is an associate in the Charlotte office of Moore & Van Allen.  She works in both the Commercial & Technology Transactions and Privacy & Data Security groups. Her practice involves a wide range of technology, intellectual property and privacy matters, with a focus on transactional work. Before practicing law, Gainey studied mechanical engineering at the University of Illinois and worked as a technology analyst in the financial services industry. She also has experience analyzing patent portfolios, conducting intellectual property due diligence, and negotiating technology and commercial agreements.

Tandy Mathis practices in Moore & Van Allen’s Litigation and Privacy & Data Security groups, focusing primarily on information management issues, including discovery, privacy, and data security. With more than a decade of experience, she helps clients understand their obligations to protect data and advises on how they can lawfully collect, use, and share personal information.
