By Suzanne Gainey and Tandy Mathis. On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment. Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA. While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA and fail to address issues that many have worried about since the CCPA was passed (e.g., the very broad scope of applicability of the CCPA).
The proposed regulations largely focus on (1) notices required to be provided to consumers, (2) processes a business must follow to respond to consumer requests, and (3) methods for verifying that a consumer making a request is who they say they are.
A. Notices Required to be Provided to Consumers
In general, these notices must be easy to read and easy for the average consumer to understand. The notices may not use technical or legal jargon, and must be in a format that draws the consumer’s attention. The notices must also be accessible to consumers with disabilities, at a minimum providing information on how the consumer may access the notice in an alternative format.
New under the proposed regulations is the requirement that businesses also provide notice and obtain explicit consent from consumers for using any category of personal information for a purpose not disclosed at the time at collection. At the same time, the proposed regulations require that the business list the categories of personal information collected in a manner that provides consumers a “meaningful understanding” of the information. Drafting notices that are broad enough to avoid needing to obtain consent in the future while still providing consumers with “meaningful understanding” will be challenging.
B. Responding to Consumer Requests
The proposed regulations also provide detailed requirements for submitting and responding to consumer requests. In particular, two or more methods must be made available to consumers for submitting requests to know (i.e., requests that the business disclose what information related to the consumer the business collects, uses, discloses and sells) and requests to delete (i.e., requests that the business delete information collected), including a toll-free phone number. Additional methods may be required depending on how the business typically interacts with consumers (e.g., for retail establishments, three methods may be required – a toll-free phone number, a webform on the business’s website, and a form that can be submitted in person).
The business must confirm receipt of all requests to know and requests to delete within 10 days, and provide information regarding how the request will be processed. A full response to any requests to know and requests to delete must be provided within 45 days of receipt (or up to 90 days if the business notifies the consumer and provides an explanation of why the business needs more time to respond), regardless of how long it takes to verify the identity of the consumer (see Part C below).
Similar to requests to know and requests to delete, two or more methods must be made available to consumers to submit requests to opt-out of the sale of personal information, including an interactive webform accessible via a link entitled “Do Not Sell My Personal Information”. The business must act on any opt-out request as soon as feasibly possible, but no later than 15 days after receipt, and must notify all third parties to whom it has sold personal information of the relevant consumer within 90 days prior to the business’s receipt of the request.
C. Verifying the Identity of a Consumer
The proposed regulations emphasize that businesses must establish and comply with a reasonable method for verifying the identity of the consumer making a request in order to avoid any unauthorized disclosure or deletion of personal information. The robustness of the method for verification depends on many factors, including the sensitivity of the personal information at issue and the risk of harm to the consumer of any unauthorized access or deletion of such information.
Businesses should generally avoid asking the consumer for additional personal information in order to verify the consumer’s identity, but may do so if necessary. If additional personal information is requested, it may be used only for verification purposes and must be deleted as soon as practical after processing the request (except if required to be kept for record-keeping purposes).
D. Additional Topics Addressed
In addition to the topics above, the proposed regulations also address:
- additional requirements and processes related to the collection and use of personal information of minors;
- new disclosure requirements for businesses that collect the personal information of more than 4 million consumers;
- the CCPA’s prohibition on discrimination of consumers and methods for valuing consumer data when offering a price or service difference to a consumer where permitted under the CCPA;
- the process for using an agent to submit consumer requests;
- clarifications regarding entities that will be considered a service provider under the CCPA;
- training of employees regarding a business’s obligations under the CCPA; and
- record-keeping requirements for consumer requests.
Written comments regarding the proposed regulations may be submitted until December 6, 2019, at 5:00 pm PST, and public hearings will be held December 2, 2019 through December 5, 2019. The CCPA will go into effect on January 1, 2020, but the proposed regulations (including any modifications) are not expected to become final until the first half of 2020, meaning enforcement is not likely to commence until July 1, 2020. While there will be a gap in time between the CCPA’s effective date and the date on which Attorney General Becerra is empowered to enforce the CCPA, the Attorney General has indicated that there will be no safe harbor for non-compliance. Therefore, it will be important for businesses to have appropriate training, procedures, and compliance frameworks in place prior to January 1, 2020.
About the Authors:
Suzanne Gainey is an associate in the Charlotte office of Moore & Van Allen. She works in both the Commercial & Technology Transactions and Privacy & Data Security groups. Her practice involves a wide-range of technology, intellectual property and privacy matters, with a focus on transactional work. Before practicing law, Gainey studied mechanical engineering at the University of Illinois and worked as a technology analyst in the financial services industry. She also has experience analyzing patent portfolios, conducting intellectual property due diligence, and negotiating technology and commercial agreements.
Tandy Mathis practices on Moore & Van Allen’s Litigation and Privacy & Data Security groups, focusing primarily on information management issues, including discovery, privacy, and data security. With more than a decade of experience, she helps clients understand their obligations to protect data and advises on how they can lawfully collect, use, and share personal information.