On Oct. 10, 2019, privacy law watchers eagerly signed on to view a live press conference announcing the highly anticipated draft regulations interpreting the California Consumer Privacy Act (CCPA). The attorney general's Notice of Proposed Rulemaking Action kicked off a comment and discussion process that will affect how the CCPA is implemented and enforced.
The draft regulations answer some of the many questions surrounding the CCPA—but will undoubtedly provoke additional questions and further discussion. Highlights include the following.
Clarifying Notice Requirements
The CCPA requires businesses to provide notice before collecting additional categories of personal information or using personal information already collected for other purposes. The draft regulations specify that businesses must "directly notify" consumers of new uses and "obtain explicit consent" to use personal information for new purposes, as well as notify consumers if they plan to collect additional categories of personal information.
However, the regulations state that businesses that do not have a direct relationship with consumers are only required to provide notice when they sell personal information. Prior to the sale, the businesses may contact either the consumer (to provide notice and an opt-out) or the source of the information (to confirm that notice and an opt-out was provided, evidenced by a signed attestation).
The draft regulations would also require businesses to provide consumers with a "notice of financial incentive" before opting in to a financial incentive or price or service difference.
Implementing Requests for Access to Personal Information
Many businesses are still determining how they will verify consumer requests for access to or disclosure of consumers' personal information (see below). The draft regulations require businesses to use "reasonable security measures" when providing personal information to consumers and prohibit businesses from disclosing:
- Social Security numbers;
- Driver's license numbers or other government-issued identification numbers;
- Financial account numbers;
- Health insurance or medical identification numbers;
- Account passwords; or
- Security questions and answers.
Implementing the Right to Opt Out of the Sale of Personal Information
One aspect of the CCPA that has generated a lot of buzz is the right of consumers to opt out of the sale of their personal information (or, in certain circumstances, opt in). The draft regulations provide more detail on how businesses should make this right available to consumers and what they should do when consumers opt out.
Meanwhile, a standardized "opt-out button or logo" (as required by the original statute) will be proposed in a modified version of the regulations and available for public comment at a later time.
- Opt-Out Options. The draft regulations would allow businesses to present consumers with the choice to opt out of sales of certain categories of personal information, but they must present a "global option" to opt out of the sale of all personal information—and this option must be presented "more prominently" than the other, more granular choices.
- The Return of "Do Not Track"? The draft regulations also specify that "user-enabled privacy controls," such as a browser plugin, privacy setting, or another mechanism that communicates or signals the consumer's choice to opt out, would be valid opt-out requests under the CCPA. The draft regulations consider these requests to originate directly from consumers and not from an "authorized agent" as otherwise addressed in the draft regulations.
- Opt-Out Timeline. The draft regulations elaborate on what businesses should do when faced with an opt-out request. After a consumer opts out, businesses must act "as soon as feasibly possible, but no later than 15 days" from the date they receive the request. Businesses then must notify all third parties to which they have sold the personal information of the opt-out request and instruct them not to further sell the personal information. This must take place within 90 days of the receipt of the request. Businesses are required to notify the consumer when they have completed all of these steps.
Verifying Consumer Requests
Under the CCPA, businesses must establish, document, and comply with a "reasonable method" for verifying consumers' identities before fulfilling consumer requests. (The verification problem arises when somebody contacts a business saying they are John Doe and asking for John's information. How does the business know that the person asking really is John and, therefore, entitled to see John's information?)
The draft regulations specify that, where feasible, verification methods should match identifying information provided by the consumer with the personal information already maintained by the business about the consumer. Furthermore, businesses should "generally avoid" requesting additional information for the purpose of identity verification unless they cannot verify consumers' identities from the information they already maintain.
Clarifying the Role of Service Providers
The draft regulations clarify that an entity is a "service provider" for CCPA purposes where it provides services to a person or entity that is not a business (e.g., because it is a nonprofit or government entity) and otherwise meets the requirements to be a "service provider." Service providers also have some flexibility to combine and use personal information for the limited purposes of detecting data-security incidents or protecting against fraudulent or illegal activity.
Requiring Larger Businesses to Post Statistics
The draft regulations also would require businesses that, alone or in combination, annually buy, sell, receive, or share for commercial purposes the personal information of more than 4 million consumers to include certain metrics in their privacy policies. Specifically, these businesses must post the median number of requests to know, delete, and opt out that they receive annually, as well as the number of days within which the business responded to such requests.
According to the draft regulations, this is designed to help consumers, policymakers, academics, and regulators evaluate the effectiveness of businesses' practices and compliance efforts.
The draft regulations provide a helpful overview of how the attorney general interprets the CCPA's requirements. However, the regulations are still subject to discussion and are likely to change. Stakeholders including businesses, consumers, and other organizations now have an opportunity to share their thoughts.
The attorney general held a series of public hearings in early December, and the deadline to submit written comments on the proposed draft regulations was Dec. 6, 2019. Under the CCPA, the attorney general must issue the final regulations on or before July 1, 2020.