On October 10, 2019, CCPA watchers eagerly tuned in to view a live online press conference held by California Attorney General Xavier Becerra, who presented the highly anticipated draft regulations interpreting the California Consumer Privacy Act (CCPA). The Attorney General’s Notice of Proposed Rulemaking Action kicks off a process of comment and discussion that will affect how the CCPA is implemented and enforced.

The draft regulations answer some of the many questions surrounding the CCPA—but will no doubt provoke additional questions and further discussion. The draft regulations cover a lot of ground, but selected highlights include provisions on the following:

Clarifying Notice Requirements

The CCPA requires businesses to provide notice before collecting additional categories of personal information or using personal information already collected for additional purposes. The draft regulations specify that businesses must “directly notify” consumers of new uses and “obtain explicit consent” to use personal information for new purposes, as well as notify consumers if they plan to collect additional categories of personal information.

However, the regulations state that businesses that do not have a direct relationship with consumers are only required to provide notice when they sell personal information. Prior to the sale, the businesses may contact either the consumer (to provide notice and an opt-out) or the source of the information (to confirm that notice and an opt-out was provided, per a signed attestation).

The draft regulations would also require businesses to provide consumers with a “notice of financial incentive” before opting in to a financial incentive or price or service difference.

Implementing Requests for Access to Personal Information

Many businesses are still in the process of determining how they will verify consumer requests for access to or disclosure of consumers’ personal information (see below). The draft regulations require businesses to use “reasonable security measures” when providing personal information to consumers and to prohibit businesses from disclosing:

  • Social Security numbers;
  • Driver’s license numbers or other government-issued identification numbers;
  • Financial account numbers;
  • Any health insurance or medical identification number;
  • An account password; or
  • Security questions and answers.

Implementing the Right to Opt Out of the Sale of Personal Information

One aspect of the CCPA that has generated a lot of buzz is the right of consumers to opt out of the sale of their personal information (or, in certain circumstances, opt in to the sale). The draft regulations provide more detail on how businesses should make this right available to consumers and what they should do when consumers opt out.

Meanwhile, a standardized “opt-out button or logo” (as required by the original statute) will be proposed in a modified version of the regulations and available for public comment at a later time.

  • Opt-Out Options. The draft regulations would allow businesses to present consumers with the choice to opt out of sales of certain categories of personal information, but must present a “global option” to opt out of the sale of all personal information—and this option must be presented “more prominently” than the other, more granular choices.
  • The Return of “Do Not Track?” The draft regulations would also specify that “user-enabled privacy controls” such as a browser plugin, privacy setting, or another mechanism that communicates or signals the consumer’s choice to opt out, are valid opt-out requests under the CCPA. The draft regulations consider these requests to originate directly from consumers and not from an “authorized agent” as otherwise addressed in the draft regulations.
  • Opt-Out Timeline. The draft regulations elaborate on what businesses should do when faced with an opt-out request. After a consumer opts out, businesses must act “as soon as feasibly possible, but no later than 15 days” from the date they receive the request.

    Businesses then must notify all third parties to which they have sold the personal information of the opt-out request and instruct them not to further sell the personal information. This must take place within 90 days of the receipt of the request. Businesses are required to notify the consumer when they have completed all of these steps.

Verifying Consumer Requests

Under the CCPA, businesses must establish, document, and comply with a “reasonable method” for verifying consumers’ identities before fulfilling consumer requests. (The verification problem arises when somebody contacts a business, saying they are John Doe, and asking for John’s information. How does the business know that the person asking really is John, and, therefore, really entitled to see John’s information?)

The draft regulations specify that, where feasible, verification methods should match identifying information provided by the consumer with the personal information of the consumer already maintained by the business. Furthermore, businesses should “generally avoid” requesting additional information for the purpose of identity verification, unless they cannot verify consumers’ identities from the information they already maintain.

Clarifying the Role of Service Providers

The draft regulations clarify that an entity is a “service provider” for CCPA purposes where it provides services to a person or entity that is not a business (e.g., because it is a non-profit or government entity) and otherwise meets the requirements to be a “service provider.” Service providers also have some flexibility to combine and use personal information for the limited purposes of detecting data security incidents or protecting against fraudulent or illegal activity.

Requiring Larger Businesses to Post Statistics

The draft regulations also would require businesses that, alone or in combination, annually buy, sell, receive, or share for commercial purposes the personal information of more than 4 million consumers, to include certain metrics in their privacy policies. Specifically, these businesses must post the median number of requests to know, delete, and opt out that they receive annually, as well as the number of days within which the business responded to such requests.

According to the draft regulations, this is designed to help consumers, policymakers, academics, and regulators evaluate the effectiveness of businesses’ practices and compliance efforts.

The draft regulations provide a helpful overview of how the Attorney General interprets the requirements of the CCPA. However, the regulations are still subject to discussion and are likely to change. Stakeholders including businesses, consumers, and other organizations now have an opportunity to share their thoughts.

The Attorney General will hold a series of public hearings in early December, and the deadline to submit written comments on the proposed draft regulations is December 6, 2019. Under the CCPA, the Attorney General must issue the final regulations on or before July 1, 2020.