Appearing in CEP Magazine – February 2020
On October 10, 2019, the California Attorney General’s office published draft regulations to operationalize the California Consumer Privacy Act (CCPA). Although the draft regulations are still subject to comment and will not be in final, enforceable form until July 2020, they provide helpful insights into how the final regulations are likely to look. And they are the only guidance that companies have as they start to implement the now-effective CCPA. These are the key takeaways from the draft regulations that companies should consider as their CCPA compliance programs go into effect.
Expect initial compliance costs to be high
In conjunction with the draft regulations, the California Department of Justice published an Economic Impact Statement that recognizes that the CCPA will have a large impact. The attorney general projects that it will initially cost the “typical” business $75,000 to come into compliance with the CCPA. Annual ongoing costs (for “typical” businesses) are predicted to be $2,500 per year. For small businesses, the initial costs are predicted to be $25,000, and the ongoing costs are predicted to be $1,500 per year. These numbers are an indication of how seriously businesses are expected to take their obligations. For compliance professionals who are having trouble obtaining adequate resources to implement effective CCPA compliance programs, citation to the attorney general’s expectations may be helpful to their arguments.
How to comply with notice obligations: Consult the regulations
easy to read, understandable to the average consumer, posted conspicuously and in an attention-getting format, accessible to consumers with disabilities, and available in the languages in which the business provides other information to consumers. The contents of the notices are specified by the draft regulations.
Notice at collection
- A list of categories of PI that is collected about consumers;
- For each of the categories, the business or commercial purpose for which the information will be used;
- If the business sells PI, a link titled either “Do Not Sell My Personal Information” or “Do Not Sell My Info.” (In the case of offline notices, provide the web address for the webpage to which the “Do Not Sell” link directs consumers); and
Notice of right to opt-out of sale of PI
- A description of the opt-out right;
- The web form by which the consumer can submit their request to opt out online or, if the business does not operate a website, the offline method by which the consumer can submit an opt-out request;
- Instructions for any other method by which to request to opt out;
- Any proof required when a consumer uses an authorized agent to exercise the opt-out right—or, in the case of a printed form containing the notice, a web page, online location, or URL where consumers can get information about authorized agents (the possibility of consumers exercising rights through an authorized agent is mentioned several times in the draft regulations; companies need to anticipate that this may be common); and
Notice of financial incentive
If the business offers a financial incentive or price or service difference (a “financial incentive”) in connection with obtaining PI, the business must post a notice with the following information:
- A “succinct” summary of the financial incentive;
- A description of the material terms, including the categories of PI that are implicated;
- How the consumer can opt in;
- The consumer’s right to withdraw at any time and how to exercise that right; and
- An explanation of why the financial incentive is permitted under the CCPA, including a good faith estimate of the value of the consumer’s data and how that value was calculated.
- Be available in an additional format that a consumer can print out as a separate document, and
- Advise consumers about their CCPA rights;
- Provide instructions about how consumers can exercise their rights and describe the verification process;
- List the categories of PI the business has collected in the preceding 12 months and, for each category, provide:
- The business or commercial purpose for collecting the PI.
- The “categories of third parties” with whom the PI is shared. According to the draft regulations, categories of third parties means “types of entities that do not collect personal information directly from consumers including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.”
- State whether or not the business sells the PI of minors under 16 years old without affirmative authorization;
- State whether the business has disclosed or sold any PI to third parties for a business or commercial purpose in the preceding 12 months and, if PI has been sold or disclosed, list the categories of PI disclosed or sold;
- Explain how a consumer can designate an authorized agent to make CCPA requests on the consumer’s behalf;
- Provide a contact for questions or concerns using a method that reflects the manner in which the business primarily interacts with consumers;
- If the business annually buys, receives, sells, or shares the PI of 4 million or more consumers, disclose certain metrics regarding the number of CCPA requests and the median number of days that it took the business to respond.
For businesses’ data practices, transparency will be difficult to avoid
In general, the draft regulations reflect an effort to encourage businesses to be more transparent about their data practices and make it easy for consumers to exercise their CCPA rights. In several instances, the draft regulations close what might otherwise be “loopholes” for businesses. A consumer request that is close but not quite technically correct under the statute will be “deemed” to count as a proper request to which businesses are obligated to respond. In other words, “close” counts in horseshoes and the CCPA, but only if you are a consumer.
For example, businesses cannot ignore right-to-know or delete requests that are submitted in a manner that is not one of the methods designated by the business, or are deficient in some respect unrelated to the verification process. Instead, the business must either (a) treat the request as if it had been submitted by the designated manner or (b) provide the consumer with specific directions on how to submit the request or remedy any deficiencies.
In some cases, a business is not permitted to require the consumer to resubmit the request or correct deficiencies before the business is obligated to provide a substantive response. Instead, the consumer’s technically deficient request is “close enough” to be “deemed” to count as a different request. Here are three examples:
- If a business denies a consumer’s request to delete personal information because the consumer’s identity cannot be adequately verified, the request for deletion is “deemed” to be an exercise of the right to opt out of the sale of PI. In other words, the denial of a request for deletion (on verification grounds) must be treated as if the consumer had clicked on the “Do Not Sell My Personal Information” link.
- If a business cannot verify a consumer’s request for specific pieces of PI, the business must treat the request as if it were, instead, a request for categories of PI.
- Businesses that collect PI online must treat user-enabled privacy controls, such as a browser login or privacy setting or other mechanism, as if they were statutory requests to opt out. This is a significant new compliance obligation that will be technologically challenging. Whatever system is put in place to receive and respond to opt-out requests will have to be technologically capable of recognizing, at the point where a consumer is entering PI, privacy settings of all sorts and processing them as opt-out requests (which can be reversed only by a confirmed affirmative choice to opt back in, not a simple change in the privacy settings during a subsequent visit to the website). If the CCPA did not already adequately incentivize businesses to stop selling data, the complexity of this regulation may do the trick.
Finally, the draft regulations require businesses to maintain records of all CCPA consumer requests and how the business responded to those requests. Businesses may use a ticket or log format so long as the documentation includes the date, nature, and manner of the request; the date and nature of the business’s response; and the basis for any denial (in whole or in part). This information must be maintained for 24 months, and this retention will not cause the business to violate the CCPA.
Don’t forget about data security
Compliance with the CCPA disclosure requirements will result in two new points of data breach vulnerability: disclosure of PI (because PI may be inadvertently disclosed to the wrong person) and transmission of the PI (if the transmission method is not adequately secure). Although the draft regulations favor transparency about business data practices, the same is not true for consumer PI. In short, the proposed regulations “balance the consumer’s right to know with the harm that can result from the inappropriate disclosure of information” and attempt to “reduce the risk that a business will violate another privacy law.”
The attorney general emphasizes that verification of the consumer’s identity before providing PI in response to a request is critical. Any missteps at this point in the process can result in data breaches.
The draft regulations require businesses to establish, document, and comply with a “reasonable method” for verifying the requesting consumer’s identity. When determining verification methods, businesses should follow the guiding principles outlined in the draft regulations and should consider certain identified factors. One guiding principle is that businesses should verify consumer identity either by matching information provided by the consumer to information that the business already possesses or by using a third-party verification service. Businesses should not collect additional PI in order to verify identity unless it is necessary to do so, in which case the additional PI should be deleted as soon as possible.
The draft regulations provide guidance, examples, and a “baseline” of what would constitute a reasonable method for verifying consumer identity before responding to requests to know and to delete, depending upon whether the consumer holds a password-protected account with the business. Additionally, the draft regulations require a two-step process before processing certain requests. Regardless of what method businesses choose to use for verification, the draft regulations require that the business also implements “reasonable security measures” to detect fraudulent identity verification activity. Additionally, when transmitting PI in response to a verified request, the business must employ “reasonable security measures.”
Finally, in some cases, the attorney general has determined that the risks are simply too high to permit disclosure, no matter what the CCPA says. Specifically, the draft regulations prohibit—regardless of verification and no matter what method is used—disclosure of any of the following: Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords, or security questions and answers (the “Highly Sensitive PI”). Businesses will need to be vigilant about this. When a consumer requests specific pieces of information, the Highly Sensitive PI will have to be redacted.
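A sketch of the request-handling logic the draft regulations describe, covering the “deemed” request rules above (an unverified deletion request becomes an opt-out; an unverified request for specific pieces becomes a request for categories), redaction of the Highly Sensitive PI before transmission, and the request record with its 24-month retention. This is an added example, not from the article or any regulator; the category keys, field names, and the sample record are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed keys for the categories the draft regulations bar from disclosure.
HIGHLY_SENSITIVE_PI = {
    "ssn", "drivers_license", "government_id", "financial_account",
    "health_insurance_id", "medical_id", "password", "security_qa",
}

@dataclass
class Request:
    kind: str        # "delete", "know_specific", "know_categories", "opt_out"
    verified: bool   # outcome of the business's documented verification method
    received: str    # ISO date the request arrived
    manner: str      # channel used, e.g. "web_form", "email", "phone"

@dataclass
class LogEntry:
    # Fields the draft regulations require in the request record.
    request_date: str
    request_nature: str
    request_manner: str
    response_date: str
    response_nature: str
    denial_basis: str = ""

def deem_request(req):
    """Unverified deletion -> opt-out of sale; unverified request for
    specific pieces -> request for categories. Verified requests stand."""
    if req.verified:
        return req.kind
    return {"delete": "opt_out", "know_specific": "know_categories"}.get(req.kind, req.kind)

def redact_for_disclosure(record):
    """Copy of a consumer record with Highly Sensitive PI stripped before transmission."""
    return {k: v for k, v in record.items() if k not in HIGHLY_SENSITIVE_PI}

def handle(req, record, today):
    """Resolve the effective request, build the disclosure payload and the log entry."""
    effective = deem_request(req)
    denial = "" if effective == req.kind else f"identity not verified; treated as {effective}"
    payload = redact_for_disclosure(record) if effective == "know_specific" else None
    return effective, payload, LogEntry(req.received, req.kind, req.manner, today, effective, denial)

def retention_expired(entry, today):
    """Records must be kept for 24 months; True once that period has passed."""
    d = date.fromisoformat(entry.response_date)
    try:
        cutoff = d.replace(year=d.year + 2)
    except ValueError:                    # response dated 29 February
        cutoff = d.replace(year=d.year + 2, day=28)
    return date.fromisoformat(today) > cutoff
```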
Table 1 outlines the verification guidelines and business response requirements and options per the draft regulations.