State Attorney General Proposes Final Regulations in Connection with California Consumer Protection Act
The California Attorney General’s Office (California AG) submitted final proposed regulations (Regulations) under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (CA OAL) on June 1, 2020. The submission marks the culmination of a lengthy process that began in October 2019, during which the California AG issued multiple draft versions of proposed regulations for public notice and comment. The package submitted to the CA OAL also contained a Final Statement of Reasons that explains changes from the prior drafts of the regulations (Submission Package). The CA OAL typically has 30 working days during which to review a Submission Package for consistency with the California Administrative Procedure Act; however, due to an Executive Order issued by California Governor Gavin Newsom on March 30, 2020 related to the COVID-19 pandemic, the CA OAL will have an additional 60 calendar days, beyond the initial 30 working-day period, to review the Submission Package. The California AG nonetheless has requested that the CA OAL engage in an expedited review of the Regulations during the traditional 30 working-day period. Once approved by the CA OAL, the Regulations will be filed with the California Secretary of State and become enforceable by law. It is unclear whether the Regulations will be approved before the July 1, 2020 CCPA enforcement date.
This Dechert OnPoint summarizes the key aspects of the Regulations and provides a list of next-steps that firms should consider in light of the Regulations.1
In general, all notices are required to:
- “Use plain, straightforward language and avoid technical or legal jargon;”
- “Use a format that draws the consumer’s attention to the notice and makes it ‘readable,’ including on smaller screens;”
- Be available in the languages that the businesses ordinarily uses to provide information to California consumers; and
- Be “reasonably accessible to consumers with disabilities” which, for notices provided online, involves the use of “generally recognized industry standards, such as the Web Content Accessibility Guidelines.”
Notice at Collection
The Notice at Collection is meant to “provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which [it] will be used.”
The Regulations make clear that the Notice at Collection must include the following information:
- A list of the categories of personal information a business collects and the purposes for which it is used;
- The business’s “Do Not Sell My Personal Information” link, if it sells personal information.
The Regulations state that businesses are not permitted to use personal information in ways that are materially different from those disclosed in the Notice at Collection, without first notifying the consumer and obtaining his or her “explicit consent” to that new use. Similarly, if a business wants to collect new categories of personal information other than those already disclosed in the Notice at Collection, the business must deliver an updated Notice at Collection. Businesses that do not deliver a Notice at Collection to consumers generally are not permitted to collect personal information from those consumers, although businesses that do not collect personal information directly from consumers are not required to deliver a Notice at Collection.
January 1, 2021.
Disclosure of Prior Collection, Use and Sharing
- The “categories of personal information the business has collected about consumers”;
- The “categories of sources from which the personal information is collected”;
- The “business or commercial purpose” for collecting or selling personal information;
- The “categories of personal information” that the business has disclosed or sold to third parties, if any, and for each category of personal information, the “categories of third parties” to whom it was sold or disclosed; and
- Whether the business sells personal information and whether it “has actual knowledge that it sells the personal information of minors under 16 years of age.”
Disclosure of CCPA Privacy Rights and How to Submit Requests
- “to request that the business disclose what personal information it collects, uses, discloses, and sells” (Request to Know);
- “to request the deletion of their personal information collected by the business” (Request to Delete);
- “to opt-out of the sale of their personal information by a business” (Request to Opt-Out); and
- “not to receive discriminatory treatment by the business” for exercising their privacy rights conferred by the CCPA.
With respect to the Request to Know and the Request to Delete, a business must also include: (i) instructions explaining how consumers can submit such a request; (ii) links to “an online request form or portal” for consumers to submit such a request, if such links are offered by the business; and (iii) a general description of how the business will verify the identity of consumers submitting such requests.
The Regulations also require businesses to let consumers know how an “authorized agent” can submit a request on their behalf.
Additional Disclosure Requirements
Notice of the Right to Opt-Out
The Notice of the Right to Opt-Out must include:
- A description of the Right to Opt-Out;
- An “interactive form” by which consumers can submit their Request to Opt-Out online, or for businesses that do not operate a website, the offline method for submitting a request to opt-out; and
- Instructions for any other method to submit a Request to Opt-Out.
If a business collected personal information during a time when the business did not post a Notice of the Right to Opt-Out, such personal information cannot be sold without first obtaining “the affirmative authorization of the consumer.” It is worth noting that for businesses that have both “online” sales (e.g., sales related to the use of certain cookies) and “offline” sales, there may be some obstacles to providing both types of opt-outs via a single form. It may be necessary to create a landing page on which “offline” requests can be submitted and where cookie preferences can be altered.
Submitting Consumer Requests
The Regulations set out the mechanisms that a business must make available to consumers who want to submit Requests to Know, Requests to Delete and Requests to Opt-Out. The requirements vary based on the type of request and whether or not a business operates “exclusively online”. In some cases, a business will be required to provide consumers with two or more designated methods for submitting requests. When choosing a “second” request method, the Regulations make clear that businesses must consider the means by which they generally interact with consumers and only designate methods that are consistent with those interactions.
Business That Operate “Exclusively Online”
Businesses that operate “exclusively online” and have a “direct relationship” with the consumers from whom they collect personal information need to make a designated email address available to consumers for them to submit Requests to Know. Such a business must still provide two designated methods for consumers to submit Requests to Delete and, if such a business sells personal information, two designated methods to submit Requests to Opt-Out, including a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info,” which must lead to an interactive form by which consumers can submit Requests to Opt-Out.
Submitting Requests to Know
Businesses that do not operate exclusively online must provide two or more designated methods for submitting Requests to Know, one of which must be a toll-free telephone number. The Regulations list examples of other acceptable methods, which include:
- A designated email address;
- A form submitted in person; and
- A form submitted through mail.
Submitting Requests to Delete
The Regulations require businesses to provide consumers with two or more designated methods for submitting Requests to Delete. Such methods include:
- A toll-free number;
- A link or form on the business’s website;
- A designated email address;
- A form submitted in person; and
- A form submitted through the mail.
Submitting Requests to Opt-Out
If a business sells personal information, the businesses must provide consumers with at least two methods for opting-out of the sale of their personal information, one of which must be an “interactive form” on the business’s website or mobile application. Businesses can choose the second method, which may include a toll-free number, email address, or a form submitted in person. In determining which methods to use, the Regulations make clear that a business must consider a variety of factors, including:
- The methods by which it regularly interacts with consumers;
- The manner in which it sells personal information to third parties;
- Available technology; and
- The ease of use by the consumer.
At least one of the chosen opt-out methods must reflect the manner in which the business primarily interacts with the consumer. Regardless of the methods chosen, the Regulations set out that a consumer should encounter “minimal steps” in order to effectuate the Request to Opt-Out, and that the request cannot be “designed with the purpose to,” nor have a “substantial effect” of “subverting or impairing a consumer’s decision to opt-out.”
Improperly Submitted Requests
If a consumer submits a request in a manner that is inconsistent with the methods designated by a business, or is otherwise deficient, the Regulations provide that the business can either treat the request as if it was properly submitted, or provide the consumer with information on how to remedy the submission.
Verifying Consumer Requests
The Regulations require businesses to “establish, document, and comply with a reasonable method” for verifying the identity of a consumer who has submitted a Request to Know or Request to Delete. In determining what constitutes a “reasonable method” for verifying the identity of consumers, the Regulations require that, “whenever feasible,” businesses should match the consumer’s identifying information to personal information “already maintained by the business” or, alternatively, “use a third-party identity verification service” that complies with requirements under the Regulations. The Regulations state that businesses should generally “avoid requesting additional information” from a consumer for purposes of verification. However, if a business cannot verify the identity of a consumer from the information that the business already maintains, the business may request additional information from that consumer. Additionally, the Regulations state that businesses should avoid collecting the certain types of personal information for verification purposes, including:
- Social security number;
- Driver’s license or California identification card number; and
- Account number or credit card number.
Under the Regulations, any additional information that a business collects about a consumer in order to verify the consumer’s identity for a consumer request under the CCPA must only be used “for the purposes of verifying the identity of the consumer.” The business must delete the personal information that it collects for consumer verification purposes “as soon as practical” unless the business is otherwise required to maintain such information under the Regulations’ record-keeping requirements.
The Regulations also:
- Restrict businesses from requiring consumers or their authorized agents to pay a fee for the verification of their consumer requests;
- Require all business to “implement reasonable security measures to detect fraudulent identity-verification activity and prevent unauthorized access to or deletion of a consumer’s personal information;” and
- Set forth various factors that businesses should consider when attempting to verify a consumer’s identity, which include, (i) the “type, sensitivity and value of the personal information collected”, (ii) the “risk of harm to the consumer posed by any unauthorized access or deletion” and (iii) the “likelihood that fraudulent or malicious actors would seek the personal information.”
Verification for Password Protected Accounts
When a business maintains a password-protected account with a consumer, the business “may” use its “existing authentication practices” for the account to verify a consumer’s identity, provided that the business: still adheres to the Regulations’ general requirements for verification, as described above; and requires consumers to “re-authenticate themselves” before the business executes a Request to Know or a Request to Delete. Businesses that “suspect fraudulent or malicious activity” associated with an account are required to use “further verification procedures” to authenticate the identity of the consumer making the consumer request before responding to it.
Verification for Non-Password Protected Accounts
Requests to Know
The Regulations divide Requests to Know into two buckets: requests to know “categories” of personal information (e.g., categories of personal information collected, categories of sources from which collected, and categories of third parties with whom shared); and requests to know “specific pieces of personal information.” Requests to know specific pieces of personal information are commonly referred to as “access requests,” as, subject to certain limitations described herein, such requests typically require a business to respond by providing the actual personal information it has about the consumer.
Request to Know Categories of Personal Information
Request to Know Specific Pieces of Personal Information
The verification standard is higher when an individual submits a request to know “specific pieces” of personal information. The Regulations make clear that in such cases, the business must verify the request with a “reasonably high degree of certainty.” A business may do so by: matching “at least three pieces of personal information” from the consumer with those maintained by the business that are reliable for verification purposes; and obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is being sought. If the business cannot verify the requestor’s identity, it must deny the request to know “specific pieces” of personal information and treat it as a request to know “categories” of personal information (discussed above), which has a lower verification standard.
Requests to Delete
For Requests to Delete, the Regulations make clear that a business must verify a consumer’s identity with a “reasonable degree” or “reasonably high degree” of certainty. The business must determine in “good faith” which standard to use, depending on: (i) the “sensitivity of the personal information”; and (ii) the risk of harm that unauthorized deletion would pose to the consumer. When there is “no reasonable method” to verify a request, the business must explain to the requestor why this is the case.
Requests to Opt-Out
Pursuant to the Regulations, a business is not required to verify a Request to Opt-Out unless it has a “good-faith, reasonable and documented belief” that the request is fraudulent. In such cases, the business may deny the request and must provide the requestor with notice and an explanation of its denial.
Responding to Consumer Requests to Know and Delete
The Regulations provide helpful information for businesses regarding how they must go about responding to California consumers’ Requests to Know and Requests to Delete.
General Information and Timing
A business must acknowledge its receipt of a Request to Know or Request to Delete within 10 business days of receiving it, by providing the requestor with information regarding:
- How the business will process the request;
- Its verification process; and
- When the requestor should expect a response.
The Regulations state that the method that the business uses to notify the requestor of its receipt of the request “may” mirror the method by which it was received.
Regarding timing, businesses have 45 calendar days to respond to Requests to Know and Requests to Delete. Consistent with the CCPA, this period may be extended by an additional 45 calendar days if the business provides the consumer with a notice of and explanation for the extension. If the business cannot verify the request within 45 days, it may deny the request. This means that businesses have a total of 90 calendar days to respond to a Request to Know or Request to Delete.
As discussed below, the timeframe for responding to Requests to Opt-Out is shorter: 15 business days.
Responding to Requests to Know
Similar to the verification process for Requests to Know, the Regulations provide different instructions for a business to respond to requests to know categories of personal information, versus a request to know specific pieces of personal information. However, certain requirements apply to all responses to Requests to Know, such as the requirement that a business use “reasonable security measures” when transmitting personal information to the consumer.
Responding to Requests to Know Specific Pieces of Personal Information
The Regulations prohibit a business from disclosing certain information in response to requests to know specific pieces of personal information due to the sensitive nature of the information. For example, a business cannot provide a requestor with his or her Social Security number, driver’s license number or other government-issued identification numbers. Instead, the business must inform consumers “with sufficient particularity” that it collects those categories of personal information. For example, the business could state that it has the individual’s Social Security Number rather than disclosing the actual Social Security Number. If a business denies a request to know specific pieces of personal information “in whole or in part” due to “a conflict with federal or state law, or an exception to the CCPA,” the business shall so inform the requestor and explain the basis for the denial. When a request is denied in part, the business must comply with the remainder of the request.
Responding to Requests to Know Categories of Personal Information
When responding to a request to know “categories” of personal information, a business must generally provide an “individualized response to each consumer.” The Regulations provide that a business must respond to a request to know categories of personal information with the following, looking back 12-months from the date on which the business received the consumer’s request:
- “The categories of personal information the business has collected about the consumer in the preceding 12 months;
- The categories of sources from which the personal information was collected;
- The business or commercial purpose for which it collected or sold the personal information;
- The categories of third parties with which the business shared personal information;
- The categories of personal information that the business sold in the preceding 12 months, and for each category identified, the categories of third parties to which it sold that particular category of personal information; and
- The categories of personal information that the business disclosed for a business purpose in the preceding 12 months, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.”
In responding to a Request to Know, the Regulations provide that a business is not required to search for personal information if all the following conditions are met:
- “The business does not maintain the personal information in a searchable or reasonably accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.”
Responding to Requests to Delete
The Regulations provide that a business that honors a Request to Delete must do the following to appropriately comply with the request:
- “Permanently and completely erase the personal information on existing systems with the exception of archived or back-up systems;
- De-identify the personal information; or
- Aggregate the consumer information.”
The business is required to inform the consumer whether or not it has complied with their request and that it will maintain a record of the Request to Delete.
When a business denies a Request to Delete, the business must:
- Tell the consumer that it will not comply with request, including the basis for the denial;
- “Delete the consumer’s personal information that is not subject to the exception;” and
- Not use the personal information it retains for any purpose other than the purpose of the exception.
Furthermore, if a business that sells personal information denies a consumer’s request to delete, the Regulations make clear that the business must ask the consumer if they would like to opt-out of the sale of their personal information by including “either the contents of, or a link to, the notice of right to opt-out” in the response.
Responding to Requests to Opt-Out
The Regulations require that a business must comply with a Request to Opt-Out of the sale of personal information “as soon as feasibly possible,” and no later than 15 business days from the date that the business receives the request.
If a business sells a consumer’s personal information to a third party after receiving a consumer’s request to opt-out, but before responding to such consumer request, then the business must notify the third party that the consumer has made a request to opt-out of the sale of their personal information and must direct the third party not to sell that consumer’s personal information.
User-Enabled Global Privacy Controls
For businesses that collect personal information online, the Regulations require such businesses to treat “user-enabled global privacy controls” as a valid request to opt-out of the sale of personal information. User-enabled global privacy controls include “browser plug-ins or browser privacy settings, device settings, or any other mechanism that communicates the consumer’s choice to opt-out of the sale of their personal information.” Firms should determine whether certain third-party consent management providers can honor such global controls through existing settings.
If a consumer has existing privacy settings with a business or participates in a business’s financial incentive program and the business-specific privacy settings or financial incentive program conflict with a global privacy control, the business must “respect the global privacy control.” In such cases, the business may notify the consumer and give them the choice to confirm the business-specific privacy setting.
In responding to a consumer’s request to opt-out, a business may “provide the choice to opt-out of the sale for only certain types of personal information,” but only if the “global option” to opt-out of the sale of all personal information is “more prominently presented.”
For requests to opt-in to the sale of personal information, after consumers have already submitted a request to out-out, businesses must use a two-step opt-in process. Under this two-step opt-in process, consumers must: (i) “clearly request” to opt-in to the sale of personal information; and (ii) separately confirm their choice to opt-in.
Service Provider Relationships
The Regulations add to the circumstances under which a service provider can use personal information it processes on behalf of the business while still qualifying as a “service provider” for purposes of the CCPA.2 For example, the Regulations enable a service provider to use personal information to, among other things:
- “[P]rocess or maintain personal information on behalf of that business and in compliance with the written contract for services, as required under the CCPA;
- Retain and employ another service provider as a “subcontractor” where the subcontractor meets the requirements of a service provider under the CCPA;
- Improve the quality of the service provider’s services, subject to certain exceptions:
- Detect data security incidents; and
- Comply with federal, state or local laws.
The Regulations also make clear that if a service provider receives a Request to Know or a Request to Delete from a consumer, the service provider must either act on behalf of the business in responding to the consumer request or otherwise notify the consumer that it cannot act on the request because it was sent to a service provider.
Training and Recordkeeping
Under the Regulations, businesses must ensure that all individuals who are “responsible for handling consumer inquiries about the business’s privacy practices” or are responsible for the business’s compliance with the CCPA, are informed of all the requirements in the CCPA and the Regulations, and are informed about how to direct consumers to exercise their rights under CCPA.
The Regulations also impose certain recordkeeping requirements. For at least 24 months, businesses must maintain records of all CCPA consumer requests and how the business responded to each request (Consumer Request Records). Businesses also must implement and maintain “reasonable security procedure and practices” with respect to the Consumer Request Records.
The Consumer Request Records may be maintained in a ticket or log format, provided that the ticket or log includes the following information:
- The date and nature of the request;
- The manner in which the request was made;
- The date and nature of the business’s response; and
- The basis for the denial of the request if the request is denied in whole or in part.
Information maintained for the Consumer Request Records may not be used for any other purpose, except as “reasonably necessary” for businesses to review and improve their processes for CCPA compliance. Information maintained for the Consumer Request Records also may not be shared with third parties, unless necessary to comply with a legal obligation.
For businesses that buy, sell, or receive/share for a commercial purpose the personal information of 10 million or more consumers in a calendar year, the businesses are required to maintain additional documentation, metrics and training protocols related to the CCPA and the Regulations.
Firms subject to the CCPA should assess the modifications that will need to be made to their CCPA compliance programs and policies in anticipation of the Regulations being approved by the CA OAL and taking effect. Aspects of the Regulations that allow for more flexibility than that provided for under the statutory terms of the CCPA should be relied upon cautiously until the Regulations are finalized, but firms should work to implement the additional requirements imposed by the Regulations into their CCPA compliance programs in the near-term. Action items related to this review may include, but are not limited to:
- Making any updates to disclosure document user interfaces to meet the “readability” and “accessibility” standards required by the Regulations;
- Updating any “Do Not Sell” links with the required disclosures set out in the Regulations;
- Reviewing template contractual terms prepared to establish CCPA “service provider” relationships to account for the additional information-sharing purposes contemplated by the Regulations;
- Adopting policies and procedures that set out the methods for verifying and responding to consumer requests in a manner that is consistent with requirements set out in the Regulations;
- Preparing training materials and finalizing who within the firm’s organization will be responsible for handling consumer requests and the associated documentation;
- Ensuring that CCPA rights request submission methodologies are consistent with the provisions set out in the Regulations; and
- Confirming that the request intake protocols that the firm uses allow appropriate records of requests to be retained.
1) It should be noted that not all personal information of California residents is covered by the CCPA and the Regulations. The CCPA includes many exemptions, which exclude certain types of personal information from being subject to the CCPA and the Regulations. Some of the most notable exemptions include: (i) personal information that is collected, processed or sold pursuant to the federal Gramm-Leach-Bliley Act; (ii) personal information that is collected in a business-to-business context; and (iii) personal information collected from current or former employees or job applicants, when acting in such roles. The exemptions set forth in (ii) and (iii) are set to expire on January 1, 2021.
2) The designation of a “service provider” is significant under the CCPA because businesses may share consumers’ personal information with “service providers” without such sharing being considered a sale under the CCPA, provided that such sharing is necessary to perform a business purpose and the service provider does not further collect, sell, or use the consumers’ personal information, except as necessary to perform that business purpose. If a business shares personal information with a third party that does not qualify as a “service provider” under the CCPA, doing so could be deemed a sale of personal information under the CCPA’s broad definition of “sale.”