The California Consumer Privacy Act of 2018 (“CCPA”) established new privacy rights for California consumers but left many unanswered questions on how businesses should implement the new obligations imposed on them. With the CCPA’s effective date quickly approaching on January 1, 2020, the California Attorney General finally issued the long-awaited Proposed Regulations with the promise of providing clarity and specificity so businesses and their vendors (“Service Providers”) can effectively implement the CCPA. This alert summarizes some of the key takeaways from the Proposed Regulations and other rulemaking activity documents issued on October 10th (collectively, “Proposed Regulations”). The deadline to submit written comments to the Proposed Regulations is December 6 at 5:00 p.m.
- Notice to Consumers: Businesses must provide a notice to consumers, at the point of collection, stating what type of personal information is collected, for what purposes and whether any financial incentive is offered in exchange for using the personal information. For businesses that sell personal information, the Proposed Regulations provide guidance on how to provide an “opt-out” button for the sale of a consumer’s personal information.
- Handling Consumer Requests: Businesses that handle the personal information of more than four million California consumers must pay special attention to the training and record-keeping requirements added by the Proposed Regulations. For businesses selling personal information, the Proposed Regulations introduce a 90-day lookback requirement - so business must notify any third party they sold personal information to in the past 90 days, if a consumer withdraws their consent.
- Verifying Requests: The Proposed Regulations separate verifying consumer requests into two categories and processes: (1) when the consumer has a password-protected account with that business; and (2) when the consumer does not have an account with that business. In the first scenario, the business may verify the consumer’s identity through its existing authentication practices, as long as the business uses reasonable data security standards. In the second scenario, depending on the nature of the consumer’s request, the business should verify the identity of the non-accountholder to a “reasonable degree of certainty,” or to a “reasonable high degree of certainty.” A “reasonable degree of certainty” may include matching at least two data points provided by the consumer with data points maintained by the business. Before responding a consumer’s request to know specific pieces of personal information (as opposed to categories of personal information), a business should verify the identity of the requestor using the higher standard of a “reasonably high degree of certainty.” When facing requests to delete personal information, the Proposed Regulations give businesses flexibility to choose between these two verification standards, so long as the business considers the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.
- Discriminatory Practices and the Value of Data: According to the Proposed Regulations, price or service differences “reasonably related to the value of the consumer’s data” will not be considered discriminatory practices. Businesses may use any of the seven methods outlined by the Proposed Regulations to calculate the value of consumer’s data, or use “any other practical and reliable method of calculation used in good faith.” This method used must be documented in the event of an investigation by the Attorney General.
- Service Provider Contracts: The Proposed Regulations offer additional guidance and creates new rules Service Providers must follow when performing services:
Acknowledging the CCPA was unclear as to what “reasonably necessary and proportionate” means when Service Providers use personal information to provide services to a business, the Proposed Regulations clarify that Service Providers may not use personal information collected from one business to provide services to another business – as this is outside the bounds of “necessary and proportionate” and doing so would be advancing the “Commercial Purpose” of the Service Provider rather than the “Business Purpose” of the business. The only exception to this rule is for security and anti-fraud purposes. As a result of this clarification, companies may want to add the this language to their Service Provider contracts: “A Service Provider shall not use personal information received either from a person or entity it services or from a consumer’s direct interaction with the Service Provider for the purpose of providing services to another person or entity. A Service Provider may, however, combine personal information received from one or more entities to which it is a Service Provider, on behalf of such businesses, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.”
Acknowledging the need to present Service Providers with clear instructions on how to respond to consumer requests, the Proposed Regulations instruct Service Providers on how they should respond to a consumer’s request - by directing the consumer to the business who hired them and who is in control of the consumer’s personal information. As a result of this clarification, companies may want to add the following language to their Service Provider contracts: “If a Service Provider receives a request to know or a request to delete from a consumer regarding personal information that the Service Provider collects, maintains, or sells on behalf of the business it services, and does not comply with the request, it shall explain the basis for the denial. The Service Provider shall also inform the consumer that it should submit the request directly to the business on whose behalf the Service Provider processes the information and, when feasible, provide the consumer with contact information for that business."