On October 10, 2019, with no prior notice, the California Attorney General held a press conference announcing the publication of his office’s proposed regulations (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations) to implement the California Consumer Privacy Protection Act or the CCPA (the “Regulations”). The following day, the California Governor signed all five of the legislature’s proposed CCPA amendments and squeezed in sign-off of an amendment to California’s data breach law (expanding the definition of “personal information” to include biometric data, tax ID, passport and other government-issued ID numbers). The Regulations are open to public comment until December 6, 2019 and therefore subject to further changes just weeks before the CCPA goes into effect January 1, 2020. Although the Attorney General stated that his office will not begin CCPA enforcement until July 2020, the CCPA includes a 12-month lookback period. Therefore, while businesses now have freshly inked CCPA amendments to consider final, the Regulations are still to be determined. Nonetheless, businesses should use the remaining 69 days to continue implementing compliance mechanisms and the Regulations do give perspective as to the general interpretation of the CCPA from the office responsible for enforcing the new law.
NOTICES TO CONSUMERS
The Regulations reinforce that businesses must provide notice to consumers at or before the point of data collection, regardless of whether data are collected online or offline (e.g., in-person at the point of sale (“POS”), over the phone, via hard-copy forms). The Regulations also set forth specific parameters for the timing, form and format of notice, including requirements similar to express consent concepts that appear across many privacy laws, intended to ensure consumers are fully aware of and understand how their data will be processed. While these guideposts may generally seem straightforward, businesses will need to consider competing requirements across legal regimes balanced against business and operational compliance strategies.
Content. The notice must include:
- Descriptions of the categories of personal information to be collected
- The business or commercial purposes for which the personal information will be used
- A link to or web address (for offline notice) of the site where the business’s privacy policy is posted (if a business sells personal information, the notice must also include a link to or web address for the consumer to opt-out of the sale of personal information)
Form and Format. The notice must:
- Use plain language, avoiding overly technical language or legalese, and be descriptive enough for consumers to understand the categories of data collected and the uses and purposes
- Be presented in a format that draws consumers’ attention and is clearly visible (even on POS displays, mobile devices, or other small screens), or otherwise perceivable to visually impaired and other ADA-protected populations
- Be available in the language in which the business executes contracts, provides disclaimers, or provides other information to consumers, and be accessible to consumers with disabilities
Timing. Businesses must ensure the notice is clearly visible so that consumers will see the notice before any personal information is collected. The Regulations include specific examples of how to address this requirement:
- Online: Post a link on the website homepage (or on all pages where data are collected) and on the download page for mobile applications
- Offline: Include the notice within the paper form that collects personal information, provide printed copies of the notice at the point of collection, or display prominent signs directing consumers to the website notice
If a business receives personal information from another source (i.e., does not collect personal information directly from consumers), the business is not required to provide notice at the point of data collection unless the business plans to sell the information. In that case, the business must either contact the consumer and provide the opportunity to opt-out of the sale or verify that the data source provided appropriate notice. Assuming most businesses will not want to contact consumers directly, the business must not only confirm that the data source provided notice as required by the CCPA and the Regulations, but also obtain a signed attestation from the data source that includes a copy of the notice and describes how notice was provided (the attestation is subject to a 2-year retention period and must be made available to consumers upon request).
Restrictions on Other Data Collection and Uses. Once notice is provided, businesses must stick to the confines of the data collection and processing described in the notice. For example, businesses must provide a new notice to consumers (at the point of data collection) if the business intends to collect categories of personal information other than those described in the initial notice. Similarly, businesses cannot use or disclose consumers’ personal information except as described in the notice unless the business notifies the consumer of the new use or disclosure and obtains explicit consent.
Notice of Financial Incentives / Valuating Consumer Data
The CCPA prohibits businesses from discriminating against a consumer for exercising their CCPA rights. Discriminating behavior includes denying goods or services, charging different prices or rates for goods or services (including discounts or other benefits or imposing penalties), providing a different level or quality of goods or services to the consumer, or even suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
However, a business can still charge a different rate or provide a different level or quality of service if that difference is reasonably related to the value of the consumer’s data. A business can also offer financial incentives (e.g., coupons, rebates, loyalty programs or other benefits) for the collection of personal information, sale of information, or deletion, assuming the business provides adequate notice and permits consumers to opt-in to the financial incentive program.
The Regulations give two examples of financial incentives:
- Example 1: A music streaming business offers a free service and a premium service costing $5/month. If only the consumers that use the premium service are permitted to exercise an opt-out right, this practice is discriminatory, unless the $5/month is reasonably related to the value of the consumer’s data to the business.
- Example 2: A retailer offers discounts to consumers who sign up for an email list. If a consumer can continue to receive discounts even after making a request to know, a request to delete, and/or a request to opt-out, then the differing price level is not discriminatory.
Businesses must notify consumers of financial incentive programs and permit consumers to opt-in to the financial incentive program. The Regulations set out rules for what must be in these notices to consumers. A “notice of financial incentives” must meet the same form, format, and timing parameters required for notice generally and include all of the following:
- A concise summary of the financial incentive or price or service difference offered
- A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference
- How the consumer can opt-in to the financial incentive or price or service difference
- Notification of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right
- Explanation of why the financial incentive or price or service difference is permitted under the CCPA, including: (i) a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference, and (ii) a description of the method the business used to calculate the value of the consumer’s data
Businesses must use and document a reasonable and good-faith method to calculate the value of consumer data to the business, which must take into account at least one of the following:
- The marginal value to the business of the sale, collection or deletion of a consumer’s data or a typical consumer’s data
- The average value to the business of the sale, collection or deletion of a consumer’s data or a typical consumer’s data
- Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value
- Revenue generated by the business from the sale, collection or retention of consumers’ personal information
- Expenses related to the sale, collection or retention of consumers’ personal information
- Expenses related to the offer, provision or imposition of any financial incentive or price or service difference
- Profit generated by the business from the sale, collection or retention of consumers’ personal information
- Any other practical or reliable method of calculation used in good faith
Privacy Policy Requirements
Overlapping and supplemental to the notice at collection and notice of financial incentive requirements discussed above, businesses must document privacy policies detailing data collection and processing activities (in most cases, limited to the last 12 months of activities). The privacy policy must describe the business’s online and offline data practices and individual consumer rights. The same form and format specifications required for notice apply to the approach and display for privacy policies. Businesses must post a conspicuous link to the privacy policy on the website home page or download page (for mobile apps) and the link must include the word “privacy.” Businesses without a website still must make the privacy policy conspicuously available.
Privacy policies must contain:
- The categories of sources from which personal information was collected and the categories of third parties to whom the business discloses personal information
- A list of consumers’ rights, instructions for exercising those rights, and where applicable, limitations on the rights, including:
  - Right to know (individually) what information the business collects, discloses and sells
  - Right to request deletion of personal information
  - Right to opt-out of sale of personal information (including the required notice content or a link to the opt-out notice)
  - Right to not be discriminated against for exercising rights
- A statement of whether the business sells the personal information of children under age 16 without affirmative authorization
- A statement of whether the business sold or disclosed personal information to third parties for a business or commercial purpose and, if so, the categories of third-party recipients
- Who to contact for questions or concerns, including a contact method aligned with how the business primarily interacts with consumers
- The date the privacy policy was last updated
If the business sells, buys or receives personal information for commercial purposes about 4 million or more California consumers, the business must also include the required metrics related to data processing activities for the previous calendar year (see Transparency and Metrics for Big Data Brokers section below).
CONSUMER RIGHTS AND REQUESTS
The Regulations include examples and additional details on how businesses must notify consumers of their data rights, acceptable methods for consumers to submit their requests, and requirements for businesses to respond to those requests, including new timelines to give consumers notice that the business received their request.
Right to Know Requests
Consumers have the right to request to know information about any or all of the following business practices applicable to the 12-month period prior to the request:
- Categories of personal information collected about them (i.e., what is collected)
- The business or commercial purpose for which it was collected (i.e., how it will be used)
- Categories of sources from which the information was collected (i.e., where it was collected)
- Categories of personal information sold or disclosed for a business purpose about them (i.e., what is disclosed)
- Categories of third parties to whom the personal information was sold or disclosed (i.e., to whom it is disclosed)
- The business or commercial purpose for which it was sold or disclosed (i.e., why it was used)
When honoring these requests, a business must prepare an individualized response to the consumer and must not refer to the business’s general practices outlined in the privacy policy unless the response would be the same for all consumers. The 12-month period covered by a request runs from the date the business receives the request (regardless of the time required to verify).
Under the Regulations, businesses have 10 days to acknowledge receipt of a right to know request and to give more information about how the business will process the request, including a description of the verification process. Businesses have 45 days to respond to a right to know request (regardless of how long it takes to verify), and may extend that period by 45 days if the business gives the individual notice of the extension and an explanation for the delay. A business is only required to honor a “verifiable consumer request.” If a business cannot verify the identity of a requestor, the business cannot deny the request. The business must inform the requestor that the business could not verify their identity.
Right to Access (or Copy)
Consumers have the right to request a copy of their personal information held by a business. Upon verifiable consumer request, the business must deliver, by mail or electronically, free of charge, the categories and specific pieces of personal information collected on the consumer covering the 12-month period preceding the request.
A business must use reasonable security measures when transmitting personal information to the consumer. If a business maintains a password-protected account with the consumer, it may use a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to, uses reasonable data security controls, and complies with the verification requirements in the Regulations.
Businesses can limit their responses to these requests to address the risk of fraud or security risk. Specifically, the Regulations prohibit businesses from providing a consumer with specific pieces of information if the disclosure would create a substantial, articulable and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Further, the business must not provide Social Security numbers, driver’s license numbers or other government ID numbers, financial account numbers, health insurance or medical ID numbers, account passwords, or security questions and answers in response to a request for specific pieces of information.
Under the Regulations, businesses have 10 days to acknowledge receipt of a right of access request and to give more information about how the business will process the request, including a description of the verification process. Businesses have 45 days to respond to a right of access request (regardless of how long it takes to verify), and may extend that period by 45 days if the business gives the individual notice of the extension and an explanation for the delay.
If a business denies a request to access specific pieces of information, in whole or in part, because of a conflict with applicable law or an exception to the CCPA, the business must inform the requestor and explain the basis for the denial. If a business cannot verify the identity of a requestor, the business cannot deny the request. The business must inform the requestor that the business could not verify their identity.
Right to Deletion
A business must honor verifiable consumer requests to delete the consumer’s personal information from its records and direct all of its service providers to do the same, subject to several exceptions. Businesses must provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request. Businesses must also describe the process the business will use to verify the consumer request, including the information the consumer needs to provide.
The Regulations require businesses to provide two or more designated methods for submitting requests to delete. Acceptable methods explicitly mentioned in the Regulations include a toll-free phone number, a link or form available online through the business’s website, a designated e-mail address, a form submitted in person, and a form submitted through the mail. At least one of the methods used to receive right to delete requests must reflect the manner in which the business primarily interacts with the consumer. The Regulations give the example of a business that has a website but primarily interacts with customers in person at its retail location; such a business should provide a form that can be submitted in person at the retail location. Under the Regulations, businesses have 10 days to acknowledge receipt of a right to delete request and to give more information about how the business will process the request, including a description of the verification process. Businesses have 45 days to respond to a right to delete request (regardless of how long it takes to verify), and may extend that period by 45 days if the business gives the individual notice of the extension and an explanation for the delay.
Consumer requests made through a password-protected account may be verified through the business’s existing authentication practices for the consumer’s account. However, the consumer must re-authenticate before their personal information is deleted. When a consumer does not hold an account, the Regulations provide a risk-based scale for verifying the consumer making a right to delete request, requiring either a reasonable degree of certainty or a reasonably high degree of certainty. The sliding scale is based on the business’s good-faith assessment of the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. If a business is unable to verify the individual, the business must treat the request as an opt-out request instead of a deletion request.
A verified request to delete may be satisfied by permanently erasing the personal information on the business’s systems (with an exception for backup systems), or by de-identifying or aggregating the consumer’s personal information. Personal information is considered de-identified when it cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. Aggregated information is data that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including via a device.
When responding to the consumer, the business must disclose the method by which it complied with the consumer request. If a consumer submits a deficient request to delete, the business can either treat the request as if it were correct in form or provide the consumer with additional direction and an opportunity to cure the defect.
When a business denies a deletion request, it must notify the consumer and provide the basis for rejecting the request. There are several exceptions to the right to deletion, including several scenarios where a business needs the consumer’s personal information for valid reasons such as:
(1) providing goods or services to the consumer
(2) identifying/resolving functionality or security issues
(3) complying with other legal obligations
(4) conducting legitimate research in the public interest
(5) protecting the exercise of free speech or another’s exercise of free speech
(6) using the information for internal purposes that the consumer should expect
Right to Opt-Out of Sale
As should be clear from the preceding section on Notices to Consumers, the CCPA model is largely one of opt-out rights, as opposed to mandating that everything from browser cookies onward requires an opt-in. Nonetheless, there are some ins and outs that can be more complicated.
Opting Out
The CCPA grants consumers the right to opt-out of having their personal information “sold” by a business and directs each covered business to include a clear statement of the right to opt out in the privacy notice presented to the consumer when personal information is being collected. The Regulations require businesses to give a “notice of right to opt-out.” The request to opt-out does not apply to how an individual business uses the consumer’s information, but rather to whether that business will be permitted to “sell” the consumer’s information to third parties for the recipient’s own use and benefit.
The privacy policy content required by the Regulations mandates that each business selling personal information provide a hyperlink titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”. In the future, the AG’s office anticipates presenting a presumably standardized opt-out button or logo in lieu of the quoted wording above.
To exercise an opt-out request, a consumer would click the linked words, button, or logo that businesses must present either within their privacy policy or on a separate landing page (whether for website or mobile app), explaining how an individual may exercise an opt-out request. Beyond the clearly visible and ADA-accessible requirements of the privacy notice generally, the opt-out instructions must:
- Explain the consumer’s opt-out right;
- Present a webform for online requests or the offline method available from those businesses that do not operate a website;
- Instruct on any alternative methods to submit the request;
- Explain the proof required when a consumer request is submitted by an authorized agent; and
- Link to or provide the URL of the business’s main privacy policy.
Businesses are not required to provide the opt-out link if they do not sell or intend to sell consumer information and include a statement to that express effect in the privacy policy.
Opting In (or Back In)
Opt-in applies in two circumstances. First, when the business has actual knowledge that it collects or maintains the personal information of children under the age of 16, and second, when a consumer is opting in after previously having opted out. For the former, the opt-in applies with respect to the business’s intention to sell the minor’s personal information as further described below in the Special Rules for Minors section. Similarly, if the business targets consumers under 16 but has no intention of selling this information, there is no need to provide any subsequent opt-out notice. Finally, a consumer who has previously opted-out from the sale of their information or has previously not opted-in (such as those under 16 or their parent/legal guardian) has the right to communicate a request to opt-in.
VERIFIABLE REQUESTS
Businesses are only required to honor verifiable consumer requests for the right to know, right to access, and right to delete. A “verifiable consumer request” is “a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify.”
Businesses must establish, document, and comply with a reasonable method for verifying that the person making a request is the consumer about whom the business has collected information. The Regulations state that businesses should match consumer-provided identifying information to the personal information maintained by the business or use a third-party identity verification service.
In defining their reasonable methods for verification, businesses should take into account the:
- Ability to match identifying information provided by the consumer with personal information held by the business
- Sensitivity of the personal information covered by the request
- Particular risk of harm from unauthorized access or deletion
- Likelihood that requests are made by fraudulent or malicious actors, or are spoofed or fabricated
- Context of the business’s relationship with the customer
Businesses should avoid collecting new or additional personal information from the consumer for purposes of verification.
Businesses have different verification requirements when consumers use a password-protected account versus when consumers call a toll-free number or complete a publicly-available website form. If a business maintains a password-protected account with the consumer, the entity may verify the consumer’s identity through the existing authentication practices for the account. However, even those consumers must be re-authenticated before a business can disclose information or delete their information.
For non-account holders, the Regulations set standards depending on the type of request exercised. When a consumer exercises a right to know request about the categories of personal information collected about them, businesses must verify the identity of the consumer to a “reasonable degree of certainty.” The Regulations suggest businesses match at least two consumer-provided data points with business-maintained data points. When a consumer requests to know specific pieces of personal information, businesses will have to verify the identity of the consumer to a “reasonably high degree of certainty,” a stricter bar. A “reasonably high degree of certainty” would be met if the business: (i) matches at least three consumer-provided data points with three business-maintained data points, and (ii) obtains a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. These declarations should be maintained as part of the business’s record-keeping obligations.
The CCPA and the Regulations also create a sliding-scale standard for verifying consumers who exercise their right to delete. Businesses must use good faith to either verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty, depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion. The Regulations provide the example of deleting photographs and documents to require a reasonably high degree of certainty, while deleting browser history requires only a reasonable degree of certainty.
The Regulations also state that when consumers use an authorized agent (with written permission) to submit a request to know or a request to delete, the business may require the consumer to verify their own identity directly with the business. This suggests businesses should take steps to verify the identity of the consumer and that the agent has authority to act as the consumer’s agent.
Authorized agents can submit requests to opt-out on behalf of consumers, but consumers must give written permission to the authorized agent. A request to opt-out is not subject to scrutiny as a verifiable consumer request. This means that requests to opt-out are not subject to either the reasonable degree of certainty or the reasonably high degree of certainty standard. However, if the business has a “good faith, reasonable, and documented belief” that an opt-out request is fraudulent, the business may deny the request. If a business denies an opt-out request on that basis, it must notify the requestor that the business will not comply with the request and explain why the request is believed to be fraudulent.
The Regulations also instruct businesses on what to do when they cannot verify a consumer. When a business cannot verify a request for specific pieces of information, it must treat the request as if it were seeking the disclosure of categories of personal information about the consumer instead. Businesses should direct consumers to the privacy policy if they cannot verify right to know requests about the categories of personal information collected. For deletion requests, an unverifiable request must be treated as an opt-out of sale.
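The verification tiers and the fallbacks for unverifiable requests described in this section, worked through as a request-handling decision. This is an added example and not text or code from the article or from the Attorney General's Regulations: the request and tier names, the identifying data-point fields, the outcome labels and the sample record are constructed for illustration; the thresholds (two matched data points, three plus a signed declaration, re-authentication for account holders, specific pieces falling back to categories, deletion falling back to opt-out) are taken from the text as written.

```python
from dataclasses import dataclass, field
from enum import Enum


class RequestType(Enum):
    KNOW_CATEGORIES = "request to know categories"
    KNOW_SPECIFIC = "request to know specific pieces"
    DELETE = "request to delete"
    OPT_OUT = "request to opt-out of sale"


class Tier(Enum):
    NONE = 0             # opt-out is not treated as a "verifiable consumer request"
    REASONABLE = 1       # reasonable degree of certainty
    REASONABLY_HIGH = 2  # reasonably high degree of certainty


@dataclass
class Request:
    kind: RequestType
    provided: dict = field(default_factory=dict)  # identifying data points the requester supplied (constructed field names)
    signed_declaration: bool = False   # declaration under penalty of perjury (specific pieces)
    sensitive_data: bool = False       # business's good-faith sensitivity/harm assessment (delete)
    has_account: bool = False          # request made through a password-protected account
    reauthenticated: bool = False      # account holder re-authenticated for this request


def required_tier(req: Request) -> Tier:
    """Map a request to the certainty standard the text describes."""
    if req.kind is RequestType.OPT_OUT:
        return Tier.NONE
    if req.kind is RequestType.KNOW_CATEGORIES:
        return Tier.REASONABLE
    if req.kind is RequestType.KNOW_SPECIFIC:
        return Tier.REASONABLY_HIGH
    # Deletion: sliding scale based on sensitivity and risk of harm from wrongful deletion.
    return Tier.REASONABLY_HIGH if req.sensitive_data else Tier.REASONABLE


def _norm(value) -> str:
    return " ".join(str(value).split()).lower()


def matched_points(provided: dict, on_file: dict) -> int:
    """Count requester-supplied data points that match what the business already holds.
    Only fields on file are compared, so verification does not become a reason to
    collect new personal information from the consumer."""
    return sum(1 for k, v in provided.items() if k in on_file and _norm(v) == _norm(on_file[k]))


def is_verified(req: Request, on_file: dict) -> bool:
    tier = required_tier(req)
    if tier is Tier.NONE:
        return True
    if req.has_account:
        # Existing account authentication counts, but the consumer must re-authenticate
        # before anything is disclosed or deleted.
        return req.reauthenticated
    n = matched_points(req.provided, on_file)
    if tier is Tier.REASONABLE:
        return n >= 2
    return n >= 3 and req.signed_declaration


def handle_request(req: Request, on_file: dict) -> tuple:
    """Return (outcome, request type actually processed), applying the fallbacks for
    unverifiable requests: specific pieces -> categories -> refer to privacy policy;
    delete -> opt-out of sale. In every fallback the requester must also be told
    that their identity could not be verified."""
    if is_verified(req, on_file):
        return "verified", req.kind
    if req.kind is RequestType.KNOW_SPECIFIC:
        downgraded = Request(RequestType.KNOW_CATEGORIES, req.provided,
                             has_account=req.has_account, reauthenticated=req.reauthenticated)
        if is_verified(downgraded, on_file):
            return "verified_as_categories", RequestType.KNOW_CATEGORIES
        return "unverified_refer_to_privacy_policy", RequestType.KNOW_CATEGORIES
    if req.kind is RequestType.KNOW_CATEGORIES:
        return "unverified_refer_to_privacy_policy", req.kind
    # A deletion request that cannot be verified is treated as an opt-out of sale.
    return "unverified_treated_as_opt_out", RequestType.OPT_OUT


# Constructed sample record held by the business (not real data).
ON_FILE = {"email": "alice@example.com", "phone": "555-0100", "postal_code": "94105"}

if __name__ == "__main__":
    r = Request(RequestType.KNOW_SPECIFIC, {"email": "Alice@Example.com", "phone": "555-0100"})
    print(handle_request(r, ON_FILE))
```

The matching step deliberately compares only fields the business already holds, which is how the text's instruction to avoid collecting new personal information for verification shows up in code; the sensitivity flag on deletion requests is an input, since the Regulations leave that assessment to the business's good-faith judgment.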
SERVICE PROVIDERS
The Regulations attempt to clarify who is and is not a service provider and indicate that the definition of “service provider” includes vendors that provide services to a person or organization not considered a “business” subject to the CCPA (e.g., non-profits and government entities) but which otherwise meet the “service provider” definition. Therefore, while the recipient of the services may not itself be subject to the CCPA, its vendor may still be a service provider under the CCPA. The original “service provider” definition contemplated that the service provider would receive personal information from the business it serves (and not that it could also directly collect information on behalf of the business). The Regulations clarify that a vendor that collects personal information directly from consumers and meets all other requirements of a “service provider” under the CCPA will be treated as a service provider for purposes of the CCPA.
The Regulations also clarify the following matters with regard to service providers:
- Service providers are prohibited from using the personal information they collect from or for one customer to serve another customer, except for data security purposes or to protect against fraud or illegal activity. It is unclear how this exception will play out, but it may be helpful for service providers that typically compile data across customers to enhance their ability to detect and prevent fraud (e.g., financial services vendors that prevent credit card fraud).
- A vendor that considers itself both a business subject to the CCPA and a service provider under the CCPA must comply with the CCPA and the Regulations concerning any personal information it collects, maintains, or sells outside of its role as a service provider.
- If a service provider receives a consumer request to know or delete personal information that the service provider collects, maintains or sells on behalf of its customer and does not comply with the request, the service provider will explain why the request was denied and inform the consumer to contact the service provider’s customer directly.
TRAINING AND RECORD KEEPING
The Regulations also emphasize the importance of properly training employees responsible for CCPA implementation and compliance, as well as those responsible for receiving and responding to consumer questions and requests. All employees responsible for any of the activities required by the CCPA should be trained on how to respond to consumer inquiries and requests, how to document requests and responses, procedures for validating requests, how to instruct consumers on exercising their rights, and other requirements of the CCPA and the Regulations. While many commercial training products will likely result from this requirement, it is important for businesses to ensure employees are also trained on policies and procedures specific to the business and that training completion is tracked and documented.
Businesses must also maintain (for at least two years) records of consumer requests received pursuant to CCPA requirements and how the business responded to the requests. Under the Regulations, businesses can use ticketing systems or more manual logs to track these activities as long as the records include the: (i) date and manner of request, (ii) date and nature of the business’s response, and (iii) the basis for denial (as applicable). The Regulations also clarify that a business is not required to maintain personal information just to fulfill consumer requests and that information maintained for compliance with the record-keeping requirements will not violate the CCPA or its regulations if only used for such record-keeping purposes. This means businesses should still only retain personal information as long as necessary to fulfill the intended, permissible purpose (data minimization) but can retain certain personal information as necessary to demonstrate its response to consumer requests.
TRANSPARENCY AND METRICS FOR BIG DATA BROKERS
In addition to the record-keeping requirements, the Regulations also impose requirements that apply only to businesses that (on an annual basis) buy, receive, sell, or share the personal information of 4 million or more California consumers for commercial purposes. Such businesses must compile metrics related to data processing for the previous calendar year and post them in the business’s privacy policy or on another website page that is linked from the privacy policy. The metrics must include:
- The number of requests related to the right to know, right to delete, and right to opt-out (separate numbers per category) that the business received, complied with (in whole or in part) or denied in the last 12 months
- The median number of days it took the business to resolve the requests (not just respond to acknowledge receipt) over the last 12 months
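The request log from the Training and Record Keeping section and the metrics required of large data brokers above, worked through together on a constructed log. This is an added example, not code from the article or from the Attorney General's office: the record fields follow the three items the text lists (date and manner of request, date and nature of response, basis for denial), the counts and median follow the two metrics above, and the deadline check applies the 10-day acknowledgement and 45-day response (plus 45-day extension) timelines the article gives for know and delete requests. Field names, category labels, the reporting window and every sample request are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

CATEGORIES = ("know", "delete", "opt_out")  # constructed labels for the three request types


@dataclass
class RequestRecord:
    request_id: str
    category: str                       # one of CATEGORIES
    received: date                      # date of request
    manner: str                         # manner of request: webform, toll-free, in-person, mail
    nature: str                         # nature of response: complied, complied_in_part, denied, open
    responded: Optional[date] = None    # date of substantive response (None while open)
    acknowledged: Optional[date] = None # date receipt was acknowledged
    denial_basis: Optional[str] = None  # required when denied in whole or in part
    extended: bool = False              # 45-day extension given with notice and explanation


def annual_metrics(records, start: date, end: date) -> dict:
    """Counts per category plus the overall median days to resolve, for requests
    received in [start, end] (the previous calendar year for the published report)."""
    in_window = [r for r in records if start <= r.received <= end]
    report = {}
    for cat in CATEGORIES:
        rows = [r for r in in_window if r.category == cat]
        report[cat] = {
            "received": len(rows),
            "complied": sum(r.nature in ("complied", "complied_in_part") for r in rows),
            "denied": sum(r.nature == "denied" for r in rows),
        }
    # Resolution means the substantive response, not the acknowledgement of receipt.
    durations = [(r.responded - r.received).days for r in in_window if r.responded is not None]
    report["median_days_to_resolve"] = median(durations) if durations else None
    return report


def overdue(records, as_of: date) -> dict:
    """Requests past the acknowledgement or response deadline as of a given date.
    The article states these timelines for know and delete requests only, so
    opt-out requests are not checked here."""
    late = {}
    for r in records:
        if r.category == "opt_out":
            continue
        reasons = []
        ack_deadline = r.received + timedelta(days=10)
        if (r.acknowledged is None and as_of > ack_deadline) or \
           (r.acknowledged is not None and r.acknowledged > ack_deadline):
            reasons.append("acknowledgement")
        resp_deadline = r.received + timedelta(days=45 + (45 if r.extended else 0))
        if (r.responded is None and as_of > resp_deadline) or \
           (r.responded is not None and r.responded > resp_deadline):
            reasons.append("response")
        if reasons:
            late[r.request_id] = reasons
    return late


# Constructed sample log (not real requests).
SAMPLE_LOG = [
    RequestRecord("R1", "know", date(2020, 2, 3), "webform", "complied",
                  responded=date(2020, 3, 10), acknowledged=date(2020, 2, 5)),
    RequestRecord("R2", "know", date(2020, 5, 11), "toll-free", "denied",
                  responded=date(2020, 6, 1), acknowledged=date(2020, 5, 14),
                  denial_basis="identity not verified; requester referred to privacy policy"),
    RequestRecord("R3", "delete", date(2020, 7, 20), "in-person", "complied_in_part",
                  responded=date(2020, 8, 28), acknowledged=date(2020, 7, 22),
                  denial_basis="records needed to complete an open transaction were retained"),
    RequestRecord("R4", "delete", date(2020, 9, 2), "webform", "open",
                  acknowledged=date(2020, 9, 4), extended=True),
    RequestRecord("R5", "opt_out", date(2020, 10, 15), "webform", "complied",
                  responded=date(2020, 10, 16), acknowledged=date(2020, 10, 15)),
    RequestRecord("R6", "know", date(2019, 12, 20), "mail", "complied",
                  responded=date(2020, 1, 15), acknowledged=date(2019, 12, 23)),
    RequestRecord("R7", "delete", date(2020, 9, 10), "mail", "open"),
]


def sample_report() -> dict:
    """Metrics for the constructed 2020 calendar year."""
    return annual_metrics(SAMPLE_LOG, date(2020, 1, 1), date(2020, 12, 31))


def sample_overdue() -> dict:
    """Deadline check on the constructed log as of 30 October 2020."""
    return overdue(SAMPLE_LOG, date(2020, 10, 30))


if __name__ == "__main__":
    print(sample_report())
    print(sample_overdue())
```

The same log entries double as the two-year retention record the text requires, which is why each row carries the denial basis and both dates rather than only the outcome; the `overdue` check is the kind of routine report a ticketing system can run so that the 10-day and 45-day clocks are tracked from the date of receipt, regardless of how long verification takes.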
Businesses subject to these requirements must also document a training policy to ensure employees responsible for handling such requests or the business’s compliance with the CCPA are appropriately aware of and trained on the CCPA and the Regulations.
SPECIAL RULES FOR MINORS
Under the CCPA, minors under age 13 must have a parent or legal guardian opt-in or consent to the sale of the minor’s personal information. Minors between 13 and 15 years of age are required to opt-in themselves in order for their personal information to be lawfully sold. For the under 13 age group, the Regulations require businesses that have actual knowledge that they collect or maintain information from children under 13 and that intend to sell that data to a third party to establish, document, and use a reasonable method to determine whether the consenting individual is indeed the child’s parent/legal guardian. The Regulations propose several methods that “are reasonably calculated to ensure” verification of the parent/legal guardian consent, but offer no safe harbor or enforcement exemption if an enumerated method fails to ensure verification. The methods have a lot in common with methods used to verify parent/legal guardian consent under the Children’s Online Privacy Protection Act (“COPPA”). However, the Regulations state that the consent required for CCPA purposes should be considered in addition to consent required under COPPA. This could perhaps result in using the same method to obtain consent under both statutes, subject to making sure that the parent/legal guardian affirmatively gives a tailored consent for both COPPA and CCPA purposes rather than a generic or blanket consent. For the 13 to 15 age group, the Regulations only require businesses intending to sell children’s data to establish a reasonable process for such minors to opt-in to the sale of their personal information (using a two-step process in which the minor opts-in and then confirms their choice to opt-in) and to provide details on how they may exercise the right to opt-out. The Regulations require businesses to describe in the business’s privacy policy how minors or their parents/legal guardians may opt-in to the sale of their personal information.