The long wait is over. The Attorney General of California has finally issued his proposed regulations on the California Consumer Privacy Act (CCPA), and for privacy professionals, it feels like Christmas morning. The sense of anticipation in unwrapping the regs has been visceral—are they akin to that bright and shiny toy we’ve been yearning for, or more like underwear and socks from Aunt Bernice? At first blush, they’re a little bit of both.
When the legislature passed the CCPA, there were aspects of the law that needed to be fleshed out by regulatory guidance. Toward that end, Civil Code §1798.185(a) specifically authorized the issuance of regulations on the following areas:
- Updating categories of "personal information" and definitions of "unique identifiers" to address changes in technology, data collection practices, and privacy concerns;
- Establishing exceptions in order to comply with state or federal law;
- Describing the mechanisms for consumers to submit, and businesses to process, opt-out requests from the sale of "personal information"; and
- Providing guidance on how businesses should determine how to authenticate and process "verifiable consumer requests."
More broadly, the Attorney General was authorized to adopt "additional regulations as necessary to further the purposes" of the statute. He has done so, and this article looks to highlight the regs as proposed.
Verifiable Consumer Requests
Since the CCPA was enacted, businesses have sought guidance concerning verifying the identity of consumers for purposes of processing a "verifiable consumer request." For their part, privacy and security advocates have expressed concern that if a business receives a request for access to a consumer's information but fails to adequately authenticate identity, consumer data could be yielded to identity thieves, resulting in a data breach. Hence the importance of authenticating a user's identity, which is made even more challenging when businesses collect only a small set of data against which they can attempt a match, creating a perverse incentive for companies to gather even more information arguably needed for verification purposes.
The AG’s regulations address general verification principles, including an ambiguous requirement that businesses "establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information." In that regard, businesses are encouraged to match identifying information supplied by the requestor against information already in their possession, or to use a third-party identity verification service. Interestingly, the proposed regs recommend that companies avoid collecting the types of personal information identified in Civil Code §1798.81.5(d)—social security, driver's license, or account numbers or medical information and the like)—though presumably partial data sets of these information types would still be acceptable (read: the last four digits of and SSN). And while businesses are discouraged from collecting additional data to verify a consumer's identity, such information may be gathered if the business can’t otherwise confirm a user's identity, though the additional data may be used solely for purposes of verification.
For users with password-protected accounts, verification is simple: they should adhere to existing authentication practices (for instance, users should be required to provide a password before processing an information or deletion request). However, for consumers without password-protected accounts, authentication becomes more complicated. To address this, the regulations employ a sliding scale of verification based on the sensitivity of the data requested. For requests to know only the "categories" of personal information collected or processed, a business only needs to verify the requestor's identity with a "reasonable degree of certainty." This "may include matching at least two data points provided by the consumer with data points maintained by the business, which the business has determined to be reliable for the purpose of verifying the consumer."
On the other hand, when the requestor seeks "specific pieces of personal information," the business must verify his or her identity with a "reasonably high degree of certainty," which may include "matching at least three pieces of personal information" in addition to "a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request." For deletion requests, the verification method (reasonable v. reasonably high) is dependent on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.
In addition to disclosing the categories of personal information that a business will collect and the categories of third parties with whom that personal information may be shared, the regulations as proposed require businesses to disclose the categories of personal information and whether they had disclosed personal information to third parties in the preceding 12 months. While this may seem unobjectionable where a business has been complying with the CCPA for several years and has already previously disclosed prior years' privacy practice, the mandate could be a problem for businesses seeking to comply beginning January 1, 2020, forcing them to publicly disclose data sharing in 2019 before they had become compliant. As such, comments to the Attorney General may suggest an effective date of January 1, 2021 for this additional requirement.
Transparency and Accessibility
In terms of what a businesses is required to disclose at the time it collects personal information, the AG’s regulations attempt to address issues of notice, transparency, and accessibility by requiring that privacy policies be accessible to consumers with disabilities and available in "languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers." For businesses already struggling with website ADA compliance, this mandate may pose an additional logistical hurdle; however, recognizing that one of the stated goals of the CCPA is to provide consumers with substantive notice of a business's privacy practices, the inclusion of this regulation wasn’t surprising.
Explicit Consent for Changes to Privacy Practices
One of the most substantive differences between the EU's General Data Protection Regulation (GDPR) and the CCPA is the role of consent. With respect to the GDPR, before personal information can be collected or processed, a controller or processor must be able to establish one of the six lawful bases for doing so. Conversely, the CCPA follows the "notice and opt-out" model similar to the federal Gramm-Leach-Bliley Act (GLBA), requiring businesses to provide consumers with notice of privacy practices and the opportunity to opt-out of the sale of their data.
But what happens when a business decides to change its privacy practices? Many such policies drafted pre-CCPA relied on an "implied consent" model—in other words, they left open the possibility of amendment over time and stated that if consumers continued to interact with a given business after privacy policies changed, it was implied that the consumers consented to those modifications. However, considering that most consumers don't bother reading privacy policies in the first place, it may have been unrealistic to expect that they check up on a policy’s status and pick up on subtle changes over time.
Opt-Out Without Consumer Relationship
In the world of mass storage and big data analytics, there are many businesses that collect consumers' personal information without any direct contact with them whatsoever. Yet how are these businesses expected to provide notice and offer opt-outs before selling personal information if they have no relationship with their customers?
The regulations make clear that any business in such a situation does not need to provide notice to consumers at the time of collection. Nevertheless, before it sells personal information, the business first needs to: 1) contact the consumer directly and provide notice of his or her right to opt-out of the sale; or 2) contact the source of the personal information, confirm that it provided CCPA notice at the time of collection, and "[o]btain signed attestations from the source describing how [it] gave notice at collection" (including an example of the notice). These attestations must be retained for at least two years and made available to the consumer on request.
What's a Financial Incentive Worth Nowadays?
To protect consumers, the CCPA explicitly prohibits businesses from discriminating against those exercising their statutory privacy rights. Specifically, businesses may not deny goods or services, or charge different prices for goods or services, to such consumers. Nonetheless, the CCPA does allow businesses to offer financial incentives relating to the collection, sale, or deletion of personal information (or where the difference in price is directly related to the value of the data collected). However, prior notice is to be given and consumers must be allowed to opt-in (and opt-out) at any time.
The regulations address the required content of the financial incentive notice, which must include: 1) a succinct summary of the financial incentive; 2) a description of its material terms, including the categories of personal information implicated by the financial incentive program; 3) information on how the consumer can opt-in to the incentive; 4) notice of the consumer's right to withdraw and how that right may be exercised; and 5) an explanation of why the financial incentive is permitted under the CCPA, which must include a good faith estimate of the value of the relevant consumer's data and a description of the method the business uses to calculate that value.
Translation: if a business intends to monetize consumers' personal information as part of a financial incentive program, it needs to disclose the relative value of that data. No doubt, there may be some companies that choose to discontinue these programs out of reluctance to share the "secret sauce" of their monetization with consumers.
Another aspect of the CCPA regarded with scrutiny is the allowance for verifiable consumer requests to be made by a consumer's "authorized agent," defined in the proposed regs as "a natural person or a business entity registered with the Secretary of State that a consumer has authorized to act on their behalf . . ." According to the AG, CCPA-compliant privacy policies require businesses to explain how consumers can designate an authorized agent to make requests on their behalf. Also, in processing requests from authorized agents, businesses may ask consumers to provide written permission for their authorized agents to submit requests on their behalf and to verify the consumers’ identity directly.
Responding to Knowledge and Deletion Requests
The CCPA mandates businesses to provide at least two designated methods for submitting requests for information, including at least a toll-free telephone number and, if the business maintains a website, a website address or portal. The proposed regulations identify other acceptable methods, including a designated email address or form submitted in person or through the mail. At least one method offered "shall reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods of submitting requests to know." For requests that do not match one of the designated methods, businesses must either treat the request as properly submitted or provide the consumer with specific directions how to submit the request or remedy any deficiencies. Also, deletion requests now require a two-step confirmation process (read: the submission of the request followed by a separate confirmation), presumably to avoid accidental deletions.
Once a request has been received, a business has 10 days to confirm its receipt to the consumer and provide information on how the request will be processed, including an expected response date. Responses must be processed within 45 days; however, if necessary, a business can take up to an additional 45 days to respond (for a total of 90 days), provided the consumer is notified of the delay and an explanation for it is provided.
Consumer requests are contingent on the strength of the verification, which can depend on the sensitivity of the data being requested. If a business is unable to verify a requestor's identity for specific information with a "reasonably high degree of certainty," it has the option of either denying the request or (if a "reasonable degree of certainty" is obtained), it can disclose the categories of information collected. The regs also contain a catch-all, providing that a business shall not disclose specific pieces of information if the disclosure "creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer's account with the business, or the security of the business's systems or networks." Regardless of the degree of verification, businesses are instructed not to disclose, at any time, "a consumer's Social Security number, driver's license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers." If a request is denied (including based on state or federal law), the requestor shall be notified of the denial and the basis therefore.
From a technical perspective, the prospect of deletion requests has given IT professionals heartburn, both under GDPR and now CCPA. Still, the proposed regulations provide some partial relief, clarifying that archives and back-up systems are initially excepted from the deletion request; businesses may delay compliance with these systems "until the archived or backup system is next accessed or used." From a practical standpoint, for a business engaging in incremental daily backups that does not access those backups during a two-year retention period, this may mean that deletion requests will not be processed on backup systems and the backups will ultimately be deleted with the consumer's data still present. However, what's unclear is to what degree backups will need to be modified if accessed for only a partial data recovery; for example, if a user's email folder needs to be recovered as a result of a data corruption or deletion. If that folder is stored in the contents of a full server backup, does accessing that folder's data trigger an avalanche of pending CCPA requests? While the intent of this provision may have been only the requirement to process CCPA requests when specific data sets on archive or backup servers are accessed and subject to CCPA requests, the proposed regs are unclear.
Deletion requests may be processed in multiple ways: 1) deletion of the record (obviously); 2) de-identification of the personal information (that is, all identifying information is fully or partially deleted such that it can no longer be attributed to an identifiable person; for instance, a consumer's name, address, and unique identifiers are deleted, leaving only general demographic information); or 3) aggregation (the consumer's personal information is de-identified and grouped with the data of other consumers). When a deletion request is processed, the requestor must be notified that the business will retain a record of the request. Like knowledge requests, if the deletion request is denied, the requestor must be notified of the basis for the denial, yet personal information that would not be subject to an exception to the deletion request must still be deleted. If a deletion request is denied because the requestor's identity couldn’t be verified, the business is directed to instead treat the request as an opt-out request relating to the sale of personal information.
One of the much-debated questions about the CCPA is whether a party qualifies as a "business," a "service provider," or a "third party." In this complicated world of data collection and data sharing, lines between these definitions are frequently blurred and may vary from case to case (query this: are sub-processors providing services to processors without a direct relationship with a business service providers or third parties?). While businesses are much freer in sharing personal information with their service providers, there are substantial constraints on such providers' use of the data entrusted to them.
The AG’s regulations add some context to this discussion, clarifying that a person or entity who provides services to a person or organization that isn’t a business, but whom would otherwise meet the definition of a "service provider" (e.g., a sub-processor), shall also be deemed a service provider. In addition, a person or entity that collects personal information for a business directly from a consumer and otherwise meets the definition of a "service provider" shall also be deemed a service provider. Both these and other service providers are instructed to forward all CCPA requests to the businesses that it services and provide requestors with contact information for the business and notice explaining why the service provider is denying CCPA requests.
In addition, the proposed regulations address the requirement of service providers to "silo" personal information, explicitly prohibiting service providers from using personal information collected on behalf of one business to any other business that it services.
Web Browser Opt-Outs
While the CCPA is relatively clear how businesses should provide notice and the opportunity for consumers to opt-out of the sale of their personal information, the regs add an additional twist: user-enabled privacy controls. Specifically, if a business collects personal information from consumers online, "the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism that communicate or signal the consumer's choice to opt-out of the sale of their personal information, as a valid request . . ." In this regard, the regulation clearly poses more questions than it answers.
While there’s been some original discussion whether this implicated the "do not track" web browser setting whose standardization was terminated in January 2019 by the W3C Tracking Protection Working Group, it's not clear whether this technology would apply. The proposed regulation is limited to privacy controls that signal or communicate a consumer's choice to opt-out of the sale of information. Accordingly, the DNT flag would not apply to the extent it relates to the collection of tracking data, not its subsequent sale (though an argument could be made that its prohibition is implied from the prohibition on its collection). However, nothing prevents the development of a browser extension allowing users to toggle their opt-out decisions, which begs the question: how many of such web browser extensions are websites expected to support? Absent standardization, it's unclear how businesses can effectively respond to the various potential plug-ins and browser settings that may be made available to users.
For the time being, enforcement of the CCPA's privacy provisions is left solely in the hands of the California Attorney General. And if the AG’s office sends a request for compliance information, it's critical that businesses maintain sufficient records to demonstrate both compliance and due diligence.
To that end, businesses are required to maintain records of CCPA consumer requests and responses for at least 24 months. In addition, a business that "alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes" the personal information of four million or more consumers must compile metrics on the number of CCPA knowledge, deletion, and opt-out requests received in the previous calendar year. Further, such businesses must collect data on the median number of days within which they substantively responded to CCPA requests and disclose all of this information in their website privacy policies.
Getting the Last Word
It’s important to understand that the proposed regulations are not yet final. In fact, four public hearings will take place in Sacramento, Los Angeles, San Francisco, and Fresno on December 2, 3, 4, and 5, accordingly. Likewise, written public comments may be submitted to the office of the AG through December 6, 2019. Of course, we’ll continue to follow the regulatory process and provide any significant updates.
Be aware that the select provisions addressed here are only highlights of the new regs. Because each business's data collection and processing practices are unique, and given the complexities of the CCPA, companies are strongly encouraged to contact Michelman & Robinson, LLP for guidance. Scott Lyon, the firm’s privacy guru, can be reached at firstname.lastname@example.org or (714) 557-7990.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.