On Oct. 10, the California Office of the Attorney General issued a draft of their long-awaited regulations pursuant to the California Consumer Privacy Act. The draft rules do more than simply fill in gaps in the CCPA regarding how businesses should implement CCPA rights; they also contain substantial additional requirements not found in the statute.

There are significant “new” aspects of the draft rules, which will be open for public comment until Dec. 6, 2019. The attorney general's office indicated that it will update the rules to reflect 2019 CCPA amendments that are signed by Gov. Gavin Newsom, D-Calif. Final rules are not expected until spring of 2020, and the attorney general’s office will able to enforce the rules starting July 1, 2020.

Additional notice and privacy policy elements

The CCPA sets forth requirements both for the notice that must be provided at or before the point of collection of personal information (the “initial notice”), as well as in the business’ privacy policy. The draft rules would add requirements that go materially beyond what the statute requires. As many businesses are well along on drafting their CCPA notices and privacy policies, the draft rules would require these businesses to re-draft their notices and privacy policies.

Initial notice

The CCPA requires that the initial notice disclose the categories of personal information collected and the purposes for which the categories of personal information shall be used. The draft rules, by contrast, would require a list of the categories of personal information be provided and, for each category, the business or commercial purposes (as well as a link to the business’s "Do Not Sell My Info" page and privacy policy).

Further, the draft rules would require that — prior to using any category of personal information for an additional business or commercial purpose — a business provide notice and obtain explicit consent from consumers.

The draft rules do clarify that businesses that do not collect personal information directly from consumers are not required to provide the initial notice to consumers but would require that, prior to selling such personal information, these businesses directly contact consumers to notify them of their right to opt out or obtain specific assurances from the source of the personal information as to how initial notice and opt-out was provided to such consumers.

In addition to increasing requirements for initial notices, the draft rules impose materially new requirements on the contents of a business’s privacy policy, including that:

For each category of personal information collected provide (a) the categories of sources from which that information was collected; (b) the business or commercial purpose(s) for which the information was collected; and (c) the categories of third parties with whom the business shares personal information.

An explanation of how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf. Importantly, this requirement appears to go beyond simply stating that a consumer can use a third party agent to opt out of the sale of PI — it implies that a business must provide a method for facilitating a third-party opt-out, as well.

For businesses that collect or share personal information about more than 4 million California consumers, include the reporting metrics for the previous calendar year on the number of requests to know, delete and opt-out that the business has received, complied with in whole or in part and denied, and the median number of days within which the business substantively responded to requests to know, requests to delete and requests to opt out.

State whether the business sold PI to third parties for a business or commercial purpose in the preceding 12 months.

State whether the business sells the PI of minors under 16 years old without affirmative authorization.

The draft rules further provide that the initial notice and privacy policy must meet minimum requirements for form, including (a) avoiding the use of “technical or legal jargon”; (b) using a format that “draws the consumer’s attention to the notice” and “makes the notice readable, including on smaller screens”; (c) be provided in multiple languages if the business does so for other notices; (d) be accessible for disabled consumers; and (e) to make the notice available to consumers prior to collection of personal information.

While intended to create uniformity among policies, the regulations would lengthen the policies and arguably may make them harder to follow.

Responding to right to know and right to delete requests

These sections of the draft rules do go beyond the text of the CCPA, setting forth in detail both how businesses should facilitate these requests and how they must respond.

Right to know

This section requires that, when responding to a verifiable request, a business list the categories of PI the business has collected in the preceding 12 months (and be written “in a manner that provides consumers a meaningful understanding” of the PI a business collects, with regard to the specific consumer). The CCPA currently requires that the response also include the categories of sources of personal information, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information. The draft rules would extend the requirement so that this information must be provided specifically for each category of personal information collected.

Right to deletion

This section requires that deletion requests can be completed by permanently erasing PI on a business’s systems (except for backup or archival systems), or by deidentifying or aggregating the consumer’s PI. Further, a business must specify in its response to the consumer the method by which it complied with the consumer request, and where a business denies a deletion request, it may state the basis for such denial. Further, if a consumer submits a request that is deficient in form, the business must either respond to the request as if it was correct in form or provide the consumer with additional direction. And where the business is unable to verify the individual, it must treat the request as an opt-out request instead of a deletion request.

Submitting requests

The draft rules do not yet accord with the recent amendment relieving businesses that conduct their activities solely online from maintaining a toll-free telephone number dedicated to rights requests.

In addition, the draft rules require that “at least one method offered shall reflect the manner in which the business primarily interacts with the consumer” and gives as an example a business that sells primarily through retail stores, stating that such business should make available a form in-store for consumers to submit requests.

Additional notable new requirements include:

Timeline to respond : The draft rules establish particular timelines with respect to each right. For the deletion and right to know requests, a business must acknowledge receipt within 10 days, providing additional information about how the business will process the request; a business must respond within the 45-day deadline set forth in the CCPA (with an additional 45-day extension if necessary), but the draft rules clarify that the timeline begins to run upon receipt of the request, “regardless of time required to verify the request.”

Inability to verify : The draft rules go far beyond the corners of the CCPA text here and impose new requirements on business, effectively nullifying a business’s ability to outright refuse to provide a consumer information when that consumer cannot be verified.

If a business cannot verify the identity of a consumer making a request for specific pieces of information, the business must treat the request as if it is seeking the disclosure of categories of PI about the consumer. For requests that seek the disclosure of categories of PI, the business must direct the consumer to its general privacy practices set forth in its privacy policy. For deletion requests, a business that cannot verify a consumer’s identity must treat the request as a request to opt out of sale.

Cybersecurity risk : If the business can identify a “substantial, articulable, and unreasonable risk” to the security of the consumer’s PI or account or the security of the business’s systems or networks, the business need not grant the consumer’s request for specific pieces of information. The regulations also provide that at no time shall a business provide sensitive data — a consumer’s Social Security number, government ID number, financial account number, health insurance or medical ID number, an account password, or security questions and answers.

Do not sell

The draft rules would impose some operationally significant obligations regarding how businesses must comply with opt-out requests.

Most significantly, the draft rules require businesses to treat “user-enabled privacy controls, such as a browser plugin or privacy setting,” as a valid opt-out request for a particular browser or device or for the consumer if known. This would be a major change from the requirements of the statute itself. It is unclear how this requirement could be operationalized quickly after the rules are finalized in the spring of 2020.

Moreover, there are several considerations that are unclear as a consequence of this provision, for instance, whether a change in these device or browser settings in fact indicates a choice to opt in; whether a business must wait for the 12-month period specified in the CCPA before asking a user if they want to change these controls; whether, if a business knows that a user is under 16, the business must provide the double opt-in process in order to change these settings; and whether the business would need to communicate this browser-based opt-out request to all third parties to whom the business has sold the personal information in the prior 90 days.

Significantly, the draft rules also would impose a 15-day response from the date of receipt of the request. They would further require notice to all third parties to whom the business has sold the personal information within 90 days before the request that they may not further sell that information and notice to the consumer when this notice has been completed.

In addition, the draft rules require a double opt-in process for consent to the sale of minor’s personal information, as well as for obtaining consent to sell from consumers who have previously opted out of the sale of their personal information.

The draft rules would allow presenting more qualified sale opt-out choices other than a complete opt-out, provided that this “global option” is “more prominently presented” than the other choices. They would also allow businesses to deny requests if they have a “good-faith, reasonable, documented belief” that the request is fraudulent and explains to the requester why it believes the request is fraudulent.

Minors and opt-in requirements

The draft rules impose an additional requirement over and above the U.S. Children's Online Privacy Protect Act to “establish, document, and comply with a reasonable” method to verify that the person authorizing data sale of a child under age 13 is the child’s parent or guardian.

For minors age 13 to 15, businesses would be required to obtain consent through a two-step process in which the consumer must clearly request to opt in and then confirm that choice. After receiving the authorization from a parent or guardian or from a minor age 13 to 15, businesses would be required to inform the parent of their right to opt out and the process for doing so.

Businesses that “exclusively” target offers directly to consumers under age 16 and do not sell the personal information of those minors without affirmative authorization would not need to provide notice of the opt-out right.

Verification of requests

Right to know requests

The CCPA provides guidance on factors that the attorney general should consider in his rulemaking and specifies that requests may be made through a password-protected account but otherwise leaves the attorney general broad discretion in setting out verification requirements.

These proposed requirements are not found in the statute and are worth summarizing. Commenters had noted risks of abuse of access requests by fraudsters and the proposed rules attempt to address this but also appear to impose additional affirmative security requirements.

Article 4 of the draft rules would specify that (1) verification should “wherever possible” match identifying information provided by the consumer with information maintained by the business or use a compliant third-party verification service; (2) businesses should avoid collecting personal information subject to breach notification, unless necessary; and (3) in determining how extensive verification should be, business should consider the sensitivity of the data, potential harm from unauthorized access or deletion, whether the identity verification is sufficiently robust in light of risk of fraudulent requests, how the business interacts with consumers and available technology.

The draft rules would also impose an affirmative obligation not found in the statute to maintain reasonable security measures to detect fraudulent identity verification activity.

Password-protected accounts

The draft rules would permit a business to authenticate account holders through established account verification methods that the business currently uses but specifies re-authentication is required prior to disclosing or deleting customer data. It also requires further verification in the event that a business “suspects fraudulent or malicious activity” through a password-protected account.

Verification for non-account holders

The CCPA also requires a method for submitting requests without opening an account. For these requests, the draft rules set out three categories of required authentication:

For requests for categories of personal information, businesses would need to verify identity “to a reasonable degree of certainty.” This would include at least matching two data points provided by the consumer with reliable data held by the business.

For requests to obtain actual data held, verification would need to be verified “to a reasonably high degree of certainty.” This would include matching at least three data points and obtaining a signed declaration under penalty of perjury.

For requests for deletion, the degree of verification would vary based upon the sensitivity of the personal data and the risk of harm posed by unauthorized deletion (for example, for deletion of family photographs or documents, as opposed to browsing history). Prior to deleting personal information, the business must provide a double opt-in process to confirm the deletion request.

If there is “no reasonable method” to verify the requester, businesses would be required to respond with a statement that this is the case. If this is true for all consumers, the business would need to state this in its privacy policy, review this determination annually and document it.

Further, the draft rules set forth rules on verifying requests regarding data that is not associated with a particular consumer’s name, stating that businesses may require a consumer verify that they are the sole consumer associated with such no-name data (e.g., browsing history, log files), which may require the business to conduct a “fact-based” verification process that takes into account the risk considerations set forth in the rules.

Authorized agent requests

The proposed rules allow businesses to require the consumer to provide written permission to the agent and verify their identity directly with the business, unless the consumer provides the agent with a power of attorney.

Record-keeping

Beyond the CCPA’s statutory requirements to train business personnel in compliance, the draft rules would impose new record-keeping requirements for all consumer requests under the CCPA, including how the business responded.

Records would need to be retained for at least 24 months and include request data, nature of request, manner of submission and basis for any denial. In addition, businesses that “alone or in combination” (a term that is unclear) receive or share records of 4 million or more California residents would be required to compile detailed metrics on value of different requests under the statute and median number of days to respond to each, as well as any signed declarations obtained from consumers as part of the consumer verification process.

This information would need to be posted in their privacy policies or linked to from their privacy policies — which would be a novel requirement in U.S. privacy law.

Household information access and deletion requests

The draft rules would address the privacy dilemma of household data access and deletion requests in two ways.

First, in the absence of a password-protected account, businesses could provide aggregate household information. Second, if there is a joint request of all household members to delete personal information, a business would be required to respond if it can individually verify that all affected household members made the request.

Service providers

The draft rules would provide some helpful clarifications around when entities may be deemed “service providers” and add some substantive requirements regarding service providers.

While the CCPA statute indicates that a service provider need not reply to consumer rights requests, the draft rules imply the opposite by stating service providers must provide the specific basis for denying requests from consumers regarding their personal information collected or maintained by the service provider on behalf of the business. The draft rules also would require that service providers direct consumers to submit their requests to the relevant business and to provide the consumer with the contact information for that business “when feasible.”

The draft rules clarify that a service provider may “combine personal information received from one or more entities … to detect data security incidents, or protect against fraudulent or illegal activity.”

They also helpfully clarify that an entity can be a service provider to the extent it collects personal information from consumers as directed by a business and where the service provider acts on behalf of another entity that is not a “business” under the CCPA, provided the entity otherwise meets the requirements for a service provider.

'Non-discrimination' and incentives

The draft rules would define discriminatory incentives very broadly as those that treat consumers differently because they exercised a right under the CCPA or its regulations. It would create exemptions for a price or service difference that “is reasonably related to the value of the consumer’s data” or for denials of consumer rights or charging reasonable fees for excessive requests that are permitted by the CCPA.

The draft rules would require businesses to provide notice of each financial incentive or price or service difference subject to the CCPA requirements that the business may offer (even if it is not, in fact, offered) subject to the same requirements for privacy notices.

Significantly, they would require explanations not mentioned in the statute, including an explanation of why the financial incentive or price differential is permitted and a good faith estimate of the value of the consumer’s data and the method used to calculate that value. It is unclear how as a practical matter it could be customized to individual consumers in a general notice required to be posted in a website or presented succinctly amid the list of all financial incentives that the proposal would require.

The draft rules would require businesses to use and document a reasonable method for calculating the value of consumer data sale, collection or deletion from one or more of a set list of valuation methods, including marginal value, average value, revenue or profit generated, expenses related to the data or the program, profit or “[a]ny other practical and reliable method used in good faith.”

Conclusion

Perhaps the most significant question raised by these draft new requirements is how businesses can comply with them by the time that the final rules will be enforced — July 1, 2020 — when the requirements will not be set until the rules are finalized in the spring 2020. Comments are due Dec. 6 at 5:00 p.m. PT, with public hearings scheduled Dec. 2 through 5 in four cities around the state.

The CCPA takes effect Jan. 1, 2020, and given the likely timing of the final regulations, that attorney general's office will not be able to enforce the CCPA until July 1, 2020. Notably, in an Oct. 10 news conference, Attorney General Xavier Becerra seemed to imply that his office may take enforcement action for noncompliance between Jan. 1 and July 1, 2020.

Photo by Giammarco Boscaro on Unsplash