On October 10, 2019, the California Attorney General (“AG”) issued the long-awaited proposed regulations under the California Consumer Protection Act (“CCPA”). Written comments may be submitted to the AG now until December 6, 2019, and the AG will hold four public hearings at the beginning of December to consider public comments. We expect the final regulations will be published in Spring of 2020 with the CCPA being enforceable July 1, 2020.
Our hope was that the regulations would clarify many of the somewhat nebulous provisions of the CCPA. Now, arguably, the regulations not only clarify some terms of the CCPA, they also add several obligations to companies that are subject to the CCPA. It is clearer than ever, given the regulations, that a great deal of effort will be required to draft appropriate privacy notices, implement seamless opt-out and opt-in mechanisms, and maintain records that demonstrate compliance with CCPA.
Most notably, the regulations indicate the following salient points:
Privacy Notice Requirements:
- Privacy Notices must be accessible to those with disabilities – or at the very least provide information on how a consumer with a disability may access the notice in an alternative format. The W3C web accessibility guidelines have typically been the default standard on web accessibility. Now, companies will need to consider ensuring that their privacy notice can be read, heard or viewed, as applicable, through different methods.
- Privacy Notices must include disclosures of the categories of personal information collected as well as the following in relation to each category of personal information: categories of sources of personal information and categories of third parties to whom personal information is disclosed.
- If a company offers their website, sales or other communications in languages other than English, the Privacy Notice must also be offered in that language.
- Brick and mortar companies must offer copies of their Privacy Notice at their place of business or have a prominent sign that offers a website for consumers to find the Privacy Notice. This particular “clarification” dispels the somewhat unspoken myth that brick and mortar companies, such as retailers or hospitality groups, are less impacted by privacy laws. It is now clear that they must comply with privacy rules to the same level as technology companies.
- If a business does not “sell” personal information within the meaning of the CCPA, the business must indicate this in their Privacy Notice.
- Businesses generally are prohibited from discriminating against consumers that have exercised a right under the CCPA. However, businesses may offer a different level of service or a benefit if the value of the personal information is reasonably tied to the higher service level or benefit. If a business offers a different level of service or a benefit – a “financial incentive” – to consumers who have not requested the deletion of their data or have not opted out (or opted in for children) of the sale of their information, the business must also publish a Notice of Financial Incentive. Such notice may be included in the Privacy Notice. Consumers must have the choice to opt in to receive the financial incentive and may revoke their choice at any time. If the business takes this approach, the business must also have conducted an internal analysis based on at least one of the methods designated in the CCPA regulations as to how the value was calculated.
Administration of Consumer Rights:
- To verify consumers’ identity when they request access to their data or request to have their data deleted, the business should try not to collect more information than the business already has.
- Opt-in consent for children’s personal information to be sold will be handled as follows: (i) for children between the ages of 13 and 16, double opt-in will be required for parents to opt in to allow their children’s personal information to be sold, with a preliminary opt-in and a follow-up confirmation, and (ii) for children under age 13, consent must be received in one of the same methods as permitted by the Children’s Online Privacy Protection Act.
- Requests to opt out of the sale of personal information can be implemented through a user’s browser or privacy settings, or through a browser plug-in. This means a browser’s Do Not Track setting may need to be read as an opt-out.
- If a business changes its practices as to how the business uses or discloses personal information, the business must notify the consumer and get opt-in consent to the changed use or disclosure. This clarification appears to provide a purpose limitation requirement, very much in line with the EU’s GDPR.
- Consumers can register with the Secretary of State to have an agent administer their consumer rights and make requests on their behalf. Businesses must include information as to how to designate an agent in their Privacy Notice.
- Requests to opt-out of the sale of personal information must be handled within 15 days. Requests to receive access to personal information or for deletion of personal information must be handled within 45 days (unless extended as allowable).
Particular Requirements for Certain Businesses:
- Businesses that collect or disclose personal information about more than 4 million consumers must include the following in their Privacy Notices: metrics for the past calendar year of the number of requests to know (access), delete and opt-out. Such information must be presented in a manner to distinguish between the number of requests received, number of requests complied with or denied and median number of days for the business to respond.
- One notable point for the advertising industry, which lobbied heavily to strip down CCPA, is that a service provider may combine personal information it receives from one or more entities to which it is a service provider, on behalf of such businesses, but only to the extent necessary to detect security incidents, or protect against fraudulent or illegal activity. This leaves a wide open question with respect to advertising intermediaries, and the combination of personal information in connection with targeted advertising and real-time bidding.
We will be closely monitoring this process for finalizing the CCPA regulations and attending the hearings for public comment.