On Oct. 10, the California Attorney General's office published its long-awaited proposed California Consumer Privacy Act (CCPA) regulations. The proposed regulations were published shortly after the California legislature finished its amendments to the CCPA on Sept. 13 and, in fact, were published before the California governor even signed those amendments. The Attorney General's office will host a series of public hearings on the proposed regulations and will allow written comments to be submitted until Dec. 6.

The regulations are divided into seven articles. We provide an overview of six of those articles in the following analysis. The seventh article is merely a severability clause, which requires no further analysis.

In general, although the proposed regulations provide some much-needed clarity, they will leave businesses wanting more.

Article 1. General Provisions

Article 1 is divided into two categories: title/scope and definitions. Of note, the scope provision clarifies that a violation of the regulations also constitutes a violation of the CCPA and is subject to the same remedies. In other words, violations of the regulations can expose businesses to a fine of $2,500 for each violation or $7,500 for each intentional violation.

The definitions section sets forth 21 new definitions. Some of those definitions are for terms used (but not defined) in the CCPA while other definitions are for terms used in the regulations. Of note, the regulations provide a definition for "household." That term has caused many businesses headaches during their compliance efforts. The regulations chose a rather straight-forward definition, namely, "a person or group of people occupying a single dwelling."

Businesses also will be interested to learn that the proposed regulations do not modify of clarify the CCPA's definition of "business" and do not provide any guidance on what it means to be "doing business" in California.

Article 2. Notices to Consumers

Article 2 provides welcome guidance on the types and contents of the various notices that must be provided to consumers pursuant to the CCPA. Specifically, the regulations provide guidance on the notices that must be provided at the point of collection, to inform consumers of their right to opt-out of the sale of their personal information, to notify consumers of financial incentives, and to inform consumers of a business' online and offline privacy practices.

Although there are differences in the information that must be provided for the individual notices, each notice is required to use plain, straightforward language, use a format that is readable, be available in the languages that the business ordinarily uses and be accessible to consumers with disabilities.

The regulations also provide specific guidance on the types of disclosures that must be provided with each notice. For example, the regulations identify four categories of information that must be provided to consumers in the notice at point of collection, including a list of categories of personal information about the consumer that are to be collected and, for each category, the business or commercial purpose(s) for which the personal information will be used.

Of particular note, the regulations note that if a business fails to provide the notice at the time of collection, it appears to be considered a de facto violation of the CCPA to collect and use any personal information of a California consumer. Moreover, if a business fails to provide the notice and mechanism regarding the opt-out of the sale of personal information, the regulations state that the business shall consider all consumers as having opted out of the sale of personal information. In other words, if a business fails to provide the opt-out of sale notice and mechanism, any sale of personal information appears be a considered de facto violation of the CCPA.

The types of information that must be provided in the notices largely tracks the CCPA's requirements. However, businesses will want to work with legal counsel to understand the exact contours of what must be disclosed. Businesses also will need to keep in mind that the CCPA's notice requirements are only one piece of the puzzle. As may be applicable, consideration must be given to notice requirements in other California laws (e.g., the California Online Privacy Protection Act), Nevada and Delaware's online privacy notice statutes, and the European Union's General Data Protection Regulation (GDPR).

Article 3. Business Practices for Handling Consumer Requests

As its name suggests, this article sets forth regulations for the handling of the CCPA's various verifiable consumer requests. Specifically, the article contains requirements for receiving, processing and responding to requests to know, requests to delete, requests to opt-out of the sale of personal information to third parties, requests to opt-in after opting-out, and requests to access or delete household information.

With respect to receiving those requests, the regulations identify the methods that the AG's office considers acceptable for each type of request. For example, businesses must provide two or more designated methods for receiving requests to know, which must include a toll-free telephone number and, if a business operates a website, an interactive web form. In comparison, no specific method is required for submitting requests to delete. Rather, the regulations provide that businesses must provide at least two methods, which may include a toll-free telephone number, a link or form available online, a designed email address, or a form submitted online or in person.

The time frames for responding to requests to know or delete are the same. Businesses must confirm receipt of the request within 10 days and provide information on how the business will process the request, including explaining the business' identity verification process. Businesses must then respond to the request within 45 days. They may take an additional 45 days to respond if they provide the consumer with notice and an explanation of the reason the business needs more time to respond.

Importantly, the regulations create new requirements for responding to requests to know specific pieces of information that are intended to protect against identity theft. First, the regulations provide that a business "shall not" respond to such a request if the disclosure "creates a substantial, articulable and unreasonable risk to the security of that personal information." Second, the regulations specifically forbid businesses from turning over certain types of sensitive personal information such as Social Security numbers, driver's license numbers and financial account numbers.

The regulations provide three options for complying with requests to delete: permanently and completely erasing the personal information on existing systems with the exception of archived or back-up systems, de-identifying the information or aggregating the information.

With respect to requests to opt-out, businesses are required to respond within 15 days from receipt of the request. Businesses also must notify all third parties to whom they have sold the consumer's personal information for the prior 90-day period and instruct them not to further sell the information.

In addition, Article 3 contains provisions on service providers and training and record-keeping requirements. Of particular note, the regulations create a new reporting requirement for businesses that alone, or in combination, annually buy, receive for the business' commercial purpose, sell, or share for commercial purposes the personal information of 4 million or more consumers. Among other things, those businesses will need to make disclosures in their online privacy policies regarding the number of requests that they have received, by type, and the median number of days it took to respond.

Article 4. Verification of Requests

Article 4 creates a "totality of the circumstances" analysis for verifying the identity of a consumer making the request. Specifically, the regulations provide that businesses must establish, document, and comply with a reasonable method for verifying identities and then identify a host of factors that businesses must consider. Those factors include analyzing whether the personal information is sensitive or valuable, the risk of harm to the consumer posed by unauthorized access or deletion, the feasibility of using a third-party identity verification service, and the risk of fraudulent activity.

The regulations also set forth specific requirements for instances in which the business maintains a password-protected account with the consumer. In that situation, the business still needs to comply with the totality of the circumstances analysis described above, but also may verify the consumer's identity through the business' existing authentication practices, subject to the business requiring the consumer to re-authenticate before disclosing or deleting the consumer's data.

If a consumer does not have or cannot access a password-protected account, the business must comply with the totality of the circumstances analysis and also take certain steps to confirm the consumer's identity against known data points. For example, to verify the identity of a consumer making a request to know categories of personal information, the business must verify the identity to a "reasonable degree of certainty." That may include matching at least two data points provided by the consumer with data points maintained by the business.

In comparison, to confirm the identity of an individual making a request to know the specific pieces of personal information, the business must verify the identity to a "reasonably high degree of certainty." That may include matching at least three data elements together with collecting a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

Article 5. Special Rules Regarding Minors

This article establishes rules and procedures surrounding the use of personal information of children 16 years and younger. Businesses that have actual knowledge of collecting or maintaining personal information of children under 13 are required to establish a reasonable method for determining that the person affirmatively authorizing the sale of the personal information of the child is a parent or guardian of that child. For children 13 to 16 years of age, the business is required to establish a reasonable process for allowing minors to opt-in to the sale of their personal information.

Article 6. Nondiscrimination

This article provides some limited guidance on the CCPA's nondiscrimination provision. For example, it provides two examples of how different practices would be treated by the provision. It also provides an eight-factor method for how a business can calculate the value of a consumer's data.

Conclusion

While the above analysis provides an overview of the AG's proposed regulations, there is no doubt that businesses will be pondering these provisions for many weeks to come. Businesses also will need to keep in mind that these are only proposed regulations and, therefore, are susceptible to change. Nonetheless, they provide much-needed guidance on the CCPA's requirements, although still leaving many questions unanswered.

David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. Contact him at [email protected].

Robert J. Bowman is a Denver-based partner in the firm's technology, manufacturing and transportation industry group and a co-leader of the firm's internet of things team. Contact him at [email protected].