Analyzing the California Attorney General's Proposed CCPA Regulations
On Oct. 10, the California Attorney General's office published its long-awaited proposed California Consumer Privacy Act (CCPA) regulations.
October 21, 2019 at 12:24 PM
10 minute read
On Oct. 10, the California Attorney General's office published its long-awaited proposed California Consumer Privacy Act (CCPA) regulations. The proposed regulations were published shortly after the California legislature finished its amendments to the CCPA on Sept. 13 and, in fact, were published before the California governor even signed those amendments. The Attorney General's office will host a series of public hearings on the proposed regulations and will allow written comments to be submitted until Dec. 6.
The regulations are divided into seven articles. We provide an overview of six of those articles in the following analysis. The seventh article is merely a severability clause, which requires no further analysis.
In general, although the proposed regulations provide some much-needed clarity, they will leave businesses wanting more.
|Article 1. General Provisions
Article 1 is divided into two categories: title/scope and definitions. Of note, the scope provision clarifies that a violation of the regulations also constitutes a violation of the CCPA and is subject to the same remedies. In other words, violations of the regulations can expose businesses to a fine of $2,500 for each violation or $7,500 for each intentional violation.
The definitions section sets forth 21 new definitions. Some of those definitions are for terms used (but not defined) in the CCPA while other definitions are for terms used in the regulations. Of note, the regulations provide a definition for "household." That term has caused many businesses headaches during their compliance efforts. The regulations chose a rather straight-forward definition, namely, "a person or group of people occupying a single dwelling."
Businesses also will be interested to learn that the proposed regulations do not modify of clarify the CCPA's definition of "business" and do not provide any guidance on what it means to be "doing business" in California.
|Article 2. Notices to Consumers
Article 2 provides welcome guidance on the types and contents of the various notices that must be provided to consumers pursuant to the CCPA. Specifically, the regulations provide guidance on the notices that must be provided at the point of collection, to inform consumers of their right to opt-out of the sale of their personal information, to notify consumers of financial incentives, and to inform consumers of a business' online and offline privacy practices.
Although there are differences in the information that must be provided for the individual notices, each notice is required to use plain, straightforward language, use a format that is readable, be available in the languages that the business ordinarily uses and be accessible to consumers with disabilities.
The regulations also provide specific guidance on the types of disclosures that must be provided with each notice. For example, the regulations identify four categories of information that must be provided to consumers in the notice at point of collection, including a list of categories of personal information about the consumer that are to be collected and, for each category, the business or commercial purpose(s) for which the personal information will be used.
Of particular note, the regulations note that if a business fails to provide the notice at the time of collection, it appears to be considered a de facto violation of the CCPA to collect and use any personal information of a California consumer. Moreover, if a business fails to provide the notice and mechanism regarding the opt-out of the sale of personal information, the regulations state that the business shall consider all consumers as having opted out of the sale of personal information. In other words, if a business fails to provide the opt-out of sale notice and mechanism, any sale of personal information appears be a considered de facto violation of the CCPA.
The types of information that must be provided in the notices largely tracks the CCPA's requirements. However, businesses will want to work with legal counsel to understand the exact contours of what must be disclosed. Businesses also will need to keep in mind that the CCPA's notice requirements are only one piece of the puzzle. As may be applicable, consideration must be given to notice requirements in other California laws (e.g., the California Online Privacy Protection Act), Nevada and Delaware's online privacy notice statutes, and the European Union's General Data Protection Regulation (GDPR).
|Article 3. Business Practices for Handling Consumer Requests
As its name suggests, this article sets forth regulations for the handling of the CCPA's various verifiable consumer requests. Specifically, the article contains requirements for receiving, processing and responding to requests to know, requests to delete, requests to opt-out of the sale of personal information to third parties, requests to opt-in after opting-out, and requests to access or delete household information.
With respect to receiving those requests, the regulations identify the methods that the AG's office considers acceptable for each type of request. For example, businesses must provide two or more designated methods for receiving requests to know, which must include a toll-free telephone number and, if a business operates a website, an interactive web form. In comparison, no specific method is required for submitting requests to delete. Rather, the regulations provide that businesses must provide at least two methods, which may include a toll-free telephone number, a link or form available online, a designed email address, or a form submitted online or in person.
The time frames for responding to requests to know or delete are the same. Businesses must confirm receipt of the request within 10 days and provide information on how the business will process the request, including explaining the business' identity verification process. Businesses must then respond to the request within 45 days. They may take an additional 45 days to respond if they provide the consumer with notice and an explanation of the reason the business needs more time to respond.
Importantly, the regulations create new requirements for responding to requests to know specific pieces of information that are intended to protect against identity theft. First, the regulations provide that a business "shall not" respond to such a request if the disclosure "creates a substantial, articulable and unreasonable risk to the security of that personal information." Second, the regulations specifically forbid businesses from turning over certain types of sensitive personal information such as Social Security numbers, driver's license numbers and financial account numbers.
The regulations provide three options for complying with requests to delete: permanently and completely erasing the personal information on existing systems with the exception of archived or back-up systems, de-identifying the information or aggregating the information.
With respect to requests to opt-out, businesses are required to respond within 15 days from receipt of the request. Businesses also must notify all third parties to whom they have sold the consumer's personal information for the prior 90-day period and instruct them not to further sell the information.
In addition, Article 3 contains provisions on service providers and training and record-keeping requirements. Of particular note, the regulations create a new reporting requirement for businesses that alone, or in combination, annually buy, receive for the business' commercial purpose, sell, or share for commercial purposes the personal information of 4 million or more consumers. Among other things, those businesses will need to make disclosures in their online privacy policies regarding the number of requests that they have received, by type, and the median number of days it took to respond.
|Article 4. Verification of Requests
Article 4 creates a "totality of the circumstances" analysis for verifying the identity of a consumer making the request. Specifically, the regulations provide that businesses must establish, document, and comply with a reasonable method for verifying identities and then identify a host of factors that businesses must consider. Those factors include analyzing whether the personal information is sensitive or valuable, the risk of harm to the consumer posed by unauthorized access or deletion, the feasibility of using a third-party identity verification service, and the risk of fraudulent activity.
The regulations also set forth specific requirements for instances in which the business maintains a password-protected account with the consumer. In that situation, the business still needs to comply with the totality of the circumstances analysis described above, but also may verify the consumer's identity through the business' existing authentication practices, subject to the business requiring the consumer to re-authenticate before disclosing or deleting the consumer's data.
If a consumer does not have or cannot access a password-protected account, the business must comply with the totality of the circumstances analysis and also take certain steps to confirm the consumer's identity against known data points. For example, to verify the identity of a consumer making a request to know categories of personal information, the business must verify the identity to a "reasonable degree of certainty." That may include matching at least two data points provided by the consumer with data points maintained by the business.
In comparison, to confirm the identity of an individual making a request to know the specific pieces of personal information, the business must verify the identity to a "reasonably high degree of certainty." That may include matching at least three data elements together with collecting a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
|Article 5. Special Rules Regarding Minors
This article establishes rules and procedures surrounding the use of personal information of children 16 years and younger. Businesses that have actual knowledge of collecting or maintaining personal information of children under 13 are required to establish a reasonable method for determining that the person affirmatively authorizing the sale of the personal information of the child is a parent or guardian of that child. For children 13 to 16 years of age, the business is required to establish a reasonable process for allowing minors to opt-in to the sale of their personal information.
|Article 6. Nondiscrimination
This article provides some limited guidance on the CCPA's nondiscrimination provision. For example, it provides two examples of how different practices would be treated by the provision. It also provides an eight-factor method for how a business can calculate the value of a consumer's data.
|Conclusion
While the above analysis provides an overview of the AG's proposed regulations, there is no doubt that businesses will be pondering these provisions for many weeks to come. Businesses also will need to keep in mind that these are only proposed regulations and, therefore, are susceptible to change. Nonetheless, they provide much-needed guidance on the CCPA's requirements, although still leaving many questions unanswered.
David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. Contact him at [email protected].
Robert J. Bowman is a Denver-based partner in the firm's technology, manufacturing and transportation industry group and a co-leader of the firm's internet of things team. Contact him at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
- 1Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 2Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
- 3'It Refreshes Me': King & Spalding Privacy Leader Doubles as Equestrian Champ
- 4Class Action Filed Against Houston Health Savings Account Firm for Allegedly Confiscating Client Funds
- 5These 2 Lawyers Just Became Florida Judges
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250