California Attorney General Releases Proposed CCPA Regulations
On October 10, 2019, the California Attorney General Xavier Becerra released proposed regulations governing compliance with the California Consumer Privacy Act (the “CCPA”). The proposed regulations offer guidance regarding compliance obligations with respect to five main areas: notices to consumers; business practices for handling consumer requests; verification of requests; and special rules regarding minors and non-discrimination. The proposed regulations are open to a public notice and comment period until December 6, 2019, prior to possible modification and ultimate adoption of finalized rules. The proposed regulations are available here.
Summary of Proposed Regulations
The proposed regulations address the following five areas:
Of particular help to businesses that do not collect information directly from consumers (for example, by purchasing lists of personal information) is guidance that a business that does not collect information directly from consumers is not required to provide notice to the consumer at collection. Obligations would only attach if that business were itself to sell the personal information, in which case the business would be required to provide notice to the consumer first or confirm with the source of the information that such notice had been provided at the point of collection.
Of particular interest, the CCPA calls for the Attorney General to establish rules for the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information. The proposed regulations, however, do not include this material element, noting that it is to be added in a modified version of the regulations and made available for public comment.
Business Practices for Handling Consumer Requests: A large portion of the proposed regulations is devoted to business practices for handling consumer requests, including requests to “know” (i.e., a request that a business disclose personal information that it has about the consumer), requests to delete and requests to opt out of the sale of personal information. The proposed regulations require a business to provide two or more designated methods for submitting requests to know.
It should be noted that at the time the proposed regulations were released (and as of this writing), an amendment (AB 1564) that would allow a business that operates exclusively online to provide only an email address for submitting requests for information was sitting on Governor Newsom’s desk for consideration. Unless the Governor vetoes the bill - which we do not expect to happen - the amendment will become law and the proposed regulations will need to be revised to address this point.
The regulations also clarify timing of response to requests, factors to consider when fulfilling requests and how businesses should respond to requests. For requests to know and requests to delete, 45 days is granted from the day the business receives the request, with a possible extension of up to an additional 45 days. The regulations suggest that a consumer can make requests to know and requests to delete directly to a service provider, who could comply with the request or deny it and inform the consumer to submit the request to the business directly.
Of note is the new requirement that businesses must maintain records of consumer requests made pursuant to the CCPA and how the business responded to such requests for at least 24 months. Aside from this recordkeeping purpose, a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA. This may be another provision in tension with pending amendments, as AB 1355, which is also currently with the Governor, states that the CCPA shall not be construed to require a business to retain personal information for longer than it would otherwise retain such information in the ordinary course of its business. In addition, the regulations state that businesses that collect, buy or sell the personal information of more than four million consumers have additional recordkeeping and training obligations.
Verification of Requests: The regulations require businesses to establish, document and comply with a reasonable method for verifying the identity of persons making a request to know or a request to delete. There was some speculation prior to the release of the draft regulations that the guidance would dictate methods for verification. The proposed regulations, however, allow flexibility, requiring a business to consider a number of factors when determining the method by which the business will verify the consumer’s identity. Factors to consider include sensitivity of the personal information at issue and the risk of harm to the consumer posed by any unauthorized access or deletion.
Separate guidance is provided for verification for password-protected accounts and non-accountholders. Businesses may utilize their existing authentication practices with respect to consumers that have password-protected accounts, so long as they implement reasonable security measures to detect fraud. For non-accountholders, verification standards follow a sliding scale depending on the request – requests for disclosure of categories of information must be verified to a reasonable degree of certainty, while requests for specific pieces of personal information must be verified to a reasonably high degree of certainty. The verification for categories of information may be demonstrated by matching at least two data points provided by the consumer, while the verification of specific pieces of personal information requires at least three data points and a signed declaration under penalty of perjury.
The proposed regulations also state that, when a consumer uses an authorized agent to submit a request to know or a request to delete, the business may require (other than in some limited circumstances) that the consumer verify his or her own identity directly with the business. If businesses choose to exercise this requirement, this rule may eliminate some of the efficiencies for consumers of using an authorized agent under the CCPA, but it will provide more security for the information at issue.
Special Rules Regarding Minors: The proposed regulations set forth the rules and procedures that businesses must follow to obtain the opt-in authorization for the sale of personal information of minors under 16 years of age, including verification methods with respect to persons authorizing the sale of personal information of a child under 13 years of age.
Non-Discrimination: Responding to the CCPA’s requirement to establish rules regarding financial incentive offerings, the Attorney General defined “financial incentive” to mean a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion or sale of personal information. The regulations also incorporate a related concept of “price or service difference,” which means any difference in the price or rate charged for any goods or services or any differences in the level or quality of any goods or services. Businesses must explain each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information in its notice of financial incentive, but no business may engage in discriminatory practices with respect to financial incentives or price or service difference. Although the proposed rules provide some examples of what does and does not constitute a discriminatory practice under the CCPA, we expect that many businesses will face uncertainties in applying these rules. The regulations also give guidance on how to calculate the value of consumer data in connection with financial service offerings. The proposed methods are worthy of attention – while their theoretical economic rationale may be defensible, it remains to be seen how meaningful their application will be in practice. Overall, the non-discrimination provisions remain vague, and they will likely result in companies fearing an over-broad interpretation during an enforcement action.
Next Steps in the Regulatory Process
The proposed regulations were informed by seven statewide public fora and over 300 written comments submitted during the preliminary rulemaking stage. The proposed regulations are open to further public comment, and the Attorney General will hold four public hearings from December 2 to December 5, 2019. Interested parties may also submit written comments before December 6.
The Attorney General has pledged to consider all comments and may revise the regulations in response. Any revision to the proposed regulations will be subject to an additional 15-day public comment period, following which the Attorney General will submit the final text of the regulations. The Office of Administrative Law then has 30 working days to review the regulations, and, if approved, the rules will become effective.
The Attorney General cannot commence enforcement of the CCPA until the earlier of July 1, 2020 and six months after the final regulations are published. Given the present timeline, July 1, 2020 will mark the beginning of the AG’s enforcement powers. The core provisions of the CCPA become operational on January 1, 2020, however, and companies should account for the prospect that the Attorney General may look to bring enforcement actions after July 1, 2020 based on conduct that occurs between January 1, 2020 and July 1, 2020. Accordingly, companies should seek to achieve compliance by January 1, 2020.
Businesses grappling with the imprecisions of the CCPA have long awaited clarifying regulations from the Attorney General to inform their compliance efforts. The proposed rules released on October 10 go some way to address details with respect to five key aspects of the law. The disclosures accompanying the proposed regulations also indicate that the Attorney General has budgeted funds into 2021 to hire 23 additional full-time staff and expert consultants to enforce and defend the CCPA.
Areas of vagueness and uncertainty remain. While the five CCPA amendments before the Governor are expected to become law within days, the draft regulations may well change following the public notice period. A new California ballot initiative may substantially alter the CCPA’s requirements in 2020. Ropes & Gray’s recent Alerts describing the amendments and the ballot initiative are available here and here.
Despite this uncertainty, in-scope businesses should use the available time to work towards compliance with the CCPA, informed by the draft regulations to the extent feasible. Given the gaps and open questions about the final form of the CCPA and related regulations, companies seeking to implement compliance programs may wish to look to established international best practices until the final scope and requirements of the CCPA become settled.