On October 10, California Attorney General Xavier Becerra (CA AG) released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons that provide drafting insights and outline considerations that likely will continue to guide the rulemaking process. The CA AG is accepting written comments from the public until 5:00pm (PST) on December 6, 2019.
The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized below:
1. Privacy Notice Requirements
Businesses that do not directly collect PI from consumers are exempted from the pre-collection notice obligation but are required, before engaging in a sale, to take certain steps such as providing a pre-sale notice to consumers or contacting the source of the information to confirm they provided notice at collection and to obtaining from the source a signed attestation about their notice.
2. Handling Consumer Requests
The proposed regulations would create training and record-keeping requirements and clarify acceptable methods for receiving and responding to consumer requests. Key provisions are listed below:
- Acceptable methods for receiving consumer requests
- Business’ means of interacting with consumers determine acceptable request methods.
- Businesses may need to comply with deficient consumer requests, or requests submitted through non-designated methods.
- Businesses must treat user-enabled privacy controls (e.g., browser plugins) as a valid method for submitting opt-out requests.
- Requirements for responding to consumer requests
- Businesses are prohibited from disclosing certain sensitive PI in response to a request under any circumstances (e.g., SSN, driver’s license number, health insurance or medical identification number).
- Sale opt-out requests have a 15 day deadline.
- Businesses must forward sale opt-out requests to all third parties to whom the business has sold the consumer’s PI in the past 90 days (and notify the consumer when this process is complete).
- Businesses may limit responses for access requests to household data.
- Deleting PI pursuant to consumer requests
- Businesses can “delete” PI via (1) outright deletion, (2) deidentificaiton, or (3) aggregation.
- Record keeping requirements
- Large businesses (annually processing PI of 4 million or more consumers) must compile and publish metrics on their receipt of and response to consumer requests.
3. Verification of Consumer Requests
The proposed regulations require businesses to adopt different standards for verifying consumer requests (“reasonable” vs. “reasonably high” degree of certainty) depending on the type of request received, the type of PI involved, and the business relationship with the consumer. “Reasonable” verification may involve matching two pieces of PI from the requestor to the business’s records, while “reasonably high” verification may involve matching three pieces of PI and obtaining a signed declaration from consumer. In addition, the proposed regulations require businesses to implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access and deletion of PI.
4. Rules Regarding Minors
The proposed regulations clarify that the CCPA’s requirement that businesses obtain consent from parents/guardians before selling the PI of children under 13 is separate from the consent required under the Children’s Online Privacy Protection Act (COPPA) and provides examples of reasonable methods for determining that the individual consenting to such sales is the child’s parent/guardian.
The proposed regulations allow businesses to treat consumers differently (including by denying certain CCPA rights) if the differential treatment is reasonably related to the value of the consumer’s data. They also provide businesses with examples of reasonable methods for calculating the value of consumer data (for financial incentive and differential treatment reasons).
Public Comment Hearings on the Proposed Regulations
The CA AG will also host four public forums in various California cities to solicit live feedback. The public forums are scheduled as follows:
Monday, Dec. 2, 2019, 10 a.m.
CalEPA Building, Coastal Room 2nd Floor, 1001 I St., Sacramento, CA 95814
Tuesday, Dec. 3, 2019, 10 a.m.
Ronald Reagan Building, Auditorium 1st Floor, 300 S. Spring St., Los Angeles, CA 90013
Wednesday, Dec. 4, 2019, 10 a.m.
Milton Marks Conference Center, Lower Level, 455 Golden Gate Ave., San Francisco, CA 94102
Thursday, Dec. 5, 2019, 10 a.m.
Hugh Burns Building, Assembly Room #1036, 2550 Mariposa Mall, Fresno, CA 93721