Recent Amendments and Regulations Set the Stage for the Statute’s Scope and Enforcement
October has been an exciting time for anyone keeping an eye on developments involving the California Consumer Privacy Act (“CCPA”), scheduled to go into effect on January 1, 2020. On October 10, California Attorney General Xavier Becerra released a draft of the long-awaited CCPA regulations, and the very next day Governor Gavin Newsom signed seven CCPA amendments into law. Although the draft regulations are subject to upcoming public comment and further revisions, the proposed regulations and amendments provide a near-final view of what the CCPA will ultimately require of businesses when it goes into effect on January 1, 2020, and when it is enforced by the Attorney General’s office starting July 1, 2020. You can read our previous overview of the duties and obligations businesses have under the CCPA here.
CCPA Amendments
Governor Newsom signed seven amendments that clarify various provisions and requirements of the CCPA:
- AB 25 – Excludes personal information collected from employees, job applicants, owners, directors, officers, or contractors to the extent the information is used solely within the employment context. However, employees must still be provided certain notice regarding the collection of personal information, and the employment exception to the CCPA only lasts until January 1, 2021, at which time the legislature is expected to have enacted a more comprehensive law regarding employee privacy rights.
- AB 874 – Redefines “personal information” to mean information that is “reasonably capable of being associated with a particular consumer or household.” Excludes deidentified or aggregate consumer information from the definition of “personal information.” Clarifies exclusion of “publicly available information.”
- AB 1130 – Expands categories of personal information that trigger data breach notification obligations to include unique biometric data (fingerprint, retina, iris, facial recognition, etc.), tax identification numbers, passport numbers, military identification numbers, and unique identification numbers on government documents.
- AB 1146 – Exempts personal information necessary to fulfill the terms of a warranty or product recall, or personal information shared between a new car dealer and a vehicle manufacturer for repairs related to warranty or recall, from consumers’ rights to request deletion or opt-out of the sale of such information, as long as the information is not used for any other purpose.
- AB 1202 – Requires data brokers to register with and provide certain information to the Attorney General. Data brokers are businesses “that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
- AB 1355 – Makes various corrections to the statute. Prohibits discrimination against consumers for exercising rights under the statute except if the differential treatment is “reasonably related” to value provided to the business by the consumer’s data. Clarifies that a consumer’s right of private action for a data breach requires that the information accessed be nonencrypted and Exempts, for one year, personal information in connection with communications or transactions between a business and a consumer where the consumer is acting on behalf of a company or agency in the context of due diligence or providing or receiving a product or service (the “B2B” exemption).
- AB 1564 – Clarifies that businesses that operate exclusively online and have a direct relationship with customers from whom they collect personal information are required only to provide an email address for submission of consumer requests. All other businesses must have two methods for requests, one of which must be a toll-free phone number and, if the business maintains a website, the business is also required to make their internet website address available to consumers to submit requests.
Proposed CCPA Regulations
Attorney General Becerra released proposed draft regulations under the following categories:
- Notices to Consumers – The proposed regulations identify four different “notices” to be provided to consumers, including: (1) notice at collection; (2) notice of the right to opt-out of sale of personal information; (3) notice of financial incentive; and (4) the privacy policy. The proposed regulations detail the purpose of each notice and describe the general format and content for the notices, including that they must all be easy for consumers to access, read, and understand.
The notice at collection is more limited than the privacy policy but must take into account the way a business interacts with consumers, including that, if the business collects personal information offline, it may need to use printed forms to provide notice or use posted signage directing consumers to the notice.
A business need not provide a notice of the right to opt-out of the sale of personal information if it does not and will not sell personal information and so states in its privacy policy.
The notice of financial incentive must explain to consumers the reason for any incentive or price or service differential offered in exchange for the retention or sale of consumers’ personal information, including that the business must provide a good faith estimate of the value of the consumers’ data that forms the basis for the incentive or price or service differential.
- Consumer Requests – The proposed regulations provide guidance to businesses for handling the various types of consumer requests under the statute, namely: (1) Requests to Know; (2) Requests to Delete; and (3) Requests to Opt-Out. In general, businesses must provide two or more methods for submitting requests, including, at a minimum, a toll-free telephone number and, if the business maintains a website, an interactive web form accessible through their website or mobile application. Businesses are instructed to consider additional methods that reflect the way the business primarily interacts with consumers.
Businesses must confirm receipt of Requests to Know or Requests to Delete within ten days and respond substantively within 45 days. Requests to Opt-Out must be acted upon within 15 days, and businesses are required to notify all third parties with whom they have shared the consumer’s personal information within the 90 days prior to the opt-out request.
Businesses must also keep documentation of consumer requests and the response to those requests for 24 months and ensure that all personnel handling consumer requests are informed of all CCPA rights and how to direct consumers to exercise those rights.
- Verification of Consumer Requests – The proposed regulations provide guidance regarding how businesses should attempt to verify consumer requests, noting that businesses should avoid, if possible, requesting or collecting new or additional personal information in order to verify a consumer. In general, businesses are instructed to consider the sensitivity of the data and the risk of fraud or harm to the consumer in determining how stringent the verification process for any request should be. The more sensitive the data, the more stringent the process should be. The proposed regulations state that, in no event, should a business disclose sensitive personal information such as social security number, driver’s license number, financial account number, health information, account password, or security questions and answers.
Where a business maintains a password-protected account with its consumers, the business may verify a consumer’s identity through the existing authentication practices for that account. Where a business or consumer does not have a password-protected account, the business must verify the consumer’s identity to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the type of data involved, which may require matching up at least 2 or 3 pieces of personal data provided by the consumer with information maintained by the business. If the business cannot verify the consumer’s identity to the required level of certainty, it must deny the request and inform the consumer why the request was denied.
- Rules Regarding Minors – The proposed regulations provide certain additional requirements for businesses that have actual knowledge that they are collecting or maintaining the personal information of minors, including affirmative authorization for any sale of such information by the minor (if between ages 13-16) or by the parent or guardian (if under age 13).
- Non-Discrimination – The proposed regulations provide further details and guidance regarding when financial incentives or price or service differences violate or do not violate the statute, and also provide various methods by which businesses can estimate the value of consumers’ data for purposes of the financial incentive notice. Businesses can use any of the enumerated methods or any other “practical and reliable” method of calculation used in good faith.
Prepare Now
Although the proposed regulations are subject to further revision following public comment, the current draft provides enough guidance for businesses to take necessary steps now to be in compliance by January 1, 2020. Please contact Litigation and Data Privacy partner Scott Hall at shall@coblentzlaw.com or 415.772.5798 to discuss the CCPA’s requirements in greater detail and how we can help your business comply.
The information provided herein is informative only and not intended to be relied on as legal advice. Please contact us to discuss specific legal or compliance questions or concerns.
