On October 10, 2019, the California attorney general’s office released the long-awaited proposed regulations to the California Consumer Privacy Act (CCPA). The regulations are detailed and cover a lot of ground with respect to notice to consumers, handling and verifying consumer requests, rules regarding minors, and non-discrimination. Here are some notable provisions (assuming the regulations are adopted in their current form):

  • Valuation to support a financial incentive requires a good faith estimate and a description of valuation method. If a business offers a financial incentive or a price or service difference, it would need to provide notice that includes, among other things, an explanation of why the financial incentive or price or service difference is permitted, including a “good-faith estimate of the value of the consumer’s data that forms the basis for offering” the incentive or difference and a “description of the method the business used to calculate the value of the consumer’s data.” [§ 999.307(b)(5)] The regulations clarify that the value of consumer’s data is the value that such data provides to the business, not to the consumer. To estimate the value of consumer data, a business would need to use and to document a reasonable and good-faith method for valuation. A business is required to use at least one of eight enumerated methods provided in the regulations (e.g., marginal value to the business of the sale, collection, or deletion of a consumer’s data). These requirements are of particular significance to retailers or other companies with loyalty programs.
  • Third parties may include ad networks, ISPs, data analytics providers, and data brokers. “Categories of third parties” is defined as types of entities that do not collect personal information (PI) directly from consumers, including “advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.” [§ 999.301(e)] If “third parties” as used in the statute is to be the equivalent of “third parties” as defined in the regulations, it would appear to thwart the ability of businesses to treat ad tech vendors as service providers so as to utilize the sale exception for service providers, and instead force businesses to treat such vendors as third parties for which a sale exception would be far more difficult (i.e., would require a consumer’s intentional interaction with the third party). The regulations appear to indicate that many ad tech companies would be required to provide a sale opt-out to consumers.
  • No notice is required for indirect collection of PI, but if the business sells the PI, it would need to either provide direct notice to the consumer or obtain certain information from the PI source. A business that does not collect PI directly, like a third party or service provider, is not required to provide notice at collection. But if it sells the PI, it would need to either contact the consumer directly to provide notice regarding the sale and opt-out right or to obtain “signed attestations from the source” about how the source gave the notice at collection, including an example of the notice. [§ 999.305(d)]
  • Specific pieces of PI are afforded heightened protection as compared to categories of PI. While a business may deny a request for disclosure of categories of PI if the request is not verifiable, a business must deny a request for disclosure of specific pieces of information if the request is not verifiable. Moreover, a business cannot provide specific pieces of PI if the disclosure would create a “substantial, articulable, and unreasonable” security risk to the PI, the consumer’s account, or the business’s systems or networks. [§ 999.313(c)(3)] Practically, then, businesses should thoroughly evaluate the security risks that may exist when disclosing specific pieces of PI. For a request to know specific pieces of PI from a non-accountholder, a business is required to verify the consumer’s identity to a “reasonably high degree of certainty,” as compared to a “reasonable degree of certainty” for a request to know categories of PI. [Compare § 999.325(c) with § 999.325(b)] A “reasonably high degree of certainty” should include matching at least three pieces of PI provided by the consumer with PI maintained by the business, along with a signed declaration under penalty of perjury from the requesting consumer.
  • “Sensitive” PI is subject to even more stringent requirements. Certain types of specific pieces of PI are subject to even more rigorous protection under the regulations. A business would not be allowed to “at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.” [§ 999.313(c)(4)] Note the words “at any time”: this is a flat prohibition, not a verification threshold. While these pieces of PI are not expressly defined as sensitive by the referenced section, the regulations later indicate that the types of PI identified in Civil Code § 1798.81.5(d)—which largely overlap with such pieces of PI and include a person’s name combined with Social Security number, driver’s license number, etc.—are presumptively “sensitive” and warrant a “more stringent verification process.” [§ 999.323(b)(3)(a)]
  • A business that buys, receives, sells, or shares PI of 4 million-plus consumers annually would need to compile and disclose metrics relating to consumer requests and its responses to requests. The regulations impose a completely new obligation on a business that, “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers.” [§ 999.317(g)] Such a business would need to compile “metrics” for the previous calendar year that include the number of requests to know, requests to delete, and requests to opt-out that it received, complied with in whole or in part, and denied, and the median number of days within which it substantively responded to such requests. These metrics are to be disclosed in the business’s privacy policy or posted on its website.
  • Do Not Track may be legislated in; user-enabled privacy controls are to be treated as sale opt-outs under certain circumstances. If a business collects PI from consumers online, the business is to treat “user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale” as a valid request for opt-out for that browser, device, or consumer (if known). [§ 999.315(c)] Even if a consumer uses an authorized agent to submit an opt-out request, such user-enabled privacy controls are to be treated as a request directly from the consumer, not through the authorized agent.
  • Webforms are required. If a business has a website, one of the designated methods for submitting a request to know would need to be an interactive webform. For requests to opt-out, businesses would need to provide an interactive webform accessible by the “Do Not Sell My Personal Information” (or “Do Not Sell My Info”) link on their website or mobile app. If a business has a website, the notice of sale opt-out would need to include the opt-out webform. Privacy policies would need to have links to “an online request form or portal” for making a request to know and request to delete, if offered by the business. [§ 999.308(b)(1)(b), § 999.308(b)(2)(b)]
  • Two-step process is required for online request to delete and for sale opt-in request after a sale opt-out. Before a business can delete a consumer’s PI in response to a request to delete submitted online, the consumer would first need to clearly submit the request to delete and then separately confirm that they want their PI deleted. Likewise, a request to opt-in to sale of PI after a sale opt-out would require the consumer to first clearly request to opt-in and then separately confirm their choice to opt-in.
  • A business would need to take some action even if a consumer request is deficient. Even if a consumer submits a request through a method that the business has not designated for submission, or the request is deficient in some other manner, the business would need to act by either treating the request as if it had been properly submitted or providing the consumer with specific directions on how to submit the request or cure the deficiency.
  • Detailed guidance regarding privacy policy contents. The regulations provide detailed, specific guidance on what would need to be included and addressed in a privacy policy with respect to a consumer’s right to know, right to deletion, and right to opt-out of sale.
  • Recordkeeping obligations. A business would need to keep records of consumer requests and how it responded to them for at least 24 months. The records may be maintained in a ticket or log format, in which case the regulations require certain content to be included, such as the date and nature of each request.
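
The browser-signal provision in § 999.315(c) is the one item above that lands directly on engineering teams, so here is an added illustration of how a server might honor it. This is example code written for this summary, not the attorney general’s or any vendor’s implementation. It assumes that the legacy “DNT: 1” request header is the kind of “user-enabled privacy control” the draft refers to (the header is real; treating it as a CCPA sale opt-out is this example’s assumption), and that the business identifies the requester, in order of preference, by a known consumer id, a device id, or a first-party browser cookie (all hypothetical names).

```python
"""Treat a browser opt-out signal as a CCPA sale opt-out request.

Added example, not regulatory text or project code. Assumptions:
  * "DNT: 1" is a qualifying user-enabled privacy control;
  * consumer_id / device_id / browser_id are the business's own identifiers.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Set, Tuple


@dataclass(frozen=True)
class OptOutRequest:
    scope: str        # "consumer", "device" or "browser" (the three scopes in § 999.315(c))
    subject_id: str   # identifier the opt-out is recorded against
    signal: str       # header that carried the consumer's choice
    via_agent: bool   # a signal is always the consumer's own request, never an agent's


# Header name -> value that means "opt out". Assumed mapping; extend as new
# browser controls appear. Header names are compared case-insensitively.
OPT_OUT_SIGNALS: Dict[str, str] = {"dnt": "1"}


def detect_signal(headers: Mapping[str, str]) -> Optional[str]:
    """Return the name of the first recognized opt-out signal, or None."""
    normalized = {k.lower(): v.strip() for k, v in headers.items()}
    for name, on_value in OPT_OUT_SIGNALS.items():
        if normalized.get(name) == on_value:
            return name
    return None


def opt_out_from_signal(
    headers: Mapping[str, str],
    *,
    consumer_id: Optional[str] = None,
    device_id: Optional[str] = None,
    browser_id: Optional[str] = None,
    submitted_by_agent: bool = False,
) -> Optional[OptOutRequest]:
    """Turn a live signal into an opt-out request keyed to what the business knows.

    `submitted_by_agent` is accepted but deliberately ignored: under § 999.315(c)
    a signal is treated as a request directly from the consumer even when an
    authorized agent is in the picture.
    """
    signal = detect_signal(headers)
    if signal is None:
        return None
    # Prefer the most specific subject actually known to the business.
    if consumer_id:
        scope, subject = "consumer", consumer_id
    elif device_id:
        scope, subject = "device", device_id
    elif browser_id:
        scope, subject = "browser", browser_id
    else:
        # Nothing to key a durable record on; the caller should set a
        # first-party identifier and call again. The live signal still
        # blocks this request's sale via OptOutRegistry.sale_permitted.
        return None
    return OptOutRequest(scope=scope, subject_id=subject, signal=signal, via_agent=False)


class OptOutRegistry:
    """In-memory stand-in for the business's opt-out store (constructed for the example)."""

    def __init__(self) -> None:
        self._opted_out: Set[Tuple[str, str]] = set()

    def record(self, req: OptOutRequest) -> None:
        self._opted_out.add((req.scope, req.subject_id))

    def sale_permitted(
        self,
        headers: Mapping[str, str],
        *,
        consumer_id: Optional[str] = None,
        device_id: Optional[str] = None,
        browser_id: Optional[str] = None,
    ) -> bool:
        """Gate for any sale (e.g. firing an ad-tech pixel): honor the live signal
        first, then any stored opt-out for any identifier tied to this request."""
        if detect_signal(headers) is not None:
            return False
        for scope, sid in (("consumer", consumer_id), ("device", device_id), ("browser", browser_id)):
            if sid and (scope, sid) in self._opted_out:
                return False
        return True


if __name__ == "__main__":
    registry = OptOutRegistry()
    req = opt_out_from_signal({"DNT": "1"}, consumer_id="c-1001", submitted_by_agent=True)
    registry.record(req)
    print(req)
    print("sale permitted for c-1001:", registry.sale_permitted({}, consumer_id="c-1001"))
```

Two design points worth noting. First, the gate checks the live header before the stored record, so a consumer whose signal arrives before the business has any identifier for them is still not sold on that request. Second, the draft speaks of “user-enabled” controls; a server cannot tell from the header alone whether the setting was chosen by the user or shipped as a default, so this example honors the signal unconditionally and leaves that policy question to counsel.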

These are just some of the issues addressed in the draft regulations, which are subject to comments to be presented at the upcoming public hearings in December or to be submitted in writing up through December 6, 2019. Please contact us for a comprehensive analysis and recommendations on how to best implement the regulations for your business.