The Wait is Over: Proposed Regulations Implementing the CCPA are Released

Moore & Van Allen PLLC

On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment. Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA. While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA and fail to address issues that many have worried about since the CCPA was passed (e.g., the very broad scope of applicability of the CCPA).

The proposed regulations largely focus on (1) notices required to be provided to consumers, (2) processes a business must follow to respond to consumer requests, and (3) methods for verifying that a consumer making a request is who they say they are.

A. Notices Required to be Provided to Consumers

In addition to expanding on the necessary contents of a business’s privacy policy, the proposed regulations address the contents of notices to be provided to consumers (a) at or before the collection of personal information, (b) related to the right to opt-out of the sale of personal information, and (c) explaining any financial incentives available to the consumer.

In general, these notices must be easy to read and easy for the average consumer to understand. The notices may not use technical or legal jargon, and must be in a format that draws the consumer’s attention. The notices must also be accessible to consumers with disabilities, at a minimum providing information on how the consumer may access the notice in an alternative format.

New under the proposed regulations is the requirement that businesses also provide notice and obtain explicit consent from consumers for using any category of personal information for a purpose not disclosed at the time of collection. At the same time, the proposed regulations require that the business list the categories of personal information collected in a manner that provides consumers a “meaningful understanding” of the information. Drafting notices that are broad enough to avoid needing to obtain consent in the future while still providing consumers with “meaningful understanding” will be challenging.

B. Responding to Consumer Requests

The proposed regulations also provide detailed requirements for submitting and responding to consumer requests. In particular, two or more methods must be made available to consumers for submitting requests to know (i.e., requests that the business disclose what information related to the consumer the business collects, uses, discloses and sells) and requests to delete (i.e., requests that the business delete information collected), including a toll-free phone number. Additional methods may be required depending on how the business typically interacts with consumers (e.g., for retail establishments, three methods may be required – a toll-free phone number, a webform on the business’s website, and a form that can be submitted in person).

The business must confirm receipt of all requests to know and requests to delete within 10 days, and provide information regarding how the request will be processed. A full response to any requests to know and requests to delete must be provided within 45 days of receipt (or up to 90 days if the business notifies the consumer and provides an explanation of why the business needs more time to respond), regardless of how long it takes to verify the identity of the consumer (see Part C below).

Similar to requests to know and requests to delete, two or more methods must be made available to consumers to submit requests to opt-out of the sale of personal information, including an interactive webform accessible via a link entitled “Do Not Sell My Personal Information”. The business must act on any opt-out request as soon as feasibly possible, but no later than 15 days after receipt, and must notify all third parties to whom it has sold personal information of the relevant consumer within 90 days prior to the business’s receipt of the request.

C. Verifying the Identity of a Consumer

The proposed regulations emphasize that businesses must establish and comply with a reasonable method for verifying the identity of the consumer making a request in order to avoid any unauthorized disclosure or deletion of personal information. The robustness of the method for verification depends on many factors, including the sensitivity of the personal information at issue and the risk of harm to the consumer of any unauthorized access or deletion of such information.

Businesses should generally avoid asking the consumer for additional personal information in order to verify the consumer’s identity, but may do so if necessary. If additional personal information is requested, it may be used only for verification purposes and must be deleted as soon as practical after processing the request (except if required to be kept for record-keeping purposes).

D. Additional Topics Addressed

In addition to the topics above, the proposed regulations also address:

  • additional requirements and processes related to the collection and use of personal information of minors;
  • new disclosure requirements for businesses that collect the personal information of more than 4 million consumers;
  • the CCPA’s prohibition on discrimination against consumers and methods for valuing consumer data when offering a price or service difference to a consumer where permitted under the CCPA;
  • the process for using an agent to submit consumer requests;
  • clarifications regarding entities that will be considered a service provider under the CCPA;
  • training of employees regarding a business’s obligations under the CCPA; and
  • record-keeping requirements for consumer requests.

Written comments regarding the proposed regulations may be submitted until December 6, 2019, at 5:00 pm PST, and public hearings will be held December 2, 2019 through December 5, 2019. The CCPA will go into effect on January 1, 2020, but the proposed regulations (including any modifications) are not expected to become final until the first half of 2020, meaning enforcement is not likely to commence until July 1, 2020. While there will be a gap in time between the CCPA’s effective date and the date on which Attorney General Becerra is empowered to enforce the CCPA, the Attorney General has indicated that there will be no safe harbor for non-compliance. Therefore, it will be important for businesses to have appropriate training, procedures, and compliance frameworks in place prior to January 1, 2020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Moore & Van Allen PLLC | Attorney Advertising
