Final Regulations to Help Businesses Comply with California Consumer Privacy Act; Ballot Measure Could Expand Privacy Protections
The Attorney General began enforcing the California Consumer Privacy Act, meant to give consumers greater control over how businesses use their personal information, on July 1. The law allows the Attorney General to recover up to $2,500 for each violation or up to $7,500 for each intentional violation. The law also allows consumers to bring a private right of action to recover damages up to $750. For businesses that collect and store significant amounts of consumer data, the potential penalties are steep. It is more important than ever to ensure compliance with the CCPA.
The CCPA includes expansive compliance requirements for businesses and new consumer privacy rights, including the right to know what information businesses have collected about them, the right to have their personal information deleted and the right to prevent businesses from selling their personal information to third parties. In addition, the CCPA requires that a parent or guardian affirmatively consent to the collection of personal information about people younger than 13.
However, the CCPA itself provides little guidance to businesses about how they are supposed to comply with their new duties. Instead, the CCPA directs the Attorney General to adopt regulations that set forth the rules and procedures with which businesses must comply, such as rules and procedures for the submission of opt-out requests by consumers and mandatory notices that businesses are required to provide. On June 1, the Office of the California Attorney General submitted final proposed regulations to the California Office of Administrative Law.
Here is a brief summary of the key proposed regulations.
Notices to Consumers
The proposed regulations state when and how notices must be provided to consumers. The regulations also list the categories of information that must be included in each notice. While there are specific requirements for each notice, all notices must be easy for laypersons to read and understand, be available in the languages in which the business ordinarily provides information to consumers and be reasonably accessible to persons with disabilities.
Requests to Know or Delete
The proposed regulations also create a process for submitting requests to know and requests to delete. Of note, businesses must acknowledge receipt of a request to know or delete within 10 business days and respond to these requests within 45 calendar days of receiving them.
When responding to a request to know or delete, businesses must first verify the identity of the consumer, as instructed in the proposed regulations. If the business cannot verify the consumer’s identity, the request may be denied.
Once the consumer’s identity is verified, for a request to know, the business must disclose the categories of information collected, the sources from which the personal information was collected, the business purpose for which the personal information was collected or sold and the categories of third parties to whom the personal information was sold.
Requests to Delete
After verifying the consumer’s identity, in response to a request to delete, businesses are to permanently and completely erase the personal information on their systems, de-identify the personal information or aggregate the consumer information.
Requests to Opt-Out
In addition to the CCPA’s requirements, the proposed regulations mandate that businesses treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting or other mechanism, as an opt-out request for that browser or device. Businesses must comply with opt-out requests as soon as “feasibly possible,” but no later than 15 business days from the date the business receives the request. Unlike requests to know or delete, the business does not need to verify the consumer’s identity before processing an opt-out request.
The proposed regulations also allow businesses to give consumers the choice of opting out of the sale of their personal information for certain purposes or for all purposes, so long as there is a more prominent all-purposes opt-out option available.
While the CCPA prohibits businesses from discriminating against consumers who exercise their rights under the Act, it allows businesses to offer “financial incentives” to people who choose not to opt out. The financial incentive is considered discriminatory unless the value of the incentive is reasonably related to the value of the consumer’s personal information to the business.
More Changes Coming
Even once these regulations are effective, there are further changes on the horizon. Certain employee data and certain information collected in the context of business-to-business transactions will no longer be exempt from the CCPA as of Jan. 1, 2021, unless the CCPA is further amended.
To further complicate matters, the California Privacy Rights Act is on the November 2020 ballot. The Act would amend the CCPA to create even greater privacy rights and more stringent obligations on businesses. Unlike the CCPA, the Act would limit future amendments to those that further consumer privacy, which means the California Legislature would not be able to amend the law to reduce consumer rights or water down the requirements. It would require the Attorney General to update and amend the CCPA regulations with a significant number of new provisions.
Here are some key provisions of the Act:
Exemptions for Employment Information
- Extends exemptions for employee and applicant information through Jan. 1, 2023, from the current expiration date of Jan. 1, 2021.
- Establishes a new category of “sensitive personal information,” and gives consumers heightened protections for any use of “sensitive personal information.”
- Adds a right of correction for personal information that is inaccurate.
- Permits opt-out rights so that advertisers cannot use precise geolocation information.
- Clarifies that the compromise of a consumer’s email address in combination with a password or security question and answer is considered a breach.
- Triples fines for violations of the CCPA’s opt-in right for minors.
- Raises the age for opt-in consent to 16.
- Establishes the California Privacy Protection Agency, which will initially be funded with $5 million in 2020-2021, and $10 million in each following year, to enforce the law.
Subcontractors and Other Third Parties
- Requires that businesses impose CCPA obligations on downstream contractors.
- Expands data deletion obligations through the supply chain.