In this alert, we summarize the key takeaways from the final regs in the areas of Notices, Consumer Rights Requests, Non-Discrimination and Loyalty Programs, Service Providers, Minors, Households, Training and Records, and Sale and Reasonable Security.
On June 1, 2020, the Office of the California Attorney General (OAG) submitted the final proposed regulations (final regs) under the California Consumer Privacy Act (CCPA or the Title) to the California Office of Administrative Law (OAL). OAL now has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the regs for procedural compliance with the Administrative Procedure Act. Although we do not expect OAL to make any substantive changes to the regs, we are still one procedural step away from the regs being filed with the secretary of state by OAL and becoming enforceable by law. Noting the July 1, 2020, statutory mandate for the regulations, the OAG petitioned OAL for expedited review and submission to the secretary of state prior to that date and for effectiveness upon submission to the secretary. As we have previously explained, there is a legal basis for this approach.
BakerHostetler and several industry groups filed comments with the OAG in mid-March, as the pandemic was breaking, asking that enforcement of the CCPA be delayed until six months after the regs become final, in part to help companies focus on COVID-19. Those comments have now been rejected by the OAG, and enforcement of the CCPA will begin on July 1, 2020, regardless of when final regulations are promulgated, absent action by the governor or the Legislature.
The final regulations, which number 29 pages, provide guidance on certain key requirements under the CCPA, including definitions (Article 1), notice requirements (Article 2), businesses’ obligations in handling consumer rights requests (Article 3), requirements for verification of consumers making requests (Article 4), special rules regarding minors (Article 5) and use cases for applying the CCPA’s non-discrimination mandate (Article 6). The regs also flesh out what service providers can and must do (Section 999.314), expand on training and record-keeping requirements (Section 999.317), and explain what businesses can and must do in response to a request putatively made by an agent acting on behalf of a consumer (Section 999.326). Notably absent are guidance on the design of a standard “do not sell” opt-out button, guidance on the meaning and scope of “sell,” and information about how to treat third-party cookies.
These regs should be analyzed within the context of the six CCPA amendment bills (A.B. 25, A.B. 874, A.B. 1146, A.B. 1202, A.B. 1355 and A.B. 1564), which were signed into law on Oct. 11, 2019. The regs attempt to reconcile the amendments as well as to provide guidance on the rights and obligations of businesses, service providers and third parties under the CCPA. Together with the final regs, the OAG also published a Statement of Reasons (SOR) on June 1, which provides responses to all the comments received during the rule-making process. We can further glean from this SOR the reasoning behind certain positions taken by the OAG in the regs and potential enforcement priorities.
NOTICES
The final regs provide guidance on the three categories of privacy notices businesses must provide under the CCPA:
- for businesses that collect personal information (PI) directly from consumers, a notice to consumers about the collection of PI at or before the point of collection;
- for businesses that sell PI, a notice of the right to opt out and a notice of sale details; and
The OAG continues: “To the extent a business does not collect personal information directly from the consumer but intends to sell the personal information, the business can comply with subsection (e).” Subsection (e) refers to the California data broker law, Civil Code Sections 1798.99.80 et seq. That data broker law provides that “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” must register as a data broker. It is important to note that the following key terms within the data broker law have the same meaning as they do under the CCPA: “business,” “collect,” “sell,” “third party,” “personal information” and “consumer.” Accordingly, businesses that do not collect PI directly from the consumer and sell it further downstream may satisfy their notice requirements through the data broker registration process if they qualify as a data broker. It is through this combination of notices that the consumer is ensured effective notice regarding the selling of their PI, and will have a meaningful ability to opt out of downstream sales, either directly with a party with which they have a direct relationship or by going to the data broker registry to identify parties with which they may not have a direct relationship and that may be selling their PI. The OAG notes that the registry has the added benefit of “allowing [technology] innovators to pull information about how data brokers process requests to opt-out from a centralized repository …” and offer consumers opt-out tools that utilize that information.
- Notice at Collection Requirements: Businesses should verify whether PI is collected under the expanded definition of PI for the CCPA and should establish new or revised procedures to deliver required privacy notices before any PI is collected.
- Opt-in Consent Requirement for New Uses for Data: If the notice previously included statements about how the PI will be used, businesses should have a way to ensure that the data is not used for any purposes that are outside of those stated purposes. Any new or secondary purpose for using the data that is materially different from what was previously disclosed in the notice at collection will require explicit consent from the consumer.
- Notice Requirement for New Type of Data Collection: If a business develops a new product or a new service and new types of PI are collected other than those disclosed in the previous notice, the business is required to provide a new notice.
- IP Address as PI: The February version of the draft regulations stated that an IP address alone that did not or could not reasonably be linked to a particular consumer was not “personal information.” The final regs deleted this clarification, and thus do not include guidance on whether an IP address alone should be treated as PI. In the SOR, the OAG stated: “The OAG deleted this provision to prioritize the implementation of regulations that operationalize and assist in the immediate implementation of the law. Further analysis is required on this issue.” So the OAG kicked the can down the road, and this issue is likely to be revisited in further rule-making.
- New Notice of Sale Requirement: Businesses are required to state in their privacy policies whether or not they sell PI. Any business that has stated in its privacy policies that it engages in sales of PI should also consider whether the data broker laws apply to that business.
- B2B Collection of PI: Businesses that do not collect PI directly from consumers and do not sell consumers’ PI are no longer required to provide a notice at collection. Thus, a company that collects consumer PI from third parties should evaluate whether any of its data transfers to third parties constitute a sale under the CCPA’s definition and, if they do, should consider registering as a data broker.
- Data Broker Notice Requirement: Businesses that do not collect PI directly from the consumer and sell it further downstream may satisfy their notice requirements through the data broker registration process if they qualify as a data broker. Businesses that do have a direct relationship with the consumer and are merely supplementing their PI with data acquired from data brokers that they then wish to sell downstream cannot qualify as data brokers, because they already have a direct relationship with the consumers. These businesses can meet their notice obligations by disclosing in their privacy notice that they are both directly collecting PI and acquiring additional PI from third parties, and that they are selling the PI.
- New Notice and Opt-out Requirement for Sale of Data: If a business bought PI from another business, it cannot resell the PI unless the entity that collected the PI gave explicit notice to the consumer about the sale and the consumer was provided with an opportunity to exercise the right to opt-out. Any business that is purchasing data sets from a data broker should evaluate whether its data processing activities could constitute a resale of PI.
- Just-in-Time Notice Requirement for Mobile Apps: The regs include a new requirement to provide a “just in time” notice when collecting PI from a consumer’s mobile device for a purpose the consumer would not reasonably expect.
- New Employee Privacy Notice Requirement: Employers are required to provide a privacy notice to employees. A business that has employees in California should provide a CCPA-compliant privacy notice to its employees, which may need to be updated if new types of PI were collected as a result of COVID-19, for example.
- A chart in the original alert outlines which notice requirements apply in each of the following four circumstances:
  - PI collected from consumers but no sale
  - PI collected from consumers and sale
  - PI collected from third parties but no sale
  - PI collected from third parties and resale
CONSUMER RIGHTS REQUESTS
As with the first set of proposed regs, the identity verification requirements in the final regs are focused on proving that requesters are who they say they are rather than on proving that each requester is a California consumer. Following the publication of the initial draft regulations, Microsoft and other major companies announced that they will not be restricting CCPA rights to California residents. Covered businesses will need to decide whether they will take the same approach, and for those that require California residency, it is not clear what they can do to verify that beyond attestation.
The final regs make a few major changes to a business’s obligations in handling consumer rights requests, and these changes should now be reflected in how requests are processed.
- Toll-Free Number Requirement: A U.S. toll-free number is required as one of the methods by which consumers may submit requests to know. However, if a business operates exclusively online and has a direct relationship with a consumer from whom it collects PI, a toll-free number is not required, and an email address will suffice.
- In-person Requirements: If the business primarily interacts with consumers in person, the regs require the business to consider providing an in-person method such as having a printed form, a computer portal, or a telephone number available for consumers to submit requests to know and requests to delete. While the final regs do not require that submission of a request be available for completion entirely in-store, it would seem that some minimum information must be available at physical locations so consumers will know how to make a request, even if online or via a toll-free number. Signage and training of staff are recommended, and care should be taken to accommodate special needs of the disabled.
- Accessibility Requirements: The regs require that accessibility for the disabled follows generally recommended industry standards and, for online accessibility, specifically incorporates the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, by reference.
- 10-day Response Requirement: The regs require specific disclosures to be included in the initial acknowledgment confirming receipt of requests to know or requests to delete, which must be provided to the consumer within 10 business days of receipt of such requests.
- 15-day Opt-out Requirement: Businesses should comply with a request to opt out as soon as feasibly possible, but no later than 15 business days from the date the business receives the request. If a business sells a consumer’s PI to a third party after the consumer opts out but before the opt-out request has been processed, it is required to notify the third parties that the consumer has exercised the right to opt out and to direct those third parties to not sell that consumer’s information. This is a change from the initial draft, which proposed to require that a business pass through a consumer’s opt-out request to third parties to which it sold the consumer’s PI within the past 90 days.
- Verification Requirement: Where verification cannot be confirmed through a password-protected account, the regs require verification to a “high degree of certainty” before responding to a request to access specific pieces of PI or to delete sensitive PI. In contrast, verification to a “reasonable degree of certainty” is required if responding to a right-to-know request for categories of PI collected and before deleting less-sensitive PI. If a business fails to verify the consumer’s request for specific pieces of PI, it should determine whether it has met the lower standard for “reasonable degree of certainty,” and it should provide the categories. The regs give examples of the types of data that should receive higher scrutiny before a request to delete is executed.
- Authorized Agent Requests: The regs provide great detail on what a business may, must and must not do to verify a putative authorized agent request.
- Global Privacy Controls and Browser Plug-ins: The regs require honoring “[u]ser-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting or other mechanism, that communicate or signal the consumer’s choice to opt-out.” However, the regs also provide that a business need do so only if such tools “clearly communicate or signal that the consumer intends to opt-out.” No guidance is provided as to what standard should be applied to establish that intent or what, if any, diligence a business must undertake to look for any such expressions of intent.
- Uniform Opt-out Button Design: The design for the opt-out button that was previously proposed has since been removed, and no new design was offered in the final regs. If the business sells PI, a link titled “Do Not Sell My Info” should be added to the business’s internet home page, to direct consumers to a web page that enables the consumers to opt-out.
NON-DISCRIMINATION AND LOYALTY PROGRAMS
The regs clarify that a financial incentive or a price or service difference is discriminatory only if the consumer is treated differently by the business because the consumer exercised a right conferred by the CCPA or the corresponding regs.
We have previously explained that the impact of the non-discrimination regs on typical loyalty programs may not be as significant as many people have supposed. Now that the regs have been finalized, businesses should determine whether and which business practices are impacted by the nondiscrimination provisions, especially if new types of PI were collected in the past couple of months in response to COVID-19 or if new pricing strategies and service delivery channels have been implemented.
- Examples of Discrimination under CCPA: The final regs delete one of the examples that was previously provided, and instead provide four examples that illustrate which types of behavior are discriminatory.
- How to Calculate the Value of Consumer PI: The regs provide eight different methods for calculating the value of a consumer’s PI to the business. The regs clarify that for purposes of calculating the value of the consumer’s PI, a business may consider the value of data from all natural persons in the United States rather than limit itself to the value of data from California residents.
SERVICE PROVIDERS
A business that provides services to a person or organization that is not a business (e.g., a government or a nonprofit entity), but that would otherwise qualify as a service provider, should be deemed a service provider. The OAG explained that this was necessary to ensure that a vendor of a nonprofit or the government does not have to respond to consumer requests on data that was intended to be outside the scope of the CCPA in the first place. Further, this would seem to extend both the benefits and the obligations of service-provider status to vendors that serve government or nonprofit entities.
Another question the rulemaking tried to answer is the extent to which a service provider may use its client’s consumer PI for its own business purposes and remain within the service provider exception to sale. Under Section 999.314(c) of the final regs, a service provider may retain, use or disclose PI only for five permitted purposes: (1) processing or maintaining PI on behalf of the business in compliance with the service provider contract; (2) retaining another service provider as a subcontractor; (3) strictly internal use in building or improving the quality of its services, provided that PI is not used to build or modify user profiles for another business or combined with PI from another source; (4) data security and fraud prevention; or (5) discharging legal obligations under Cal. Civ. Code Section 1798.145(a)(1)-(4). We have received a number of questions about how a service provider could use the PI it collected for internal use to build or improve the quality of its services. Any business that is a service provider should have internal controls in place to understand what PI is collected directly from consumers and whether any legal or contractual restrictions apply to the use of that data, and businesses engaging service providers should ensure that they are contractually imposing limitations on the processing of their PI that are consistent with the regs.
- Vendor Agreements and CCPA Rider Requirements: The scope of permitted uses of client PI by service providers includes retention of subcontractors, internal product or service development, and legal compliance purposes, but is actually more restrictive than what was proposed in the initial draft of the regs; it is a definitive list of what a service provider can do regarding client data, whereas the initial regulations limited only use that benefited other clients as opposed to limiting all uses. This is a far more restrictive interpretation of a service provider’s own permitted business purposes than many vendors had hoped for, and it may result in some vendors having to be third parties and thus subject to the sale and do-not-sell provisions of the law.
- Service Provider Obligations: Service providers that receive right-to-know or deletion requests regarding PI collected, maintained or sold on behalf of a business must either act on behalf of the business and respond to the request, or inform the consumer that the request cannot be acted upon because it was sent to a service provider.
- Business, Service Provider, or Third Party: Much like the debate about the distinction between “data controller” and “data processor” under the General Data Protection Regulation, there is continued debate on whether a company can be a business collecting PI, a service provider and a third party at the same time. The OAG provides guidance on this point to a certain extent by including the following in the SOR: “An entity may in some instances be the business that collects personal information from consumers and in other instances [be] a third party that receives personal information collected by another business.” Businesses should separately determine for each data processing activity whether the obligations for collection, sale or resale apply.
MINORS
The regs outline parental consent verification standards for children under 13, inspired by the Children’s Online Privacy Protection Act (COPPA). Under the regs, the parental verification requirements are triggered by a business’s actual knowledge of selling the PI of minors, not by the collection or maintenance of such PI. The regs also flesh out how minors’ opt-in and opt-out of sale must be handled.
- Opt-in Requirement: For minors between 13 and 16 years of age (i.e., ages 13, 14 and 15), the regs require affirmative opt-in for sales of the consumer’s PI using a two-step process (i.e., double opt-in).
HOUSEHOLDS
The regs narrow the definition of “household” to require not only residence at the same address but also (1) sharing a common device or service and (2) sharing the same group account or unique identifier. Thus, data merely tied to a particular residential address without more does not constitute household PI, which means that heightened household verification requirements would not apply to it.
- Household PI: To qualify as household PI, the data must be associated with a particular group account (or identifier) covering shared devices or services used by individuals residing at the same address. However, where the privacy rights of other persons are implicated by data tied to a residence that would not qualify as a household, there may still be a basis to restrict access to protect the privacy rights of those other persons pursuant to Section 1798.145(l) of the Title.
- Responding to Request for Household PI: Unless a household has a password-protected account with a business, the business may not comply with a request for specific pieces of PI or a request to delete unless all of the household members jointly make the request, are individually verified and prove that each individual is currently a member of the household.
- Minors’ PI in Household Data: If a household member is a minor under 13 years of age, the business must first obtain verifiable parental consent pursuant to the regulations’ COPPA-inspired requirements.
- Limits to Right to Know or Right to Delete: If a password-protected account holder makes a request to know or a request to delete, the business may (but is not required to) process the request as it relates to household information according to its existing practices and in compliance with the CCPA regulations.
TRAINING AND RECORDS
Training and record-keeping requirements are central to the regulations, with the most significant obligations being thrust upon businesses that process the PI of 10 million or more California consumers per year, which is a much greater volume of processing than the 4 million threshold originally proposed. The regs also require maintaining records of consumer requests for 24 months.
- Record-keeping Requirement: The final regs include specific requirements for what types of records must be maintained for at least 24 months from the time the requests were received by the business. Consider maintaining records of consumer requests for the full statute of limitations period applicable to OAG enforcement actions (four years).
SALE AND REASONABLE SECURITY
Finally, the modified regs provide no further guidance on the definition of “sale” or what constitutes reasonable security.
- Reasonable Security Standards: Look to well-established industry standards for evaluating data security and maintain good documentation of your information technology and information security policies, program, assessments and remediations.
- CCPA Sale of PI Risk Assessment: Look closely at potential sale situations, and either establish a basis for why it is not a sale or treat it as a sale and offer an opt-out procedure. For more information on cookies and the CCPA, including application of the “sale” provisions in the context of the downstream data transfers inherent in interest-based advertising, see our prior posts here and here.
- Intersection with the New Data Broker Law: For companies that have included statements in their privacy policies indicating whether they sell or do not sell PI, which is a CCPA requirement, we also recommend a separate analysis to determine whether the new data broker registration requirements apply. As discussed above, the California data broker law was enacted in October 2019, and as can be seen from the advisory that the OAG issued on Jan. 6, 2020, the CCPA and the data broker laws are two laws that the OAG is thinking about together when outlining new data privacy rights for California consumers. Because the definitions of “collect” and “sell” are broad under both these laws, a reexamination of what it means to be a “data broker” is required.
For copies of the final regs along with related rule-making documents, visit the attorney general’s CCPA rule-making site here.