On October 11, 2019, the California Attorney General issued long-awaited draft Regulations to the California Consumer Privacy Act (CCPA). The draft Regulations provide helpful clarity on some core aspects of California’s sweeping new privacy law, while also adding significantly to the complexity of, as well as the list of, requirements on a business to protect consumer personal data. In some instances, these regulations go beyond the requirements of the European Union’s General Data Protection Regulation (GDPR), and in some cases, beyond what even well-prepared businesses are likely to have anticipated.
This alert does not summarize the entirety of the draft Regulations; rather it points out and analyzes some of the key highlights. The Regulations are still a draft, so they may change; but with the CCPA set to go into effect in only a few months, businesses will find it useful to look to them as an invaluable compliance roadmap.
First, the draft Regulations clarify that a company can be both a business and a service provider, depending on its relation to the consumer and the data collected (999.314). This clarification is highly significant, and it helps bring the CCPA more in line with the European GDPR’s critical distinction between controllers and processors. In essence, with the draft Regulations, the CCPA would recognize that service providers need not assume the responsibility of businesses for adjudicating consumer access and deletion requests. If the service provider receives an access or deletion request from a consumer regarding personal information that the service provider collects, maintains, or sells on behalf of a business it services, it need not comply with the request, but shall explain the basis for the denial, and refer the consumer to the relevant business (999.314(d)). Therefore, a business can now be less concerned that its service providers would be making unilateral decisions on responding to consumer requests regarding personal information that the business collected or processed through the service provider. As with the GDPR, the key will be to ensure a contract is in place with service providers that includes clear direction on how to handle consumer access or deletion requests.
Second, the draft Regulations acknowledge that when it comes to consumer access or deletion requests, there is an inherent tension between privacy and cybersecurity. For example, if an individual asks for a detailed accounting of the personal information a business maintains on them, should the business simply email that information, or would doing so present undue cybersecurity risks? Should personal information be masked when presented to a requesting consumer, akin to what is done with all but the last four digits of credit card numbers on receipts? The draft Regulations state that a business “shall not” provide a consumer with specific pieces of personal information if the disclosure creates a “substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks” (999.313(c)(3)). In fact, the draft Regulations even exclude Social Security numbers, driver’s license numbers, financial account numbers and other sensitive information from the disclosure requirement (999.313(c)(4)).
Similar privacy vs. security questions apply to verification, which the draft Regulations also helpfully address. While the draft Regulations require the business to disclose its verification procedures (999.308(b)(1)(c)), they require only that those verification procedures be reasonable and tiered to the sensitivity of the personal information at stake (993.323).
Third, the draft Regulations help avoid confusion over whether the CCPA actually requires a business to collect more personal information in order to comply with consumer requests. Take, for example, IP addresses, which the CCPA includes within its definition of personal information, but which many companies do not necessarily collect or maintain in a way that reasonably identifies a consumer or a household. The draft Regulations confirm that the business would not have to, say, correlate a dynamic IP address with an internet service provider if a consumer asks for all personal information that the business collected on them. Instead, the business may require the consumer to demonstrate that they are the “sole consumer associated with the non-name identifying information” (999.325(e)(2)).
In addition, for verification purposes, a business need only match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business. A business may collect additional personal information to verify a request, according to the draft Regulations, but the business “shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request…” (999.323(c)).
Fourth, in an additional nod to cybersecurity, not to mention practicality, the draft Regulations provide that where personal information is stored on archived or backup systems, deletion may be “delayed until the archived or backup system is next accessed or used” (999.313(d)(3)). While the CCPA, unlike the GDPR, does not have an explicit data minimization requirement, one way to facilitate compliance when it comes to deleting personal information on backups is to institute a retention schedule whereby unaccessed archives are aged off after a certain period of time (assuming, of course, that newer backups are sufficient).
Fifth, the draft Regulations help answer the question: what does it mean to delete personal information? In their current form, the draft Regulations clarify that a business can comply with a deletion request by “[p]ermanently and completely erasing” the personal information on its existing systems “with the exception of archived or backup systems,” de-identifying the personal information, or aggregating the personal information (999.313(d)(2)).
Sixth, the draft Regulations help resolve the logical conundrum inherent in deletion requests: how do you prove that you have deleted someone’s information upon their verified request? Now, the draft Regulations clarify that a business may—and in fact shall—maintain records of consumer requests, including for deletion, made pursuant to the CCPA, and how the business responded to those requests, for at least 24 months (999.317(b)). The Regulations explain that the records may be maintained in a “ticket or log format provided that the ticket or log includes the date of the request, the nature of the request, manner in which the request was made, the date of the business’ response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part” (999.317(c)). For further clarity, the Regulations exempt these records from the CCPA (999.317(d)).
Seventh, the draft Regulations make clear that the CCPA applies to a business that does not collect information directly from consumers if the business sells a consumer’s personal information (999.305(d) and 999.312(e)). A business that does not interact directly with consumers must either contact the consumer directly and provide notice that the business sells that consumer’s personal information and provide them with notice of the right to opt out, or contact the source of the personal information and obtain a signed attestation from the source that it gave the consumer the notice of collection, and provide an example of the notice. Attestations must be kept for two years (999.305(d)). A business that does interact directly with consumers must also provide at least one method by which the consumer may submit requests to know or requests to delete online (999.312(e)). This provision has particular significance for consumer data resellers and advertising networks.
As helpful as these draft Regulations are, it is important to note that they also add some obligations on businesses, beyond the current CCPA requirements, including the following:
- Any time a business wants to use a consumer’s personal information for any purpose other than those disclosed in the collection notice, the business would have to “directly” notify the consumer of this new use and “obtain explicit consent” from the consumer for the new use (999.305(a)(3)). So far, the regulations do not distinguish between material and non-material changes.
- To avoid including a “Do Not Sell” notice, a business would have to affirmatively state that “[i]t does not, and will not” sell personal information (999.306(d)(2)). Furthermore, a consumer whose personal information is collected while an opt-out notice is not posted shall be deemed to have validly submitted a request to opt out. If this provision survives, it can be read as retroactively importing an opt-in requirement regarding sale into every legacy collection.
- While the current text of the CCPA states that a business “may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information,” (Cal. Civ. Code 1798.125(b)(1)), the draft Regulations would require that the mandatory financial incentive notice include a “good-faith estimate” of the value of the consumer’s data and a description of the method the business used to calculate that value (999.307(b)(5)). Interestingly, this may generate a new publicly available data set around the real financial value of personal data.
- A business would need to confirm receipt of any requests to know or delete within 10 days of receipt of the request, and the business would have to provide information about how it will process the request (999.313). Unverified requests to delete would need to be treated as requests to opt out of sales (999.313(d)(1)).
- Any business that, alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 4,000,000 or more consumers must compile specific metrics for each calendar year. As indicated above, the regulations clarify that the maintenance of that information alone would not violate the CCPA or the regulations as long as it is not used for any other purpose (999.317(g)).
These additional obligations take the CCPA beyond GDPR in several instances, reinforcing that those relying on their GDPR program documentation and processes to carry them through the CCPA will need to revisit that approach. Swiftly too, given the potential operational impacts of implementation against the impending deadline.
The regulations are subject to a notice-and-comment period and are likely to be developed further. The deadline to submit written comments is December 16, 2019.