Proposed Regulations to the California Consumer Protection ActPublications - Client Alert | November 22, 2019
The Attorney General for the State of California has released the proposed text of regulations for the California Consumer Protection Act (“CCPA”). Additionally, the Attorney General has released a Notice of Proposed Rulemaking Action and an Initial Statement of Reasons. Collectively, these documents lend significant clarity concerning the future data protection landscape as the implementation date for CCPA rapidly approaches. The aspects of the proposed regulations discussed below are likely to be of particular importance to businesses seeking to comply with CCPA.
The proposed regulations define important terms that were left undefined in the original text of the CCPA, such as “household.” The proposed regulations also provide for additional disclosures at the point of collection and notification to consumers of their rights to opt out of the business's sale of personal information. Each notice would be required to use straightforward language, identify the categories of personal information collected, and include certain information concerning the business’s disclosures and sales of personal information to third parties.
Under CCPA, businesses must offer at least one method for submitting requests that reflects the way the business primarily interacts with consumers. The proposed regulations provide some much-needed guidance for those obligations. For example, “if a business is an online retailer, at least one method by which the consumer may submit requests should be through the business’s retail website.” Once a request to delete or to identify the personal information held by the company is made by an individual, businesses have 10 days to confirm receipt of the request and provide information about how the business will process the request and 45 days to furnish a response. The proposed regulations categorically prohibit businesses from disclosing highly sensitive personal information in those responses, such as “Social Security number, driver’s license number, […] financial account number, any health insurance or medical identification number, any account passwords, or security questions and answers.”
The proposed regulations also address one of the most important challenges for businesses implementing CCPA compliance measures: verification of a consumer’s request to access or delete information. While the proposed text of regulations and the CCPA do not stipulate a prescribed methodology for verifying consumer identity, businesses must design verification procedures which respect the type, value and sensitivity of personal information that may be disclosed. Additionally, when designing verification procedures businesses should consider the likelihood of fraudulent, malicious, spoofed or fabricated requests and the personal information available for disclosure. Generally, the proposed regulations suggest that businesses should match information provided by a consumer against personal information already maintained by the business when verifying a consumer’s identity, but a third party may be used.
CCPA provides consumers with the right to opt out of a business’s sale of personal information. The proposed regulations would require businesses with an online presence to maintain two or more methods for submitting requests, including an interactive web form “accessible via a clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info’ on the business’s website or mobile application.” The proposed regulations place timing parameters around a business’s obligation to respond to an opt-out request. Businesses would be required to appropriately respond to a request to opt out within 15 days and notify all third parties to “whom it has sold the personal information of the consumer within 90 days prior to the business’s receipt of the consumer’s request […] instruct them not to further sell the information [and] shall notify the consumer when this has been completed.” Unlike a request to access or delete personal information, businesses need not verify a request to opt out of the sale of personal information.
CCPA will continue to evolve up to and beyond its effective date of January 1, 2020. These proposed regulations are one piece of that puzzle; however, they must be read concurrently with the most recent amendments to the CCPA in order to present an accurate snapshot of CCPA’s current form.
The Notice of Proposed Rulemaking Action invites written comments concerning the proposed regulations until 5:00 p.m. on December 6, 2019. Companies that may be affected by the proposed regulations should strongly consider submitting comments. Kutak Rock’s Privacy and Data Security Group stands ready to assist new and current clients preparing to submit comments or establish CCPA-compliant operations.