In Taft’s Privacy and Data Security Insight, we have been writing regularly on the California Consumer Privacy Act and what to expect as it goes into effect in January. As with many new privacy laws, panic begins to set in about how to actually address the new approach to consumer privacy (remember the great GDPR panic of May 25, 2018?). In our last blog, we told you about the final amendments to the CCPA and how the language of the law will finally read. The next step in the implementation of the United States’ most comprehensive state privacy law is the issuance of the Attorney General’s Proposed Regulations, a Notice of Proposed Rulemaking Action, and an Initial Statement of Reasons. These draft documents attempt to answer the question burning in the minds of lawyers and businesses around the country: HOW am I supposed to actually do this? With these draft documents finally out (public comments are being accepted until December), we have what we understand to be the AG’s guidance to businesses on how to comply with the provisions of the CCPA, including, but not limited to:

  1. How to properly notify consumers;
  2. How to handle consumer requests;
  3. How to verify the identity of consumers;
  4. Collecting personal information of minors; and
  5. How the value of consumer data is calculated.

The California Consumer Privacy Act (“CCPA”) will go into effect on January 1, 2020.

I. Notice to Consumers.

The Proposed Regulations require several distinct notices to consumers. Each notice must be clear, easy to read, understandable to the average consumer, and written in plain language. Additionally, each notice must be designed in a way that draws the consumer’s attention to it.

  • Collection § 999.305. If a business collects information directly from a consumer online, the notice requirement can be met by providing a link to the business’s privacy policy. By contrast, a business that does not collect information directly from the consumer must either contact the consumer directly to provide notice or contact the source of the information and confirm that notice was provided to the consumer at the time of collection.
  • Sale of Information § 999.306. A business that sells consumers’ personal information must post a notice of the right to opt out on its website. A consumer must be able to reach this notice by clicking a link titled either “Do Not Sell My Personal Information” or “Do Not Sell My Info.” The notice must also include an online and an offline method for a consumer to submit an opt-out request, instructions for any other available methods, the proof required when a consumer acts through an authorized agent, and a link to the business’s privacy policy.
  • Financial Incentive § 999.307. The notice of financial incentive explains to consumers what financial incentive, or price or service difference, a business may offer in exchange for the sale of their personal information. This allows consumers to make an informed decision about whether to participate. The notice must include a summary of the incentive or price or service difference offered; a description of the material terms, including the categories of personal information involved; how a consumer can opt out; and an explanation of why the incentive or price or service difference is permitted under the CCPA.
  • Privacy Policy § 999.308. A privacy policy must inform consumers of their right to know what personal information is being collected and sold, their right to have their information deleted, their right to opt out of the sale of their information, and their right not to be subject to discriminatory treatment; it must also explain how a consumer can designate an authorized agent and state the date the privacy policy was last updated. In addition, if you collect personal information on more than 4,000,000 consumers, you have a further requirement to publish request-handling metrics, either in your privacy policy or in a separate document on your website dedicated to those metrics. See § 999.317.

II. Consumer Requests.

  • Methods to Submit Requests § 999.312. A business must make two or more methods available for submitting requests to delete personal information. Acceptable methods include a toll-free number, a link on the business’s website, an email address, a paper form submitted in person, or a form submitted by mail. If the business does not interact directly with its consumers, at least one method must be available online. If a deletion request is made online, the business must use a two-step process: the consumer first submits the request to delete and then separately confirms that they want their personal information deleted.
  • Responding to Requests § 999.313. A business must confirm receipt of a request within 10 days and, in that confirmation, explain how the request will be processed. The business must then respond to the request within 45 days; this period may be extended to 90 days if the business notifies the consumer and explains the reason for the additional time.

III. Verification of Consumers.

  • Password Protected Account § 999.324. A business must establish a verification method that takes into account the sensitivity of the personal information at issue and the risk of harm to the consumer if it were accessed by an unauthorized party. If a consumer has a password-protected account with the business, the business may use that existing account to verify the consumer’s identity, provided it maintains security measures to detect fraudulent or malicious activity.
  • Non-Account Holders § 999.325. If the consumer does not have a password-protected account with the business, the verification standard depends on the type of request. For a request to know the categories of personal information collected, the business must verify the consumer’s identity to a reasonable degree of certainty, which the regulations tie to matching two data points provided by the consumer against information the business maintains. For a request to know specific pieces of personal information, the business must match three data points instead of two. Lastly, the verification standard for a request to delete varies with the sensitivity of the information and the risk of harm that unauthorized deletion would cause.
  • Households § 999.318. When all consumers of a household jointly request information about the household, and the business can verify each individual consumer, the business must comply with the request to know or delete that information. Additionally, if a consumer who does not have a password-protected account requests information pertaining to a household, the business may provide aggregate information about the household, provided the consumer’s identity is verified.
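The non-account-holder thresholds above map naturally onto a small verification routine. The following is an added example written for this post; it is not Taft’s code and not something the Proposed Regulations prescribe. It assumes a hypothetical set of verifiable fields (email, phone, postal code, date of birth), assumed normalization rules for each, and an assumed mapping from sensitivity to a data-point count for deletion requests (the regulations say the deletion standard varies with sensitivity but give no number). It goes slightly beyond the text by comparing every supplied field rather than stopping at the first failure, so that response timing does not reveal which data point was wrong.

```python
"""Hypothetical CCPA request-verification check (illustration only).

Thresholds taken from the Proposed Regulations as summarised above:
  - request for categories of personal information : 2 matching data points
  - request for specific pieces of personal info    : 3 matching data points
  - request to delete : count chosen by the business from sensitivity (ASSUMED here)
Field names, normalisation rules and the sensitivity mapping are assumptions,
not something the regulations specify.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Fields the (hypothetical) business is willing to treat as verification data points.
VERIFIABLE_FIELDS = ("email", "phone", "postal_code", "date_of_birth")

REQUIRED_MATCHES = {"categories": 2, "specific": 3}          # from the regulations
DELETE_MATCHES_BY_SENSITIVITY = {"low": 2, "high": 3}        # ASSUMPTION, business choice


def normalize(field: str, value: str) -> str:
    """Canonicalise a data point so trivial formatting differences do not cause a miss."""
    v = value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", v)[-10:]          # keep the last 10 digits (national number)
    if field == "postal_code":
        return re.sub(r"[^0-9a-z]", "", v)         # drop spaces/hyphens
    if field == "date_of_birth":
        return re.sub(r"[^0-9]", "", v)            # YYYY-MM-DD / YYYYMMDD both become digits
    return re.sub(r"\s+", " ", v)                  # e.g. email: case-fold and collapse spaces


def constant_time_eq(a: str, b: str) -> bool:
    """Compare without short-circuiting on the first differing byte."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass(frozen=True)
class VerificationResult:
    verified: bool
    matched: Tuple[str, ...]   # which fields matched (for the audit record)
    required: int


def verify_request(request_type: str, provided: Dict[str, str],
                   stored: Dict[str, str], sensitivity: str = "low") -> VerificationResult:
    """Decide whether a non-account-holder request clears the data-point threshold.

    request_type: "categories", "specific" or "delete".
    provided: data points supplied by the requester.
    stored:   what the business actually holds for the consumer it thinks is asking.
    """
    if request_type == "delete":
        required = DELETE_MATCHES_BY_SENSITIVITY[sensitivity]
    else:
        required = REQUIRED_MATCHES[request_type]     # KeyError on an unknown request type

    matched = []
    for field in VERIFIABLE_FIELDS:                   # ignore fields we never count
        supplied = provided.get(field, "")
        held = stored.get(field, "")
        if not supplied or not held:
            continue                                  # a missing value can never be a match
        # Evaluate every field; do not return early so timing does not leak which one failed.
        if constant_time_eq(normalize(field, supplied), normalize(field, held)):
            matched.append(field)

    return VerificationResult(len(matched) >= required, tuple(matched), required)


# Constructed sample record and requests (not real data).
STORED_RECORD = {
    "email": "Jane.Doe@example.com",
    "phone": "415-555-0100",
    "postal_code": "94103",
    "date_of_birth": "1985-07-04",
}


def demo() -> Dict[str, VerificationResult]:
    two_points = {"email": "jane.doe@example.com ", "phone": "+1 (415) 555-0100"}
    three_points = dict(two_points, postal_code="941 03")
    return {
        "categories_two": verify_request("categories", two_points, STORED_RECORD),
        "specific_two":   verify_request("specific", two_points, STORED_RECORD),
        "specific_three": verify_request("specific", three_points, STORED_RECORD),
        "delete_high":    verify_request("delete", two_points, STORED_RECORD, sensitivity="high"),
        "wrong_phone":    verify_request("categories",
                                         {"email": "jane.doe@example.com", "phone": "415-555-0199"},
                                         STORED_RECORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} verified={result.verified} matched={result.matched} required={result.required}")
```

The `matched` tuple is what you would write to the request log: the regulations expect businesses to document how verification was performed, and recording which data points matched (never the values themselves) supports that without retaining extra personal information.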

IV. Minors’ Personal Information § 999.330.

If a business collects personal information from children under the age of 13, it must use a reasonable method to determine that the person giving consent to the collection is the child’s parent or guardian. The regulations describe six possible methods:

  1. A consent form to be signed by a parent or guardian under penalty of perjury.
  2. In connection to a monetary transaction, have a parent or guardian use a credit card, debit card, or other online payment that provides notification of the transaction to the account holder.
  3. Have a parent or guardian call into a toll-free number.
  4. Have a parent or guardian meet with personnel from the business in person.
  5. Have a parent or guardian use video-conference to connect with personnel from the business.
  6. Verify the identity of the parent or guardian by checking a form of government-issued identification against a database of such information. The business must then promptly delete the identification information it collected once verification is complete.

V. Value of Consumer Data § 999.337.

A business that offers a financial incentive or a price or service difference must use, and document, a reasonable and good-faith method for calculating the value of the consumer’s data. The Proposed Regulations list several methods a business may use:

  1. The marginal value that the sale, collection, or deletion of the information gives to the business;
  2. The average value that the sale, collection, or deletion of the information gives to the business;
  3. Revenue or profit generated based on separate tiers, categories, or classes of consumers whose data has different values;
  4. Revenue generated from the sale, collection, or retention of the information;
  5. The business’s expenses for the sale, collection, or retention of the information;
  6. The business’s expenses for the offer, provision, or imposition for any financial incentives given;
  7. The business’s profit from the sale, collection, or retention of the information; and
  8. Any other good-faith methods that are practical and reasonable.

As we said above, there is more to come, as public comments may result in changes to the final regulations issued by the AG. There is a lot to digest, and likewise many ways to develop a plan that meets the law’s requirements while remaining manageable within the scope of your current operations. It is never too late to get started. Indeed, this is just the beginning, as we expect more states to adopt similar frameworks. We recommend speaking with counsel to find a way forward.