Proposed CCPA Regulations: What Changed?
On October 10, the California Attorney General released proposed regulations for the California Consumer Privacy Act (CCPA). While the proposed regulations do not address all areas of concern or ambiguity that privacy lawyers might have, such as how the various exemptions to the law will operate, they go into great detail on consumer rights requests, child consent, and the process for opting out of the sale of personal information. To a lesser extent, the regulations address data brokers and the technical requirements of privacy notices. While a full description of each of these topics is outside the scope of this post, we will examine the notable additions the proposed regulations make to each area beyond the statute itself.
Notices to Consumers
a. Disabilities. The proposed regulations specify that privacy notices must be accessible to consumers with disabilities, at a minimum providing information on how a consumer with a disability might access the notice. §999.305(a)(2)(d). The proposed regulations do not specify which disabilities require this accommodation, but the use of text-to-speech options seems like a good first step.
b. Data Brokers. While the CCPA requires data brokers to register with the state, it had not defined their responsibilities under the CCPA. §999.305(d) of the proposed regulations states that a business that does not collect personal information directly from consumers but still sells that information (data brokers included) must either contact the consumer directly with notice of their opt-out right (impossible for data brokers), or:
“Confirm that the source provided a notice at collection to the consumer. . . and [o]btain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice.”
In this way, the CCPA would require the data industry to ensure that at some point the person whose data is being sold has consented to that sale. The proposed regulations also state that
“A business shall notify all third parties to whom it has sold the personal information of the consumer within 90 days prior to the business’s receipt of the consumer’s request that the consumer has exercised their right to opt-out and instruct them not to further sell the information. The business shall notify the consumer when this has been completed.” §999.315(f).
In other words, anyone who sells personal information would have to verify that the consumer had consented to that sale, but the seller would also have to stop selling AND notify all others to whom they had sold the data if the consumer opts out. This puts data brokers in a difficult spot.
Notice of the Opt-Out Right
The proposed regulations reaffirm the CCPA’s “do not sell my personal information” button, but give the option of adding an additional button, the text of which will be determined in a “modified version of the regulations” that “may be used in addition to posting the notice of the right to opt-out, but not in lieu of any posting of the notice”. §999.307(e)(1). Therefore, it remains unclear just what else an opt-out button might say.
However, the proposed regulations add the requirement that a website collecting personal information have a “webform” by which the consumer can submit their request to opt-out online. §999.307(c)(2). No more detail about the webform is given other than it must be an “interactive webform accessible via a clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info,’ on the business’s website or mobile application.” §999.315(a).
In another wrinkle, the proposed regulations state that if a business collects personal information without a proper opt-out notice posted, it must act as if every consumer has submitted an opt-out request, i.e., it cannot sell that personal information. §999.306(d)(2).
Finally, the Attorney General gave a hint as to what it considers a “sale” of personal information. Privacy lawyers have wondered whether third-party advertising cookies might be considered a “sale” under the CCPA. §999.315 of the proposed regulations states that if a business collects personal information from consumers online, it must respond to “do not track” requests and other user privacy controls. By putting a section on “do not track” in the part of the regulations dealing with the opt-out of sale of personal information, the Attorney General is strongly implying that the use of tracking cookies is considered a sale of personal information under the CCPA. Therefore, if a business website uses Facebook or Google pixels, it must have a “Do Not Sell My Info” button or some variation thereof.
Consumer Rights Requests
The proposed regulations focus heavily on the exercise of consumer rights. The proposed regulations outline a two-step process for requests to delete personal information: the request submission itself is the first step, and the second step is confirmation of that request. §999.312. Whether an “are you sure?” pop-up after step one is sufficient remains to be seen.
A business has ten days to respond to a consumer request for deletion of, or knowledge of, the personal information that the business collects. §999.313. If the request is deficient in some manner, the business has to either treat the request as sufficient or help the consumer correct the request. If the business still cannot verify the identity of the consumer, then the business must tell the consumer why and treat the deficient deletion request as an opt-out of sale. §999.313(d). It is unclear how a business could identify a consumer for opt-out when it cannot verify the consumer’s identity.
Though a business must delete personal information stored on archives or backups, it can delay that deletion until the next time those backups are accessed. The business must also keep a record of consumer requests and its responses for 24 months, and if the business buys or sells more than 4 million people’s personal information annually it must publish statistics about those requests. §999.317(g).
Verification of Consumer Requests
In verifying a consumer’s request, businesses must set up and document a process to verify consumer identities. The proposed regulations recommend matching at least two pieces of information the consumer confirms with information the business has, but caution against collecting additional information for verification. Businesses can use third-party verification systems for this purpose but must avoid collecting information like social security number, driver’s license number, and other sensitive information unless absolutely necessary. §999.323. The regulations go into depth on several scenarios; the essence of the guidance is to match data first, collect additional data when necessary, implement security measures over the whole process, and tell consumers why the business is doing what it’s doing.
Children’s Data
The proposed regulations for children’s personal information piggyback on the requirements of the Children’s Online Privacy Protection Act (COPPA). The CCPA calls for opt-in consent before a business can sell the personal information of a child it has actual knowledge is under 16, with stricter requirements for children it knows are under 13.
The proposed regulations require a parent or guardian to opt in on behalf of the child before the business can sell the personal information of a child under 13. The business must verify the identity of the parent or guardian using several methods already outlined by COPPA, but the proposed regulations add several more methods, such as speaking with a parent on the phone or checking the parent’s ID against a database. §999.330(2). In other words, if a business wants to sell kids’ personal information, it must get verifiable parental consent under COPPA and verify the parent’s identity.
Note that the proposed regulations do not mention ‘email plus’ consent under COPPA, so emailing a parent is not a valid verification or opt-in method under the proposed regulations.
The opt-in process for children over 13 must feature a two-step process (§999.316) and all requests for child opt-in must inform the requestor of their ability to opt out at a later date. §999.331.
Conclusion
The proposed regulations will undoubtedly change after public comment. However, their guidance on consumer notices, rights requests, identity verification, and children’s data will add much-needed color to many ongoing CCPA compliance efforts.
*********
Do you have questions on how the proposed regulations will affect your CCPA compliance? Contact SK&S privacy attorney Thomas Codevilla at Codevilla@skandslegal.com or 720-608-4799. Thomas has extensive experience in CCPA compliance.