Alert October 11, 2019

California AG Publishes Proposed CCPA Regulations

Summary

On October 10, 2019 the California Attorney General (“AG”) issued long-awaited proposed regulations (the “Regulations”) implementing the California Consumer Privacy Act (“CCPA”). The Regulations attempt to clarify, and in some cases significantly expand, obligations on companies subject to the CCPA. Stakeholders can provide comment during public hearings (schedule available here) and have until December 6, 2019 to submit written comments to privacyregulations@doj.ca.gov. The AG has not indicated when final regulations will be promulgated. The Regulations were accompanied by a Notice of Proposed Rulemaking and an Initial Statement of Reasons. Key features of the Regulations include:

Privacy Policies

The Regulations call for CCPA privacy policies to link each category of information collected to the categories of sources from which the information was collected; the business or commercial purpose for the collection; and the categories of Third Parties with whom the information is shared. If the Regulations are enacted as proposed, it will be difficult for companies to prepare CCPA-compliant privacy policies without first conducting comprehensive mapping of data assets and flows. Additional disclosure requirements for Businesses include:

  • describing the methods employed to verify the identity of the Consumer exercising his or her rights;
  • explaining that Consumers can designate agents to make rights requests on their behalf; and;
  • for Businesses that buy, sell, receive, or share personal information relating to 4,000,000 or more California residents, describing the number of rights requests received, complied with, and denied, as well as the median number of days to substantively respond to rights requests.

Rights Requests

The Regulations instruct Businesses to refrain from providing (a) specific pieces of information that would create “a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the Business, or the security of the Business’s systems or networks;” or (b) sensitive information such as social security numbers; driver’s license numbers; financial account numbers; health insurance or medical ID numbers; or account passwords or security authentication questions and answers.

A Business could comply with a deletion request by de-identifying or aggregating the applicable information and that if a Business were to deny a deletion based on an exception, all future use of the data would be limited by the exception. (For example, if a deletion request were to be denied on grounds that the information is required to comply with a legal obligation, the information could only be used as needed for that purpose.)

Service Providers and Third Parties

The Regulations clarify that a Service Provider’s subcontractor (i.e., a “sub-processor” under the GDPR), would also be a Service Provider subject to applicable restrictions under the CCPA on data use. Subcontractors therefore will want to review their commercial agreements for CCPA impacts, including restrictions on their use of Personal Information received under these agreements.

Importantly, the Regulations would also prohibit Service Providers from using data obtained from one customer to offer services to another, unless data received from different Businesses is combined “to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.” In other words, Service Providers that pool customer data for any reasons other than for security/fraud detection, including to improve their services, will be considered Businesses if this prohibition, as drafted, is included in the final regulations. This prohibition could impact the processing activities of a growing number of companies that offer high demand intelligence or insight services (beyond security/fraud detection) using data from multiple customers.

Opt Out of Sale

The Regulations would require Businesses to treat “user-enabled privacy controls, such as a browser plugins, privacy settings or other mechanisms that signal a Consumer’s choice to opt-out of a Sale of their Personal Information as a valid opt out request for that browser or device, or, if known, for the Consumer.” The practical impact appears to force businesses to treat Do Not Track signals and cookie blockers as valid CCPA opt outs.

All opt out requests would be retroactive for the preceding 90 days. Businesses would have to instruct Third Party recipients of personal information relating to Consumers that submitted opt outs to refrain from selling such personal information and inform the Consumer resident when it has done so.

The Regulations clarify that Businesses can offer granular opt out options (i.e., allowing Consumers to opt out of some but not all Sales), as long as a global opt out option is prominently displayed.

An opt out request need not be verified, and a Business could only deny an opt out request if the Business has a good faith belief that the request is fraudulent.

The Regulations would require Third Parties, before selling Personal Information, to (a) contact the consumer directly to offer notice and an opt out; or (b) “obtain signed attestations from the source [of the personal information] describing how the source gave notice at collection and including an example of the notice.”

Verification

Businesses would be required to establish that the Consumer exercising his or her rights is the person whose information is the subject of the rights request. Verification methods would have to be aligned with the sensitivity of the information at issue. Businesses would be permitted to verify the identity of account holders through their accounts. Businesses that suspect fraudulent activity would be permitted to implement additional verification measures.

For rights requests involving non-account holders, Businesses would be required to verify identity based on the specific request with escalating requirements to promote certainty:

  • Requests to know categories of information maintained by the Business would have to be verified with a “reasonable degree of certainty” (i.e., by matching at least two data points provided by the Consumer with those maintained by the business);
  • Requests to know specific pieces of information would have to be verified with a “reasonably high degree of certainty” (i.e., by matching at least three data points provided by the Consumer with those maintained by the Business and by obtaining a signed declaration of identity);
  • Deletion requests would require verification with a reasonable or reasonably high degree of certainty, depending on sensitivity of the information at issue.

Non Discrimination

The regulations purport to offer examples of activities that would violate the non discrimination terms of the CCPA. However, the examples appear to reflect service tiers that would permit the exercise of CCPA rights instead of offering examples of activities that punish Consumers for exercising their CCPA rights.

The Regulations clarify that Businesses can calculate the value of the personal data (for purposes of determining non-discrimination violations) through different metrics, including by determining the revenue generated by or expenses related to the Sale, collection, or retention of data, or the average value to the Business of the Sale, collection, or deletion of a typical Consumer’s data.

Conclusion

Companies that are subject to the CCPA will want to consider submitting comments or otherwise participating in the public meetings and/or submitting comments through their trade associations or through smaller coalitions formed specifically to address CCPA rulemaking process.

We will continue to monitor developments and keep you updated of key developments.

Goodwin’s Chambers and Legal 500 ranked Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration and Legal 500 Recommended Lawyer; a Legal 500 “Leading Lawyer;” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as three other; Legal 500 Cyber Law ranked partners; several former federal prosecutors; and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.