The CCPA goes into effect on January 1, 2020. At this point, all of the enacted amendments have been signed and there is no opportunity for additional legislative amendments to the statute before its effective date. However, businesses have long awaited California Attorney General Xavier Becerra's issuance of implementing regulations, as required by the statute. Late last week, those draft regulations arrived.
On October 10, 2019, AG Becerra issued proposed regulations, accompanied by an Initial Statement of Reasons, Economic and Fiscal Impact Statement, and fact sheet. The regulations, in general, address privacy policies, consumer notices, practices for handling consumer requests, ways to verify consumer requests, requirements regarding minors, and rules governing non-discrimination practices. The regulations also introduce new terminology for various CCPA obligations that will likely become part of the privacy vernacular in the United States. Some of the regulations offer practical advice about implementing CCPA compliance measures and specific language to be included in relevant privacy policies (the "good"). Some components add valuable protections for consumers, but propose significant new burdens on entities trying to comply with the CCPA in less than three months (the "bad"). And some appear to come out of left field (the "unexpected"). While this client alert is not intended to thoroughly analyze all twenty-four pages of the regulations, it identifies some of the most interesting aspects of the regulations, provides practical advice regarding how you might need to adjust your compliance efforts, and, if your organization is inclined to comment on the proposed regulations, sets forth information regarding how and when to provide comments.
It is important to note that these are draft regulations and, after public comment, the final regulations may contain significant changes. But it is also important to consider the draft regulations when implementing CCPA compliance measures because the proposed regulations are indicative of the AG’s current perspective regarding CCPA implementation. The AG, after all, will be responsible for CCPA enforcement beginning either July 1, 2020 or six months after the publication of final regulations, whichever is sooner. Given some of the surprising elements of the regulations, we expect significant stakeholder participation through the comment process (described below).
The “good”:
- The draft regulations resolve some of the internal inconsistencies present in the legislation (for example, incomplete and inconsistent textual definitions of “service provider” and confusion as to the 45- or 90-day extension period for responding to verified consumer requests).
- Proposed Section 999.308 provides guidance related to text that must be included in a business’ privacy policy, which will be a useful checklist for businesses (and a checklist for regulators confirming that a business’ privacy policy is CCPA compliant).
- The draft regulations include practical advice for verifying consumer requests, including that the number of data points that should be matched depends on the sensitivity of the request.
- The draft regulations prohibit the disclosure of certain sensitive types of information in response to consumer requests, such as Social Security numbers, security question answers and health insurance information, to help limit associated data breach exposure.
- The draft regulations explicitly recognize that service providers may instruct consumers to submit requests directly to the responsible business.
- The draft regulations acknowledge that consumers may want to opt in after opting out, and they provide an example framework to facilitate that possibility.
- The draft regulations provide instructions on compliance recordkeeping.
The “bad”:
- With perhaps too much of an emphasis on facilitating opt-outs, the draft regulations open the door to practices that are overly loose and inconsistent with modern preference management practices.
- They clarify that there is no requirement to verify the identity of the individual requesting an opt-out.
- They require businesses to respond to an opt-out using user-enabled privacy controls, such as browser plugins or privacy settings.
- They add tight timelines and a new process requirement for processing opt-outs (10 days to respond, 15 days to process requests, 90 days to notify third parties of the consumer’s request – and the business must notify the consumer when those notifications are completed).
- They add a requirement for a business to “specify the manner in which it has deleted personal information” in response to a consumer’s request to delete.
- They indicate that a business should treat an unverifiable request to delete as an opt-out request, without regard to whether the consumer seeking deletion of existing, historical data necessarily wants to exercise opt-out rights for the future.
- The draft regulations clarify that when businesses respond to “requests to know” and disclose the categories of personal information, sources, and/or third parties, the categories must be specific to the requestor and should not be a generic list unless the categories are the same for every consumer.
- The draft regulations specify that businesses using financial incentives (including loyalty programs) must make a number of disclosures in a “notice of financial incentives,” including a “good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference.” Then, they specify a somewhat arbitrary method of calculating that “value.”
- The draft regulations make it clear that the CCPA is intended to apply to both online and offline business practices. While the draft regulations do address notices for offline collection to some extent, it remains unclear to what extent various approaches to offline notices are practical and actionable, and what types of data collection will require offline notices in the first place.
The “unexpected”:
- The draft regulations allow a business to “delay” compliance with a request to delete if the personal data is stored on “archived or backup systems … until the archived or backup system is next accessed or used.” While it is not clear what the regulations mean by “next accessed or used” in the context of routine backup operations, this provision may impact businesses that retain historical backup data (for disaster recovery or archival purposes), including in situations where a business accesses or uses backups for retrieval of historical or deleted items, is rebuilding servers after ransomware attacks or other disruptive events, or is gathering records from backups for litigation purposes.
- The draft regulations impose new recordkeeping requirements applicable to all businesses (including as pertinent to training programs and consumer requests), and a new requirement for businesses that buy, receive, sell, or share the personal information of 4,000,000 or more California consumers (which must publish – in their privacy policies – metrics related to consumer requests and a business’ responses thereto).
Notably, the AG did not provide guidance regarding all of the CCPA provisions assigned to that office:
- The CCPA requires the AG to develop an opt-out logo or button, which is not yet included in the proposed regulations. The AG has indicated it will be added “in a modified version” of the regulations based on further public feedback on its design.
- The AG did not include any provisions addressing deference to existing confidentiality provisions under federal law, including intellectual property rights or employment laws, which may be appropriate given that the law specifically carves out data governed by the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
- The draft regulations do not further specify the categories of personal information or unique identifiers that are required to be listed in privacy policies, which would be particularly helpful with respect to employment-related information, as to which notices of collection are still expected following the latest amendments to the law.
At bottom, the draft regulations contain another long set of requirements with which businesses will need to comply, in addition to the requirements set forth in the CCPA itself, and they confirm that the CCPA will have a huge impact on California businesses and consumers. To that effect, the accompanying Notice of Proposed Rulemaking includes some incredible statistics: 15,000-400,000 businesses will be affected at a cost of $467 million to $16.4 billion over 10 years, with the highest costs in the first 12 months. The Economic and Fiscal Impact Statement also claims that the total statewide benefit of the CCPA is $12 billion, which it bases on the value of total digital advertising revenue for search, banner and video, adjusted to cover only the number of California consumers.
It is important to note that these regulations are still in draft form. A comment period on the proposed regulations has already begun, and the AG has called for submissions on a number of topics, including differing compliance or reporting requirements that take into account the resources available to businesses. Public comments may be submitted on or before 5 p.m. Pacific Time on December 6. They may be submitted by email or by mail to:
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
The AG will also hold four public hearings across California on December 2-5, 2020. Further details are available at oag.ca.gov.
While the draft regulations may change somewhat through the comment process, businesses should be prepared to comply with the regulations as drafted. It will be months before the final regulations will be issued – perhaps even after the CCPA’s effective date. Please do not hesitate to reach out to any of the authors here or your firm contact with questions regarding these draft regulations, how to submit comments or get involved in the rulemaking process, or how the CCPA affects you and your business. With less than three months until the CCPA’s effective date, the time to act is now.
Client Alert 2019-248