Introduction

On October 10, 2019 the California Attorney General released a document of Proposed Regulations for the California Consumer Privacy Act. The proposed regulations were written to clarify the operational steps businesses must take when implementing the CCPA. They also help businesses set up the business processes needed to ensure that every individual right is properly provided to customers.

The proposed regulations focus on the following topics:

  1. Notices to Consumers
  2. Privacy Policies
  3. Handling Consumer Requests
  4. Verification Requirements
  5. Handling the Personal Information of Minors
  6. Offering Financial Incentives

Notices to Consumers

The California AG specified new requirements regarding the notices that businesses must provide to customers. There are four types of notices that businesses must provide to their customers:

  1. Notices at the time of collection of personal information
    1. These notices must include the categories of data being collected and the business purpose for collection.
    2. They must also include your business’s “Do Not Sell My Personal Data” link and a link to your business’s online privacy policy.
  2. Notices discussing the business’s privacy policy
  3. Notices discussing an individual’s rights to opt-out of the sale of their personal information
    1. These requests do not need to be verifiable, unlike access and deletion requests.
    2. Your business must treat browser plug-ins and other privacy settings as valid opt-out requests.
  4. Notices discussing financial incentives
    1. These notices must provide individuals with the value of their data to your business and how your business came up with that valuation.

When writing a notice, your business must ensure that it is:

  • Written in plain, unambiguous, and easy to understand language.
  • Designed to engage and draw the attention of your customers so that they see the notice.
  • Accessible to individuals with disabilities.
    • Make sure the colors are easy to view.
    • You can also provide an audio option on the notice.
  • Provided in all languages in which your organization does business.

Privacy Policies

The CCPA requires businesses to post a comprehensive online privacy policy on their website that is easily navigable. Previously, a privacy policy that explained your business’s data collection served as the notification; with the newly proposed regulations, you must now provide an additional notice at each point of data collection [2]. Your business may only use the collected data for the business purpose specified in that notice; you can no longer use it for any other purpose.

The new proposed regulations also provide additional requirements about information you must include in your company’s privacy policy. For one, your privacy policy must now explicitly state that an individual will not be treated differently if they exercise their individual rights. There are also new requirements where businesses must provide information about the sources of information, categories of personal information collected, and what your business plans to do with the information collected.

Consumer Requests

In the new proposed regulations, the AG requires businesses to provide two different ways for customers to submit a request. Businesses must provide a toll-free number unless they are online-only businesses that work directly with consumers; in that case, the toll-free number is not required. Other methods include email, an online form, in person, or by mail. Typically, most businesses choose an electronic method and a phone number as their two methods. If your business commonly works with customers offline, then you must provide an offline method for your customers.

Businesses must now confirm receipt of customer requests within 10 days, and the previously stated 45-day time limit to respond to requests includes the time it takes your business to verify a request. An additional requirement states that businesses must respond to opt-out requests within 15 days, and all third parties to which your business has sold personal information within the last 90 days must be notified of the consumer’s opt-out request. All employees who handle requests must undergo training before handling them.

There are also new regulations for businesses that collect information from 4,000,000 or more individuals. These businesses must now track the number of access, deletion, and opt-out requests they receive and the median time it takes them to respond to these requests. Additionally, these businesses must disclose this information in their online privacy policy.

Verification Requirements

With the release of the proposed regulations there is more detail surrounding the level of verification your business must achieve, depending on the sensitivity of the information being requested. Ultimately, businesses should not release any sensitive information to anyone without a high level of confidence that the individual requesting the information is who they say they are. Businesses cannot at any time release an individual’s Social Security Number, driver’s license number, any government-issued ID, financial account number, any health insurance or medical identification information, account passwords, or security questions [2].

There are different ways that a business can verify a customer’s identity, and your business should select the most effective one for you. Businesses should only use information already in their possession at the time of the request to confirm an individual’s identity. One way to do this is to ask the individual to re-authenticate to a password-protected account. Additionally, if your business can match three different data points to the customer, then your business can proceed with a high level of certainty and release sensitive information to that customer if need be [1].

What if you cannot verify a customer? If a customer requests deletion of their personal information but you cannot verify their identity, then you can treat the request as a request to opt out of the sale of personal information. If you receive a request for access and cannot verify the identity of the customer making the request, then you should only share the categories of personal information that are being collected about that individual. If a customer requests the categories of their personal information being collected and you cannot verify their identity, then you can respond by sharing your general business practices regarding the collection, maintenance, and sale of personal information as set forth in your privacy policy [2].

Right to Opt-Out of Selling Personal Information

As mentioned in the “Notices to Consumers” section above, businesses must provide consumers with a notice of their right to opt out of the sale of their personal information. If an individual opts out of the sale of their personal information, then businesses must stop selling that information, now and in the future.

The right to opt-out notice should appear after an individual clicks on the “Do Not Sell My Personal Data” link and must be formatted as a proper notice (the requirements are described under the “Notices to Consumers” section above).

Below is information that your business must include in the right to opt-out of the sale of personal information notice:

  1. A description of an individual’s right to opt-out [2].
  2. The online request to opt-out form, or, if your business does not have a website, information about the offline request form [2].
  3. Directions regarding other methods of submitting requests [2].
  4. Information about the proof required when an individual uses authorized agents (someone who acts on behalf of the individual) to exercise their right to opt-out [2].
  5. A link to your business’s privacy policy.

Handling the Personal Information of Minors

The newly proposed regulations provide specific methods for verifying that the person giving an opt-in to the sale of the personal information of a child greater than 13 years is the child’s actual parent or guardian. They also provide methods for protecting minors’ personal information if they are under 16 years of age.

Offering Financial Incentives

The newly proposed regulations detail a list of methodologies that a business must use to calculate the value of its customers’ data. This section is confusing; however, if your business offers a loyalty program, or has both a subscription service and a free service, then it is important for your business to understand these new rules regarding financial incentives [1].

Training for Employees

In the newly proposed regulations, there are new requirements about documentation and training that apply to all employees who handle customer requests and to employees who are in charge of your business’s compliance with the CCPA [2]. Training must inform all of these employees about the newly proposed regulations and the CCPA.

Employees must keep a record of the customer requests that your business receives, and the records must be maintained in a log or ticket format. Information maintained in these records cannot be used for any other business purpose.

Next Steps

While the CCPA goes into effect January 1, 2020, these newly proposed regulations will not go into effect until the spring of 2020, after debate, discussion, and correction. However, your business should start planning now for how you will implement these new regulations in your existing business functions.

Do you need help implementing the CCPA in your business? Schedule a FREE consultation now.

Sources

[1] https://www.alston.com/en/insights/publications/2019/10/the-draft-ccpa-regulations

[2] https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf