On October 10, 2019, the California Attorney General released a document of Proposed Regulations for the California Consumer Privacy Act. The proposed regulations were written to clarify the operational steps businesses must take when implementing the CCPA. They also help businesses build the business processes needed to ensure that every individual right is properly provided to customers.
The proposed regulations focus on the following topics:
- Notices to Consumers
- Privacy Policies
- Handling Consumer Requests
- Verification Requirements
- Handling the Personal Information of Minors
- Offering Financial Incentives
Notices to Consumers
The California AG specified new requirements regarding the notices that businesses must provide to customers. There are four different types of notices that businesses must provide to their customers, which are:
- Notices at the time of collection of personal information
  - These notices must include the categories of data being collected and the business purpose for collection.
- Notices discussing an individual's right to opt out of the sale of their personal information
  - Opt-out requests do not need to be verifiable, unlike access and deletion requests.
  - Your business must treat browser plug-ins and other privacy settings as valid opt-out requests.
- Notices discussing financial incentives
  - These notices must tell individuals the value of their data to your business and how your business arrived at that valuation.
When writing a notice, your business must ensure that it is:
- Written in plain, unambiguous, and easy-to-understand language.
- Designed to engage and draw the attention of your customers so that they actually see the notice.
- Designed in a way that is accessible to individuals with disabilities.
  - Make sure the colors are easy to view.
  - You can also provide an audio option on the notice.
- Provided in all languages in which your organization does business.
In the new proposed regulations, the AG requires businesses to provide two different ways for customers to submit a request. Businesses must provide a toll-free number unless they are an online-only business that works directly with consumers; in that case, the toll-free number is not required. Other methods include email, an online form, in person, or by mail. Typically, most businesses choose an electronic method and a phone number as their two methods. If your business commonly works with customers offline, then you must also provide an offline method for those customers.
Businesses must now confirm receipt of a customer request within 10 days, and the previously stated 45-day time limit to respond to requests includes the time it takes your business to verify the request. An additional requirement states that businesses must act on opt-out requests within 15 days, and all third parties to which your business has sold personal information within the last 90 days must be notified of the consumer's opt-out request. All employees who handle requests must undergo training before doing so.
With the release of the proposed regulations there is more detail about the level of verification your business must achieve, depending on the sensitivity of the information being requested. Ultimately, a business should not release any sensitive information without a high level of confidence that the individual requesting it is who they say they are. Businesses cannot at any time release an individual's Social Security Number, driver's license number, any government-issued ID number, financial account number, any health insurance or medical identification information, account passwords, or security questions.
There are several ways a business can verify a customer's identity, and your business should select the most effective one for you. Businesses should only use information already in their possession at the time of the request to confirm an individual's identity. One way to do this is to ask the individual to re-authenticate on a password-protected account. Additionally, if your business can match three different data points to the customer, then your business can proceed with a high level of certainty and release sensitive information to that customer if need be.
Right to Opt-Out of Selling Personal Information
As mentioned in the "Notices to Consumers" section above, businesses must provide consumers with a notice of their right to opt out of the sale of their personal information. If an individual opts out of the sale of their personal information, then the business must stop selling that information now and in the future.
The right-to-opt-out notice should appear after an individual clicks the "Do Not Sell My Personal Data" link and must be formatted as a proper notice (the requirements are listed under the "Notices to Consumers" section above).
Below is the information that your business must include in the right-to-opt-out notice:
- A description of an individual's right to opt out.
- The online version of the request-to-opt-out form or, if your business does not have a website, information about the offline request form.
- Directions for other methods of submitting requests.
- Information about the proof required when an individual uses an authorized agent (someone who acts on behalf of the individual) to exercise their right to opt out.
Handling the Personal Information of Minors
The newly proposed regulations provide specific methods for verifying that the person opting in to the sale of a child's personal information (for a child greater than 13 years of age) is actually the child's parent or guardian. They also provide methods for protecting minors' personal information if the minor is under 16 years of age.
Offering Financial Incentives
The newly proposed regulations detail a list of methodologies that a business must use to calculate the value of its customers' data. This section is confusing; however, if your business offers a loyalty program, or has both a subscription service and a free service, then it is important for your business to understand these new rules regarding financial incentives.
Training for Employees
In the newly proposed regulations, there are new requirements about documentation and training that apply to all employees who handle customer requests and to employees who are in charge of your business's compliance with the CCPA. Training must inform all of these employees about the newly proposed regulations and the CCPA.
Employees must keep a record of the customer requests that your business receives, and the records must be maintained in a log or ticket format. Information maintained in these records cannot be used for any other business purpose.
While the CCPA goes into effect on January 1, 2020, these newly proposed regulations will not go into effect until the spring of 2020, after debate, discussion, and correction. However, your business should start planning now for how you will implement these new regulations within your existing business functions.