WBK Industry - State Regulatory Developments

California Issues CCPA Proposed Regulations

On October 10, 2019, the California Attorney General’s office published the California Consumer Privacy Act (CCPA) proposed regulations.  The proposed regulations are subject to a verbal and written comment period, which ends on December 6, 2019.

The proposed regulations are authorized and mandated by the CCPA.  Below is a summary of the proposed regulations.

Notices to Consumers

  • Businesses are required to provide the following to consumers: (i) notice at collection of personal information; (ii) notice of right to opt-out of sale of personal information; (iii) notice of financial incentive; and (iv) the business’ privacy policy.
  • In general, the notices mentioned above must be “presented to the consumer in a way that is easy to read and understandable to an average customer.”  Notices must: (i) use plain language; (ii) use a format that draws the consumer’s attention; (iii) be available in the languages used in the business’ ordinary course; and (iv) be accessible to consumers with disabilities.
  • The notice at collection must include, among other things, a list of the categories of personal information to be collected and the business or commercial purpose for which each category will be used. If the company sells personal information, the notice must include a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.”
  • A business that does not collect information directly from consumers does not need to provide a notice at collection, but before it can sell the information, it must contact the consumer directly or must contact the third party source of the personal information.
  • The notice of financial incentive must include an explanation of why the financial incentive is permitted under the CCPA, including: (i) a good faith estimate of the value of the consumer’s data that forms the basis for the offering the financial incentive or price or service difference; and (ii) a description of the method the business used to calculate the value of the consumer’s data.
  • The privacy policy must be posted online through a conspicuous link using the word “privacy,” on the business’s website homepage or on the download or landing page of a mobile application and must comply with the content requirements listed in the proposed regulations.

Business Practices for Handling Consumer Requests and Verification of Requests

  • A business must provide two or more designated methods for submitting requests to know and requests to delete.  Permissible methods include a toll-free telephone number, a link or form available online, a designated email address, a form submitted in person, and a form submitted through the mail.
    • A “request to know” means a consumer’s request that a business disclose personal information that it has about the consumer and includes, among others, specific pieces of personal information that a business has about the consumer, categories of sources from which the personal information is collected, and categories of third parties to whom the personal information was sold or disclosed for a business purpose.
    • A “request to delete” means a consumer’s request that a business delete personal information about the consumer that the business has collected from the consumer.
  • At least one method must reflect the manner in which the business primarily interacts with the consumer.
  • A business has 10 days to confirm receipt of a request to know or request to delete and provide information about how the request will be processed.  Responses must be provided within 45 days (since date of receipt), or within 90 days under certain conditions.
  • The proposed regulations address how to respond to a request to know or request to delete, including what a business must do to verify a consumer’s identity, security measures that must be in place, and under which circumstances a business may deny a consumer’s request.  In addition, the proposed regulations include guidelines for how service providers may use personal information received from a person or entity it services.
  • Records of consumer requests must be maintained for 24 months.

Non-Discrimination

  • Offering a financial incentive or a different level of price or service is discriminatory if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or the proposed regulations.  However, a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data.  A business must use and document a reasonable and good faith method for calculating the value of the consumer’s data.

The proposed regulations also include special rules regarding minors’ personal information.

Businesses that receive personal information from 4 million consumers or more are subject to certain additional CCPA requirements.