California Attorney General’s CCPA Regulations: What Do They Mean for Your CCPA Compliance Prep?

October 13, 2019 | Alerts

On Thursday, October 10, the California Attorney General issued draft regulations for the California Consumer Privacy Act. The regulations are open for public comment until December 6, 2019. Much has been written about the new and surprising provisions in the regulations, but what do they mean in practice for how you have been preparing to comply with CCPA?

1. Create New Privacy Notices

You need to adopt and maintain four privacy notices: Notice of collection, notice of opt-out, notice of financial incentive and privacy policy. What does this mean?

  • You need to create a notice of collection of personal information which will be separate from and in addition to your online privacy notice (aka “privacy policy”). To this end you should:
    • Assess the various places that you collect personal information.
    • Determine the best method for providing notice at or before the time information is collected for each one of those places.
    • Include the information required in the regs/law.
    • Be comprehensive and precise. (You will not be permitted to use any categories of personal information that you did not disclose nor use categories of information that you disclosed for any purpose other than those disclosed.)
    • Draft in a way that is very user-friendly. This means that your notice must:
      • Use plain, straightforward language – such that the notice is understandable to an average consumer
      • Avoid technical or legal jargon
      • Be written in a manner that provides consumers a meaningful understanding of the information being collected
      • Use a format that draws the consumer’s attention to the notice and makes the notice easy to read, including on smaller screens, if applicable.
      • Be available in the languages in which the business, in its ordinary course, provides contracts, disclaimers, sale announcements and other information to consumers.
      • Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.
  • You need to create a notice of the right to opt out.

If you sell personal information (the way that this is defined in CCPA):

  • Provide a notice of the right to opt out.
  • Draft the notice to be “very user-friendly” (as explained above).
  • Include the information required in the law and regs.

If you do not sell personal information:

  • You do not have to provide a notice to opt out if:
    • you will not sell personal information during the time period a notice to opt out is not posted; and
    • you state in your privacy policy that you do not and will not sell personal information.
  • Create a notation in your records of all information collected during this time as being information of consumers that had exercised the right to opt out. This way, if you change your practice going forward – you will have an opt-out list.
  • You need to create a notice of financial incentive.

Before drafting the notice

  • Review the documentation of your financial incentive.
  • Analyze, using a reasonable and good faith method, whether it meets the requirement that the price or service difference is directly related to the value provided to the business by the consumer’s data (or “the value of the consumer’s data”), and document your analysis.
  • Use the criteria for the analysis provided in the regs.

The notice

  • Provide the notice of financial incentive.
  • Draft in a very user-friendly manner (see above).
  • Include the information required in the law/regs. This should include an explanation of why the financial incentive or price or service difference is permitted under the CCPA.
  • Create a process for operationalizing the right to opt in and to withdraw.

2. Revise Your Online Privacy Notice

  • Make sure that it includes your online and offline practices regarding the collection, use, disclosure and sale of personal information.
  • Draft the notice in a very user-friendly manner. (see above)
  • Include all information required in the law/regs including:
    • A description of the right to know and how to exercise it
    • What information you collect by category and, for each category: (i) the categories of sources from which that information was collected, (ii) the business or commercial purpose(s) for which the information was collected, and (iii) the categories of third parties with whom you share the personal information
    • Whether you have disclosed/sold personal information
    • A description of the right to request deletion and how to exercise it
    • A description of your method for verifying the consumer’s identity (or if there is no reasonable method a statement to that effect and an explanation of why you do not have any reasonable method by which you can verify the identity of the requestor)
    • A description of the right to opt out of a sale and how to exercise it
    • A description of the right to non-discrimination
    • An explanation of how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf.
    • A contact for more information
    • The date the privacy policy was last updated.
    • If you collect or process the personal information of 4 million consumers or more:
      • Number of each type of request that you have received in the past 12 months
      • Whether you complied with the request in whole or in part or whether you denied it
      • The median number of days it took you to substantively respond to each type of request.

3. Revise your Process for Verifying the Identity of Consumers Making Know/Deletion Requests

  • Establish or revise and maintain your written, reasonable method for verifying the identity of the person making a request to know or to delete.
  • Establish and implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.
  • Use the principles set forth in the regs to devise the process. This includes:
    • Whenever feasible
      • Use the information that you already have about the consumer.
      • Use a third-party verification service.
      • Leverage a password-protected account and the compliant authentication procedures associated with it, provided that you require a consumer to re-authenticate themselves before disclosing or deleting the consumer’s data. 
    • Unless necessary, avoid:
      • Using personal information as defined in California data breach law for the verification (this includes e.g. social security number, driver’s license, account number, medical information or health insurance information)
      • Collecting new information that you don’t already have
        • If you do, use it only for the verification and delete it as soon as practical afterwards.
    • Consider the type, sensitivity, and value of the personal information.
    • Consider the risk of harm to the consumer posed by any unauthorized access or deletion.
  • Establish a process for evaluating on a yearly basis whether a reasonable verification method can be established, and document the evaluation.

4. Revise Your Process for Responding to Know (Access) Requests

Before responding

  • Create or revise the two or more methods you will make available for submitting requests.
    • At minimum:
      • a toll-free telephone number and interactive web form accessible through the website or mobile application
      • additional method reflecting the manner in which you primarily interact with the consumer (e.g. paper form for point-of-sale retailers)
  • Create a process for identifying and responding to requests not made through the designated process (e.g. specific directions as to how to make the request using the designated method).
  • Create a process that ensures that you do not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password or security questions and answers.
  • Create a process that allows denying requests for specific pieces of information if:
    • The disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with you, or the security of your systems or networks.
    • There is a conflict with federal or state law.
    • There is an exception to the CCPA.
  • Implement reasonable security measures for transmitting personal information to the consumer as part of a response.
  • Devise/implement a process for dealing with requests pertaining to household information.
    • If you can individually verify all members of the household – you can comply with the request.
    • If the person does not have a password-protected account and you cannot verify – you may provide aggregate household information, subject to verification requirements.
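Two of the points above (re-authenticate an account holder before disclosing anything, and never disclose the identifiers listed for request-to-know responses) are mechanical enough to be enforced in code. The following is an added example written for this article, not code from the article or from Fox Rothschild; the field names, the request/response shapes, the categories-only fallback for an unverified request and the sample record are all constructed assumptions.

```python
"""Added example: a minimal gate for answering a CCPA request to know.

It enforces two checklist items: (1) a consumer with a password-protected
account must re-authenticate before specific pieces of data are disclosed,
and (2) the identifiers the regs say must never be disclosed (SSN, driver's
licence and other government IDs, financial account numbers, health or
medical IDs, passwords, security questions and answers) are stripped from
any response at any depth of the record.
"""
from dataclasses import dataclass, field
from typing import Any, Tuple, List

# Constructed assumption: record keys this example maps to the never-disclose
# categories. A real system would tag fields at the schema level instead of
# relying on a key-name list.
NEVER_DISCLOSE = frozenset({
    "ssn", "drivers_license_number", "passport_number",
    "bank_account_number", "card_number",
    "health_insurance_id", "medical_record_number",
    "password", "password_hash", "security_questions",
})


@dataclass
class KnowRequest:
    consumer_id: str
    specific_pieces: bool    # True = specific pieces, False = categories only
    reauthenticated: bool    # consumer re-authenticated when submitting


@dataclass
class KnowResponse:
    status: str              # "granted" or "partial"
    payload: dict = field(default_factory=dict)
    withheld: list = field(default_factory=list)
    reason: str = ""


def redact(record: Any, path: str = "") -> Tuple[Any, List[str]]:
    """Copy `record` with never-disclose keys removed at any nesting depth.
    Returns the cleaned copy and the dotted paths that were withheld."""
    withheld: List[str] = []
    if isinstance(record, dict):
        out = {}
        for key, value in record.items():
            here = f"{path}.{key}" if path else key
            if key in NEVER_DISCLOSE:
                withheld.append(here)
                continue
            cleaned, sub = redact(value, here)
            out[key] = cleaned
            withheld.extend(sub)
        return out, withheld
    if isinstance(record, list):
        out = []
        for i, item in enumerate(record):
            cleaned, sub = redact(item, f"{path}[{i}]")
            out.append(cleaned)
            withheld.extend(sub)
        return out, withheld
    return record, withheld


def respond_to_know(req: KnowRequest, record: dict) -> KnowResponse:
    """Build the response. Without re-authentication only the categories held
    are returned, never the values; with it, values are returned minus the
    identifiers that may never be disclosed."""
    categories = sorted(k for k in record if k not in NEVER_DISCLOSE)
    if not req.reauthenticated:
        return KnowResponse(status="partial", payload={"categories": categories},
                            reason="identity not verified; categories only")
    if not req.specific_pieces:
        return KnowResponse(status="granted", payload={"categories": categories})
    cleaned, withheld = redact(record)
    return KnowResponse(
        status="partial" if withheld else "granted",
        payload=cleaned,
        withheld=withheld,
        reason="prohibited identifiers withheld" if withheld else "",
    )


# Constructed sample record for one consumer (all values are fake).
SAMPLE_RECORD = {
    "name": "Sample Consumer",
    "email": "consumer@example.com",
    "ssn": "000-00-0000",
    "password_hash": "$argon2id$placeholder",
    "orders": [{"id": 1, "card_number": "4111111111111111", "total": 42.0}],
}

if __name__ == "__main__":
    resp = respond_to_know(KnowRequest("c1", True, True), SAMPLE_RECORD)
    print(resp.status, resp.withheld)
```

The withheld paths are returned alongside the payload so the response can say that some pieces were not disclosed and why, which is what the denial rules above call for when only part of a request is refused.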

For the response: Create/implement a process which includes:

  • An initial response within 10 days confirming receipt and describing how you will verify identity and process the request
  • The ability to request additional time to respond, and the reason
  • A notice of problem with verification – which includes an explanation of your inability to verify and (i) for a request for specific pieces of information – a possible response with categories of information; and (ii) for a request for categories of information – a possible link to an explanation of your common data processing practices.
  • Full response:

If you are granting the request (a YES response)

  • Avoid referring the consumer to your general practices outlined in the privacy policy unless its response would be the same for all consumers and the privacy policy discloses all the information that is otherwise required to be in a response to a request to know such categories.
  • Provide the information set forth in the regs for each identified category of personal information collected about the consumer.

If you are denying the request (a NO response)

  • Explain why.
  • If only some disclosure is prevented – provide the rest.
  • For household request - If you cannot verify the identity you may provide aggregate household information, subject to verification requirements.

5. Revise Your Process for Responding to Deletion Requests

Before responding

  • Assess whether it makes the most business sense for you to comply with deletion requests by a complete deletion or, alternatively, through de-identification or aggregation.
    • If de-identification – (i) make sure that it meets the definition of de-identification and (ii) for sensitive information – consider getting a third party to confirm the de-identification
  • Conduct/revise your analysis of which exceptions to the right to delete may apply to you and make sure to assess whether those cover all of the information or only parts of it (if only parts – you would need to disclose the rest).
  • Create or revise the two or more methods you make available for submitting requests. This can be any of two or more of: a toll-free telephone number, a link or form available online through a business’s website, a designated email address, a form submitted in person and a form submitted through the mail – but it may make sense to use the same methods you created for the right to know.
  • Use a two-step process for online requests to delete, where the consumer must (i) clearly submit the request and (ii) separately confirm that they want their personal information deleted.
  • Create a process for identifying and responding to requests not made through the designated process (e.g. specific directions as to how to make the request using the designated method).
  • Create a process for dealing with requests pertaining to household information. (see above)
  • For backups – ensure that information is deleted the first time, following receipt of the deletion request, that the archive or backup system is accessed or used.

For the response: Create/implement a process which includes:

  • Initial response (see above)
  • Request for additional time (see above)
  • If you would like – a notice presenting an option to delete only a selected portion of the data, provided that (i) you also offer a global option to delete all personal information; (ii) you present the offer to delete all information more prominently than the other choices; (iii) you use the two-step process (outlined above) for this.
  • Notice of problem with verification
    • Tell the consumer that you cannot verify their identity.
    • Provide an explanation why you do not have any reasonable method by which you can verify
    • Treat the request as an opt-out of sale and inform the consumer of this fact.
  • Full response which includes:
    • Specify the manner in which you deleted.
    • Indicate that you will maintain a record of the request as required by the regs.
    • For a denial of the request: Provide the basis of denial, delete information not subject to an exception and use the information retained per an exception only as permitted by the exception.

6. Revise Your Process for Responding to Opt-out Requests

Before responding

  • If you collect information online – assess your position regarding “Do Not Track” or “DNT” and whether and how you are able to recognize and respond to a browser plugin, privacy setting or other mechanism that communicates or signals the consumer’s choice to opt out of the sale.
  • Create or revise the two or more methods you make available for submitting requests:
    • At minimum:
      • An interactive web form accessible through a clear and conspicuous link titled “Do Not Sell My Personal Information,” or “Do Not Sell My Info,” on your website or mobile application
      • If you collect information online – treat user-enabled privacy controls, such as browser plugins, privacy settings or other mechanisms, that communicate or signal the consumer’s choice to opt out of the sale of their personal information as a valid request.
      • Additional method reflecting the manner in which you primarily interact with the consumer (e.g. paper form for point of sale retailers)
    • Incorporate into your process the ability to submit a request through an authorized agent.
  • If you would like – add into the process a choice for the consumer to opt out of sales of certain categories of personal information, provided that (i) you also offer a global option to opt out of the sale of all personal information; (ii) you present the global option more prominently than the other choices.
  • Revise your process so that it:
    • Allows you to respond within 15 days from the date you received the request
    • Includes notifying all third parties to whom you sold the consumer’s personal information within the 90 days prior to your receipt of the request that the consumer has exercised their right to opt out, and instructing them not to further sell the information
    • Allows you to deny a request if you have a good-faith, reasonable and documented belief that a request to opt out is fraudulent
    • Includes a two-step process for opting in to a sale after an opt out

After the response

  • Notify third parties. (see above)
  • Inform the consumer that you have notified all third parties. (see above)
  • Inform the consumer when a transaction requires the sale of their personal information as a condition of completing the transaction, along with instructions on how the consumer can opt in.
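The bookkeeping behind an opt-out response (accepting a user-enabled privacy signal as a request, the 15-day response window, and working out which third parties received the consumer’s data in the 90 days before the request) is easy to get wrong at the window boundaries. This is an added example written for this article, not code from the article or from Fox Rothschild; the sale-record layout, the header name used for the privacy signal, the sample data and the choice to treat the 90-day window as inclusive of its first day are constructed assumptions.

```python
"""Added example: opt-out-of-sale request bookkeeping.

(a) A user-enabled privacy control signal is accepted as a valid request.
(b) The response deadline is 15 days from receipt.
(c) The third parties to notify are those that received the consumer's
    personal information in the 90 days before the request was received.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

RESPONSE_DAYS = 15
LOOKBACK_DAYS = 90

# Constructed assumption: the privacy signal arrives as this request header.
SIGNAL_HEADER = "X-Opt-Out-Signal"


@dataclass(frozen=True)
class SaleRecord:
    consumer_id: str
    third_party: str
    sold_on: date


@dataclass(frozen=True)
class OptOutRequest:
    consumer_id: str
    received_on: date
    source: str  # "web_form", "paper", "privacy_signal", ...


def request_from_signal(consumer_id: str, today: date,
                        headers: Dict[str, str]) -> Optional[OptOutRequest]:
    """Turn a user-enabled privacy signal into an opt-out request, if present."""
    if headers.get(SIGNAL_HEADER, "").strip() == "1":
        return OptOutRequest(consumer_id, today, "privacy_signal")
    return None


def response_deadline(req: OptOutRequest) -> date:
    """Last day on which the response is still within the 15-day window."""
    return req.received_on + timedelta(days=RESPONSE_DAYS)


def third_parties_to_notify(req: OptOutRequest,
                            sales: Iterable[SaleRecord]) -> List[str]:
    """Distinct third parties that bought this consumer's data in the 90 days
    before receipt. The window is [received_on - 90 days, received_on]
    (inclusive at both ends, a constructed assumption); sales after receipt
    are not in the lookback and should not be happening at all."""
    window_start = req.received_on - timedelta(days=LOOKBACK_DAYS)
    return sorted({
        s.third_party for s in sales
        if s.consumer_id == req.consumer_id
        and window_start <= s.sold_on <= req.received_on
    })


def notification_texts(req: OptOutRequest,
                       sales: Iterable[SaleRecord]) -> Dict[str, str]:
    """One instruction per third party, keyed by recipient."""
    return {
        tp: (f"Consumer {req.consumer_id} has exercised the right to opt out "
             f"as of {req.received_on.isoformat()}; do not further sell "
             f"their personal information.")
        for tp in third_parties_to_notify(req, sales)
    }


# Constructed sample data. Request received 2020-03-01, so the lookback
# window starts 2019-12-02 (2020 is a leap year).
SAMPLE_SALES = [
    SaleRecord("c1", "AdNet A", date(2019, 12, 1)),   # one day before window
    SaleRecord("c1", "AdNet A", date(2020, 1, 15)),   # in window
    SaleRecord("c1", "Broker B", date(2019, 12, 2)),  # first day of window
    SaleRecord("c1", "Broker B", date(2020, 2, 20)),  # in window
    SaleRecord("c2", "Broker C", date(2020, 2, 1)),   # other consumer
    SaleRecord("c1", "Lists D", date(2020, 3, 5)),    # after receipt
]
SAMPLE_REQUEST = OptOutRequest("c1", date(2020, 3, 1), "web_form")

if __name__ == "__main__":
    print(response_deadline(SAMPLE_REQUEST))
    print(third_parties_to_notify(SAMPLE_REQUEST, SAMPLE_SALES))
```

Keeping the lookback as a set comprehension over dated records, rather than a flag on the consumer, means the same function answers both “whom do I notify” and, later, “whom did I notify” for the 24-month request records the retention section calls for.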

7. Revise Your Agreements with Third Party Vendors

  • Prohibit your service providers from using consumers’ personal information received in connection with the services provided to one business client for another business client, unless necessary to detect data security incidents or protect against fraudulent or illegal activity.
  • Require your service providers to devise a process for recognizing and fielding consumer requests and conveying them to the right business client.
  • Address in your agreement with the service provider who answers consumer requests: you or the service provider.
  • If you will be responding to the requests, require the service provider, in your agreement, to devise a process for providing an interim response to the consumer which will include the content required in the regs.

8. Revise Your Processes When Receiving Personal Information from Third Party Information Sources

If you receive personal information from a third-party source and want to sell the information (in the broad meaning for this under CCPA) you should:

  • In your agreement with the source of the information, (i) get a representation (attestation) that the source provided a notice at collection to the consumer that meets the requirements, containing a description of how the source gave the notice at collection, and (ii) attach an example of the notice to the agreement.
  • Retain the agreement containing the attestations for at least two years and make it available to the consumer upon request.

Alternatively you may contact each consumer directly to (i) provide notice that you will be selling personal information about the consumer and (ii) provide the consumer with a notice of the right to opt out.

9. Revise or Develop Records Retention and Training Programs:

Records Retention

  • Maintain records of consumer requests made pursuant to the CCPA and how you responded to said requests for at least 24 months.
  • Retain all signed declarations collected in connection with requests to know specific pieces of information.
  • Avoid using the records for any purpose other than record-keeping.

Training

  • Revise or create a training policy to ensure that all individuals responsible for handling consumer requests or your compliance with the CCPA are informed of all the requirements in the regs and the CCPA.
  • Document and comply with the training policy.

Note: The regulations also include special requirements in the event you collect the personal information of children, and in the event you are a service provider; these are not covered in this article.

Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of CCPA compliance issues contact Odia at [email protected] or 215.444.7313.