Updated Clarity on CCPA Regulations

Where should businesses focus their compliance efforts?

On Oct. 10, 2019, the California attorney general released the proposed regulations for the California Consumer Privacy Act (CCPA). The proposed regulations dictate the spirit of what the final CCPA will likely entail. The regulations provide guidelines on five primary areas: 1. Notice to the Consumer; 2. Business Practices for Handling Consumer Requests; 3. Verifications of Requests; 4. Minors; and 5. Non-Discrimination.   

1. Notice to the Consumer: The proposed regulations document four types of notice requirements. The notice requirements are very similar to the European Union’s General Data Protection Regulation. The notice needs to be presented to the consumer in a way that is easily understandable and accessible or visible. The proposed regulations also include the content requirements for each type of notice. 

  • Notice at collection of personal information: The purpose of the notice at collection is to inform consumers of the categories of personal information to be collected from them and the purposes for which the personal information will be used. The personal information collected should only be used for the purpose mentioned in the notice. If the business decides to use the personal information for a new or additional purpose, the consumer needs to be notified about the new purpose. 
  • Notice of right to “opt out” of sale of personal information: The proposed regulations include the notification requirements related to right to opt out of sale of personal information. Businesses need to post the notice of right to opt out on the webpage. Print notices should be provided where the business interacts with consumers offline. However, if the business does not intend to sell personal information of consumers, no notice is required.
  • Notice of financial incentive: The purpose of the notice of financial incentive is to explain to the consumer the financial incentives that the business may offer in exchange for the retention or sale of the consumer’s personal information. The notice needs to include the description of the method the business has used to calculate the value of the consumer’s information.
  • Privacy policy: The purpose of the privacy policy is to provide the consumer with a detailed description of the business’s collection, use, disclosure, and sale of consumer’s personal information. The regulations require that the notice needs to be available online and ready for printout. The notice needs to be made available in other forms where the business does not operate a website. 

2. Business Practices for Handling Consumer Requests: The proposed CCPA regulations confirm various rights for consumers, including the right to know about the collection, sale, and disclosure of their personal information, the right to opt out of the sale of their personal information, and a limited right to request that their personal information be deleted. A brief description of the consumer requests that a business needs to respond to as part of its CCPA compliance requirements is provided below.

  • Request to know: CCPA creates a right for the consumer to access their data free of charge. The business needs to provide two or more designated methods for submitting requests to know, including a toll-free telephone number. The business needs to confirm the receipt of the requests within 10 days and respond to the requests within 45 days. An additional 45-day extension, for a maximum of 90 days, may be available to the business. Under certain circumstances, the business does not need to provide specific pieces of consumer information. Businesses are not required to reidentify personal information that is already de-identified to comply with the requirement.
  • Request to delete: Based on the CCPA regulation, upon receipt of a “verifiable consumer request,” a business must “delete the consumer’s personal information from its records” and direct its service providers to do the same. The request submission method is similar to the request-to-know process. De-identified and aggregated personal information are excluded from the deletion requirements. 
  • Request to opt out: A consumer can direct a business that sells personal information about the consumer to third parties not to sell their personal information. The business needs to comply with the request within 15 days of the receipt of the request. 
  • Request to opt in: The opt-in for sale of personal information is a two-step process whereby the consumer needs to make the request for opt-in and then separately confirm their choice to opt in. A business can sell personal information of minors, children less than 16 years of age, only after affirmative authorization/opt-in request. 

3. Verification of Requests: The proposed regulations state that the business needs to leverage existing consumer information that the business holds about the consumer to verify the identity of the consumers. This means the business needs to avoid collecting additional personal information for identity verification where possible. The regulations provide flexibility for the business to design their identity-verification process. While designing the identity-verification process, the business needs to be cognizant of the type, sensitivity, and value of the personal information. The process needs to be rigorous where sensitive and/or valuable personal information is involved. 

4. Minors: The proposed regulations prescribe guidelines around handling a minor’s data. Specifically, where the minor is under the age of 13 years, affirmative confirmation is required from parents or the guardian for the sale of personal information. The regulations prescribe methods for confirming that the person providing consent is the child’s parent or guardian.

5. Non-Discrimination: The proposed regulations provide a methodology for businesses to calculate the value associated with the personal information of the consumer. A business can calculate the value of consumer information using marginal value, average value, revenue generated, profit generated, or expense incurred.  

While the regulations are open to public comment through Dec. 6, 2019, and we may expect a few additional clarifications, the broader contour of the requirements is not likely to change. Organizations should continue to focus on CCPA compliance activities without waiting for the public comment period to end. Businesses that have not initiated their CCPA compliance effort should start as soon as possible. These businesses should consider starting by performing a current-state assessment to evaluate the preparedness of the institution to comply with the CCPA requirements. Businesses that are further along the journey should focus on implementing consumer rights and complying with the transparency obligations outlined within the regulations. These businesses should develop a personal data inventory if they have not already done so and define the requirements for their consumer rights solution.
