Oct. 28, 2019
Businesses: What to know about draft CCPA regulations
California Attorney General Xavier Becerra is responsible for interpreting and enforcing the act, and published draft regulations on Oct. 10. The regulations clarify the act in five key areas.
Lindsey Tonsager
Partner
Covington & Burling LLP
Email: ltonsager@cov.com
Lindsey leads the firm's data privacy and cybersecurity practice on the West Coast.
Jadzia Pierce
Associate
Covington & Burling LLP
Jadzia is an associate in the firm's data privacy and cybersecurity practice.
The Jan. 1, 2020 effective date for the California Consumer Privacy Act is just a few months away. The act is the most sweeping data privacy law in the United States to date, and provides California residents a number of new rights over their personal information. California Attorney General Xavier Becerra is responsible for interpreting and enforcing the act, and published draft regulations on Oct. 10.
The regulations clarify the act in five key areas:
1. Right to Opt Out of the Sale of Personal Information
The CCPA provides California residents with the right to "opt out" of the sale of their personal information. The draft regulations provide some guidance on the mechanics of how this opt-out might work, including:
How to Receive Opt-Out Requests: Businesses that sell personal information must provide two or more methods for consumers to submit requests to opt out. One of these methods must be a "Do Not Sell My Personal Information" (or "Do Not Sell My Info") link to a webpage that describes the consumer's right to opt out, a web form through which to submit the request, and a description of how requests from authorized agents should be submitted. In addition, one of the methods must reflect how the business primarily interacts with the consumer. For example, if the business collects information online and sells personal information, the draft regulations would require the business to treat a browser plugin, privacy setting, or similar mechanism that communicates or signals the consumer's choice to opt out as an opt-out request.
Requirements for Businesses that Don't Sell Personal Information: A business that does not sell personal information would not be required to provide an opt-out method. However, if the business decides to start selling personal information in the future, the draft regulations require it to treat all consumers whose personal information it collected when the "Do Not Sell" link was unavailable as having "opted out."
Requirements for Third Parties Receiving Personal Information: A business that receives an opt-out request must notify the third parties to which it sold the consumer's personal information and instruct them not to further sell that information. Before re-selling personal information, third parties either must provide consumers with notice and an opportunity to opt out or obtain assurances that another entity has done so.
2. Rights to Access and Delete Personal Information
Under the act, consumers can request access or deletion of their personal information, subject to various exceptions. The draft regulations provide additional guidance:
How to Verify Requests: Under the statute, requests to access or delete data must be "verifiable" by the business. The draft regulations give businesses flexibility in verifying consumers' requests, based on the sensitivity of the data and the specific circumstances. For example, where the consumer has an existing password-protected account with the business, the draft regulations permit the business to use its existing authentication practices, as long as it requires the consumer to re-authenticate before the business deletes the data or discloses it to the consumer.
How to Respond to Access Requests: The draft regulations acknowledge that there are circumstances in which a business should not comply with a consumer's request because there is too much risk of harm to the consumer's information or account, or to the systems or networks of the business if the request is fraudulent. In particular, the regulations state that certain sensitive information, including Social Security Number and financial account numbers, should never be provided in response to an access request.
How to Respond to Deletion Requests: The draft regulations require the business to follow a two-step process for deletion requests: consumers must first submit the request and then subsequently confirm it. Businesses then may delete, de-identify, or aggregate the data and must notify the consumer of the approach they used.
3. Transparency Requirements
Under the draft regulations, many businesses would need to update their online privacy policies to explain their process for verifying consumer requests (including any information the consumer must provide for such purposes) and how a consumer may designate an authorized agent to submit requests on their behalf.
4. Calculating the Value of Consumer Data
The act prohibits businesses from charging different prices or offering different levels of service to consumers who exercise their CCPA rights, unless such differences are based on the value that the business derives from the consumer's data. The draft regulations require businesses to specify the means by which they arrive at a "good-faith estimate" of the value of consumers' data, and provide different criteria by which businesses are permitted to calculate that value.
5. Recordkeeping
The draft regulations require businesses to maintain records of their receipt of, and responses to, consumer requests for a period of 24 months. Certain businesses that annually buy, receive, sell, or share the personal information of 4 million or more consumers would be required to publish more prescriptive metrics, including the median number of days it took them to respond.
What's Next?
The California attorney general's office is holding public hearings in Sacramento, Los Angeles, San Francisco and Fresno from Dec. 2-5, and interested stakeholders have until Dec. 6 to submit comments in response to the draft regulations. It's not clear that the attorney general will be able to finalize the regulations before the law takes effect Jan. 1, 2020. What is clear, however, is that Californians and covered businesses will ring in the new year with a new privacy law that will be enforced no later than July 1, 2020.
Ilan Isaacs
ilan_isaacs@dailyjournal.com