
Countdown to CCPA – Do the California Attorney General’s Regulations Affect Your Company’s Compliance?

On October 10, 2019, the California Office of the Attorney General (OAG) released its highly anticipated proposed text of California Consumer Privacy Act (CCPA) regulations, a procedure required by the statute. For many businesses still shoring up their CCPA compliance, interpreting some of the finer language of the law has been one of the largest obstacles, and privacy professionals and business executives alike have waited for the OAG to provide more details on the law’s most confusing language. The text of the CCPA, for example, does not define “reasonable security measures” for responding to a consumer’s data access request and similarly does not provide examples of “reasonable methods” for verifying identity. While textual uncertainty combined with frequent comparisons of the CCPA to the E.U.’s General Data Protection Regulation (GDPR) have naturally led many privacy professionals to craft comparable definitions of reasonableness and utilize parallel examples for verifying identity, much of the CCPA compliance process has thus far been an admittedly imprecise science. The OAG’s proposed regulations are welcome clarifications and instructions. For those who are following along with our “Countdown to CCPA” client alerts (found here and here), we have provided below detailed summaries of the most significant guidance from each Article in the OAG’s regulations, beginning with a brief outline of included topics.

Highlights from the Proposed Regulations

  • Notice. The Notice sections discussed below detail notice requirements at collection, what notice must be provided about exercising opt-out requests, and specific notice requirements when offering financial incentives or price of service differences.
  • Business Practices for Handling Consumer Requests. These sections provide guidance for businesses that must comply with timeliness requirements, consumer rights including deletion and opt-out, and response requirements.
  • Verification Requests. The verification requests sections describe how to reasonably verify individuals based on the sensitivity of information sought and propose additional requirements.

Article 2. Notice to Consumers

§ 999.305. Notice at Collection of Personal Information

The regulations emphasize a clear distinction between a notice at collection of personal information and a privacy policy. A notice at collection must inform consumers, at or before the time of collection, of the categories of personal information to be collected and the business purpose for which they will be used, and if a business sells the information, it must include a link entitled “Do Not Sell My Information” where consumers can opt-out of the sale of their information. Although this notice can be linked separately on a webpage or application download page, it can also be given by providing a link to the section in your privacy policy that includes the required information in a notice at collection.

§ 999.30. Notice of Financial Incentive

Businesses must provide a notice of financial incentive that includes a summary of the financial incentive or price of service difference; the categories of personal information implicated; how a consumer can opt-in to the incentive; the right of consumers to withdraw from the incentive at any time and how they can access that right; and an explanation of why the financial incentive is permitted. The explanation should include a good-faith estimate of the value of the consumer’s data and a description of the method the business used to calculate that value. For guidance on how to calculate the value of consumer data, see § 999.337.

Article 3. Business Practices for Handling Consumer Requests

§ 999.313. Responding to Requests to Know and Requests to Delete

Under the new regulations, businesses must confirm receipt of a request to know or request to delete within 10 days and provide information about how the business will respond to the request, the business’s verification process, and when to expect a response. The business must respond to the request within 45 days, regardless of the time needed to verify the consumer. A business must never disclose in a request to know the consumer’s Social Security Number, Driver’s License Number, financial account number, health insurance identification number, account password, or security questions and answers.

The OAG did not provide any guidance on “reasonable security measures” that must be deployed when responding to these requests. We recommend that our clients consult the Center for Internet Security’s security controls or the New York Department of Financial Services’ cybersecurity requirements for guidance on this issue, but what constitutes reasonable security measures will likely be left to courts. 

§ 999.315. Requests to Opt-Out

Under the CCPA, businesses must provide two or more designated methods for submitting requests to opt-out, including an interactive webform and a conspicuous link titled “Do Not Sell My Personal Information.” However, the OAG regulations state that a consumer can also express an opt-out request through user-enabled privacy controls such as browser plugins and privacy settings. Businesses have 15 days to respond to these requests, must notify third parties to whom they have sold the consumer’s personal information within the 90 days prior to receipt of the consumer’s request that the consumer has exercised this right, and must also instruct those third parties not to further sell the information. Requests to opt-out do not need to be verified consumer requests, but a business can deny a request if it has a good-faith, reasonable belief that the request is fraudulent.

§ 999.317. Training; Record-Keeping

This section requires that businesses maintain records of CCPA requests and responses for at least 24 months. Also, the regulations expand requirements for companies collecting information of 4,000,000 or more consumers: such businesses must compile statistics on the number of requests and the median time it takes to respond to these requests, and this information must be disclosed in either the business’s privacy policy or website. All individuals responsible for handling consumer inquiries about the business’s compliance with the CCPA must be informed of the law’s requirements, and businesses must establish, document, and comply with a training policy to ensure employees are provided this training.

Article 4. Verification of Requests

Article 4 provides much-needed clarification on “reasonable methods” for verifying consumer requests.

§ 999.323. General Rules Regarding Verification

This section provides factors businesses must consider in determining the method by which the business will verify the consumer’s identity:

  1. The type, sensitivity, and value of the personal information collected (i.e., sensitive information warrants more stringent verification);
  2. The risk of harm to the consumer posed by any unauthorized access or deletion;
  3. The likelihood fraudulent or malicious actors would seek the personal information;
  4. Whether the personal information is sufficiently robust to protect against fraudulent requests;
  5. The manner in which the business interacts with the consumer; and
  6. Available technology for verification.

Businesses should generally avoid requesting additional information from the consumer for purposes of verification. If additional information is necessary, the information must be used for verification purposes only and must be deleted as soon as practical.

§ 999.325. Verification for Non-Accountholders

The regulations state that if a business maintains a password-protected account with the consumer, the business may verify the customer’s identity through its existing authentication practices for the consumer’s account. However, if a consumer does not have or cannot access a password-protected account, there are different verification requirements.

If the information sought is simply the categories of personal information, the business must verify the consumer’s identity to a reasonable degree of certainty: it must match at least two data points provided by the consumer with data points maintained by the business.

If instead specific pieces of personal information are sought, the business must verify the identity of the consumer to a reasonably high degree of certainty: it must match at least three pieces of personal information provided by the consumer with data points maintained by the business, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

Illustrative scenarios explaining these requirements can be found on page 20 of the full text of the regulations.
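To make the verification thresholds of § 999.325 and the disclosure prohibition of § 999.313 concrete, the following is an added illustration written for this alert, not text from the OAG regulations or code from any vendor. The record on file, the field names, the sample values, and the choice to match data points by trimmed, case-insensitive string equality are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

# Identifiers that § 999.313 says must never be disclosed in a response to a request to know.
PROHIBITED_IN_RESPONSE = {"ssn", "drivers_license", "financial_account",
                          "health_insurance_id", "password", "security_qa"}

class RequestType(Enum):
    CATEGORIES = "categories"   # request to know the categories of personal information
    SPECIFIC = "specific"       # request to know specific pieces of personal information

@dataclass
class KnowRequest:
    request_type: RequestType
    authenticated_account: bool       # requester logged in via the business's existing account auth
    claimed: dict                     # data points the requester supplied for verification
    signed_declaration: bool = False  # declaration under penalty of perjury accompanies the request

# Constructed sample record; every value here is made up for the example.
ON_FILE = {"email": "jane@example.com", "phone": "555-0100", "zip": "90001",
           "ssn": "CONSTRUCTED-SSN", "purchases": "3 orders"}

def matched_points(claimed: dict, on_file: dict) -> int:
    """Count requester-supplied data points equal to the record on file (trimmed, case-insensitive)."""
    return sum(1 for k, v in claimed.items()
               if k in on_file and str(v).strip().lower() == str(on_file[k]).strip().lower())

def required_matches(req: KnowRequest) -> int:
    """§ 999.325 threshold for non-accountholders: 2 points for categories, 3 for specific pieces."""
    return 2 if req.request_type is RequestType.CATEGORIES else 3

def is_verified(req: KnowRequest, on_file: dict) -> bool:
    if req.authenticated_account:       # existing password-protected account authentication suffices
        return True
    if matched_points(req.claimed, on_file) < required_matches(req):
        return False
    # Specific pieces additionally require the signed declaration under penalty of perjury.
    return req.request_type is RequestType.CATEGORIES or req.signed_declaration

def build_response(req: KnowRequest, on_file: dict) -> dict:
    """Deny unverified requests; otherwise answer at the requested level without prohibited identifiers."""
    if not is_verified(req, on_file):
        return {"status": "denied", "reason": "verification failed"}
    if req.request_type is RequestType.CATEGORIES:
        # Simplification: field names stand in for the statutory categories of personal information.
        return {"status": "ok", "categories": sorted(on_file)}
    return {"status": "ok",
            "data": {k: v for k, v in on_file.items() if k not in PROHIBITED_IN_RESPONSE}}
```

Note that the requester-supplied data points in `claimed` are used only to compute the match and are not stored, in keeping with § 999.323's instruction that information collected for verification be used for that purpose only and deleted as soon as practical.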

Next Steps for Your Business

The California Attorney General will hold four public hearings December 2-5, 2019 where stakeholders may present oral or written testimony regarding the proposed regulations, and the OAG will accept written comments until December 6, 2019. Ice Miller will continue to monitor the OAG’s actions on the CCPA as new developments arise.

Ice Miller has the professionals and experience to help clients develop cybersecurity and privacy programs to comply with the requirements of the CCPA. As part of a panel at the International Association of Privacy Professionals’ Privacy.Security.Risk 2019 Conference, Stephen Reynolds, partner and Data Security and Privacy Practice Group co-chair, had the opportunity to meet with and introduce two individuals with extensive knowledge regarding the CCPA: Alastair Mactaggart, an early proponent of the original proposition that led to the CCPA, and Stacey Schesser, Supervising Deputy Attorney General, who is charged with enforcing the OAG’s regulations.

To speak to an attorney, please contact Nick Merker, Stephen Reynolds, or Mason Clark. Nick Merker and Stephen Reynolds are partners and co-chairs of Ice Miller’s Data Security and Privacy Practice Group. Mason Clark is an associate in Ice Miller’s Data Security and Privacy Practice Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
