New Regulatory Guidance on Compliance with the California Consumer Privacy Act

As widely reported, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. The California Attorney General, who is responsible for generally enforcing the CCPA, will adopt final regulations on or before July 1, 2020, and will not bring an enforcement action until six months after the publication of such regulations. This schedule gives businesses subject to the CCPA additional time to consult with their lawyers and take the necessary steps to be in full compliance.

On February 7, 2020, the California Attorney General modified its proposed regulations that were published on October 11, 2019 to address comments received from the public (collectively, Proposed Regulations). The Proposed Regulations give further guidance on a variety of issues that were unclear under the CCPA. Among the topics addressed by the Proposed Regulations are the following:

• Personal Information: The Proposed Regulations state that to be considered “personal information,” the information must be capable of being associated with a particular consumer. Thus, for example, “if a business collects the IP address of visitors to its website but does not link the IP address with a particular consumer or household, then the IP address would not be “personal information.” Proposed Reg. § 999.302.
• Required Notices: The Proposed Regulations detail the information that should be included in the various disclosure notices required under the CCPA. They also require businesses to use “plain, straightforward language” and a format that draws the consumer’s attention to the notice. See, e.g., Proposed Reg. §§ 999.305, 999.306, 999.307, 999.308. The required notices and privacy policy that are accessible online must “follow generally recognized industry standards, such as the Web Content Accessibility Guidelines (the 'WCAG'), version 2.1 of June 5, 2018, from the World Wide Web Consortium.” Id. Under the WCAG, web content developers are encouraged to provide content that is “perceivable, operable, understandable, and robust.”
• The disclosure notice required at the time personal information is collected shall include: (1) a list of categories of personal information about consumers to be collected; (2) the commercial purpose for which the categories of personal information will be used; (3) a link titled “do not sell my personal information” if the business sells such information; and (4) a link to the business’s privacy policy. Proposed Reg. § 999.305.
• The Proposed Regulations provide the following sample opt-out buttons that, if otherwise required under the CCPA, may be used in connection with the notice to opt-out. Proposed Reg. § 999.306.

• A business cannot generally discriminate against a consumer for exercising a right under the CCPA. However, the business can offer financial incentives. The notice of financial incentive shall include: (1) a summary of the financial incentive offered; (2) a description of the material terms of the financial incentive, including the categories of personal information implicated; (3) how consumers can opt-in to the financial incentive; (4) a statement of the consumer’s right to withdraw and how that right may be exercised; and (5) an explanation of how the financial incentive is reasonably related to the value of the consumer’s data. Proposed Reg. § 999.307.
• The CCPA requires that a business publish a privacy policy. The privacy policy shall include: (1) a consumer’s right to know about information collected, disclosed or sold; (2) a consumer’s right to request deletion of personal information; (3) a consumer’s right to opt-out of the sale of personal information; (4) a consumer’s right to non-discrimination for the exercise of privacy rights; (5) instructions on how an authorized agent can make a request on the consumer’s behalf; and (6) contact information for consumers to contact the business about their privacy rights. Proposed Reg. § 999.308.

• Training and Record Keeping: The Proposed Regulations require training for all individuals responsible for handling consumer inquiries. Proposed Reg. § 999.317. Businesses must also retain records of consumer requests and how the business responded to such request for 24 months. Id.
• Definition of Household: Pursuant to CCPA, the ability to identify a household is the same as being able to identify an individual. The Proposed Regulations change the definition of household to “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” (Emphasis added.) The new definition is intended to be limited to a person or group of people who permanently reside at an address, thus eliminating guests or people with no actual connection from the definition. Proposed Reg. § 999.301(l).
• Service Providers: A business may use a service provider to process personal information on its behalf. The Proposed Regulations add a permissible use of personal information by service providers. They state that a service provider can use personal information internally “to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” Proposed Reg. § 999.314.
• Verification of Requests: The CCPA requires that a business receiving a request for information must verify the identity of the requesting consumer. The Proposed Regulations also clarify that third-party identity service providers may be used to verify the identity of the consumer making a request and, if so, those service providers are subject to the requirements of Article 4, “Verification of Requests.” Article 4, among other things, provides examples of proper methods of verification. Specifically, if a retailer maintains a record of purchases made by the consumer, the business may require the consumer to identify items that they recently purchased. Proposed Reg. § 999.325.

The comment period for the Proposed Regulations ends on February 25, 2020. Additional changes to the Proposed Regulations may take place as a result of any new comments received during the current comment period. However, in the meantime, the Proposed Regulations provide helpful guidance on the enforcement objectives of the California Attorney General and best practices that should be gleaned therefrom. Businesses that must comply with the CCPA would be wise to structure initial compliance around the directives of the Proposed Regulations. This will necessarily require particular emphasis on drafting notices that use plain language in formats that draw the attention of consumers, and make those notices accessible to users.

If you received this alert from a third party or from visiting our website, and would like to be added to our Cybersecurity & Privacy mailing list or any other of our mailing lists, please visit us at: https://forms.hodgsonruss.net/sign-up-for-email-and-other-communications..html.