On October 10, 2019, California Attorney General Xavier Becerra released proposed implementing regulations for the California Consumer Privacy Act (“CCPA”). CCPA is intended to give consumers greater control over how their personal information is collected, managed and shared. The Attorney General will hold a series of public hearings as part of the official comment period, and the final regulations are expected to be released sometime in the spring of 2020.
Note: Requirements proposed in the draft regulations that provide processes or standards not initially addressed in the statute are labeled “[NEW].” Text in italicized bold font draws attention to important concepts in the regulation.
The word “sell” as used throughout this document means “sell” as defined in the CCPA. The definition of the word “sell” for purposes of the CCPA is broad and includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or valuable consideration.” Under this broad definition, CCPA applies to most personal data sharing by businesses, even if personal information is not explicitly sold. For an overview of CCPA, please check out the ACC Quick Overview on “Understanding the California Consumer Privacy Act” (2019) and the ACC Guide on “Operationalizing the California Consumer Privacy Act” (2019).
The notice must:
• Be easy to read and understandable by the average consumer:
o Use plain language
o Format that draws attention and is readable on smaller screens if applicable
o In the language(s) the business uses with consumers in the ordinary course (if you regularly conduct business with consumers in both Spanish and English, your notice must also be in both Spanish and English)
o Accessible (at a minimum provide information on how consumers can access the notice in an alternative format)
o Visible where consumers will see it before any data collection takes place, INCLUDING OFFLINE (so brick and mortar must post physical signage which at the very least provides the URL for the online notice)
• [NEW] Be available in an additional format that allows the consumer to print it out as a separate document
• Be posted online using the word "privacy"
• Be part of any California-specific notice (example: if the business has a separate page of disclosures under California’s “Shine the Light” privacy law, which relates to the sharing of customers’ personal information for marketing purposes)
o Each category of personal information that will be collected from a consumer
o The categories of sources from which the information was collected
o The business or commercial purpose for which the information was collected
o The categories of third parties with whom the business shares personal information
• [NEW] Provide the requirements for a consumer to verify their identity, including documents or information required
• [NEW] Provide the requirements for a person to confirm that they are the parent or guardian of a minor requesting to opt in to sale
• [NEW] Outline the method by which a consumer may designate an authorized agent to make a request on the consumer's behalf
• [NEW] Provide the metrics reporting required if a business buys or sells the personal information of more than 4 million consumers
If a financial incentive is available to the consumer:
• Must provide notice of the financial incentive (following the same formatting rules: easy to read, plain language, etc.).
• [NEW] Shall include
o Succinct summary of the financial incentive /price or service difference
o Description of the material terms
o How the consumer can opt in to the incentive or difference
o Notice of the right to withdraw from participation
o Explanation of the financial incentive including
▪ Good faith estimate of the value of the data to the business
▪ Description of the method used to calculate value
A business cannot use the information other than as described, and cannot collect information other than as described; if a business doesn’t post the notice they cannot collect personal information.
[NEW] If a business does not and will not sell personal information:
• The business is not required to include a "Do Not Sell My Personal Information" button on its website
• The business does not have to provide a Notice of Right to Opt Out to consumers
• The person whose information is collected during this period is deemed to have opted out of sale under the CCPA at the time of collection
[NEW] Businesses that do not collect information directly from consumers don't need to provide a notice at collection but have to do the following before sale:
• Contact the consumer directly to provide the notice and the notice of the right to opt out OR
• Contact the source to confirm that the source provided the notice of collection to the consumer and the notice of the right to opt out AND obtain a signed attestation from the source describing how the source provided notices.
Notice at Collection
• Must be provided to the customer at or before the time of collecting any personal information, including offline
• Must include:
o A list of the categories of personal information to be collected;
o The business or commercial purpose for which the personal information will be used;
o The link to the "Do Not Sell My Personal Information" page; and
Notice of Right to Opt Out of Sale – must include:
• Description of the right to opt out
• [NEW] The webform the consumer can use to opt out (having a webform is mandatory)
• Instructions for any other method the consumer can use to submit an opt out request
• Any proof required when a consumer uses an authorized agent to submit the opt out
Responding to Requests to Opt Out
• Required to act on the request within 15 days from the date of receipt
• Notify all third parties to which it has sold the consumer’s personal information within the 90 days preceding the request to opt out, and instruct those third parties not to further sell the information
• [NEW] Notify the consumer when this has been completed
• A request to opt out is the only consumer request that does not have to be a verifiable request
Opting In After Opting Out
Two-step process: consumer must clearly submit the request to opt in and then separately confirm the choice to opt in
"Do Not Sell My Personal Information" Button
• A sample button will be added in a modified version of the regulations after public feedback on its design
• [NEW] Can also say “Do not sell my info”
[NEW] Browser Settings
A consumer's browser plug-ins and privacy settings can be considered a valid communication by which the consumer exercises their right to opt out of the sale of personal information.
[NEW] Businesses are required to retain records of all consumer requests, including all responses by the business to the consumer, for at least 24 months.
[NEW] For businesses which buy or sell personal information of four million or more California consumers
• Compile the following metrics for the previous calendar year:
o The number of requests to know that the business received, complied with in whole or in part, and denied;
o The number of requests to delete that the business received, complied with in whole or in part, and denied;
o The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
o The median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
• Establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.
Verification of Requests
The California Attorney General’s office provided significant clarification regarding verification of consumers, but also added several operational issues including a risk of harm analysis that appears to need to be conducted for each request.
Factors to Consider for Verification. Establish a "reasonable method" for verifying the identity of a person making a Request to Know or Request to Delete.
• Match the information provided by the consumer to the personal information maintained by the business or the use of a third-party identity verification service
• Factors used to determine whether the method is reasonable include
o The sensitivity of the information requested
o The risk of harm to the consumer from unauthorized access or deletion
o The likelihood that malicious actors would seek the personal information; and
o The manner in which the business generally interacts with the consumer.
• A business should generally avoid requesting additional personal information from the consumer in order to verify the request.
Requests to Know and Requests to Delete
Methods of Submitting Requests to Know/Delete
Must provide two or more designated methods for submitting requests.
• Business must consider the methods by which it interacts with consumers when determining which methods to provide
• At least one method offered must reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods for submitting requests to know.
A consumer is permitted to use an "authorized agent" to submit a Request to Know or Request to Delete on the consumer's behalf; [NEW] the business may require that the consumer
• Provide written permission to the authorized agent to make the request and
• Verify their own identity directly with the business.
[NEW] A business may also accept a Power of Attorney that complies with the California Probate Code requirements.
For submitting requests to know:
• Provide, at a minimum, a toll-free telephone number and
• [NEW] If the business operates a website, an interactive webform accessible through the business’s website or mobile application.
• Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.
For submitting requests to delete:
• These can include any of the methods that are acceptable for requests to know, and are not prescribed by regulation.
[NEW] If a consumer submits a request that is not one of the designated methods of submission, or is otherwise deficient (other than deficient verification), the business shall either:
• Treat the request as if it had been submitted in accordance with the business’s designated manner, or
• Provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.
Deadlines to Acknowledge and Respond to Requests to Know/Delete
A business must:
• [NEW] Confirm receipt of the request from the consumer within ten days of receipt
• Respond to the request within 45 days from the date the request is received
• [NEW] If the business requires an additional 45 days to respond, provide notice to the consumer with an explanation for why it will take longer to respond to the request
[NEW] If a business denies a request, it must inform the consumer that it will not comply and describe the basis for the denial.
Responding to Requests to Know
If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers if the portal
• Fully discloses the personal information that the consumer is entitled to,
• Uses reasonable data security controls, and
• Complies with the verification requirements
[NEW] A business shall use reasonable security measures when transmitting personal information to the consumer.
The 12-month period covered by a consumer’s verifiable request to know runs from the date the business receives the request, regardless of the time required to verify the request.
Requests to know specific pieces of personal information
For requests to know specific pieces of information, the business must verify the identity of the person making the request.
• If the business cannot verify the identity of the person making the request the business
o Must not provide specific information about the consumer to the requestor
o Must inform the requestor/consumer that it cannot verify their identity
• [NEW] If the request is denied in whole or in part, the business must respond to the consumer’s request as if it seeks the disclosure of categories of personal information about the consumer
[NEW] Business must not provide specific pieces of information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of
• That personal information,
• The consumer’s account with the business, or
• The security of the business’s systems or networks.
[NEW] Business shall not at any time disclose a consumer’s
• Social Security number, driver’s license number or other government-issued identification number,
• Financial account number,
• Any health insurance or medical identification number,
• An account password, or
• Security questions and answers.
[NEW] If a business denies a consumer’s verified request to know specific pieces of information because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial. If the request is denied only in part, the business shall disclose the other information sought by the consumer.
Requests to know categories of personal information
The business must verify the identity of the person making the request
[NEW] If a business cannot verify the identity of the person making the request the business
• May deny the request to disclose the categories and other information requested and
• Must inform the requestor that it cannot verify their identity
If verified, then the business shall provide for each identified category of personal information it has collected about the consumer:
• the categories of sources from which the personal information was collected;
• the business or commercial purpose for which it collected the personal information;
• the categories of third parties to whom the business sold or disclosed the category of personal information and
• the business or commercial purpose for which it sold or disclosed the category of personal information.
[NEW] These disclosures must be made in a manner that provides consumers a meaningful understanding of the categories. The business must provide an individualized response to the consumer as required by the CCPA unless the answer would be exactly the same for every consumer.
Responding to Requests to Delete
If a business cannot verify the identity of the requestor, the business may deny the request to delete. In that case, the business will:
• Inform the requestor that their identity cannot be verified and
• [NEW] Treat the request as a request to opt out of the sale of personal information
Comply with a consumer’s request to delete their personal information by:
• Permanently and completely erasing the personal information on its existing systems with the exception of archived or back-up systems
o Note: If a business stores any personal information on archived or backup systems, it may delay compliance with the request to delete data stored on the archived or backup system until the archived or backup system is next accessed or used.
• De-identifying the personal information; or
• Aggregating the personal information.
In responding to a request to delete, a business will:
• Specify the manner in which it has deleted the personal information
• Disclose that it will maintain a record of the request
• Use a two-step confirmation process where the consumer confirms their selection
[NEW] A business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered, and is more prominently presented than the other choices.
If a business denies a consumer’s request to delete the business will:
• Inform the consumer that it will not comply with the consumer’s request
• Describe the basis for the denial, including any statutory and regulatory exception
• Delete the consumer’s personal information that is not subject to the exception; and
• Not use the consumer’s personal information retained for any other purpose than provided for by that exception.
Consent for Sale of Minor Identification
If a business is collecting personal information from a child under the age of 13, both federal and state law are implicated, and the CCPA makes specific reference to the federal Children’s Online Privacy Protection Act (COPPA).
Under the CCPA, the business must receive verified consent from the child's parent or guardian affirmatively authorizing the sale of that personal information. The regulations set forth various methods for verifying that the person providing the consent is the child's parent or guardian. Such methods include the following:
• Providing a consent form to be signed by the parent/guardian under penalty of perjury and returned to the business by mail, fax, or electronic scan
• Requiring a parent/guardian, in connection with transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder
• Having a parent/guardian call a toll-free telephone number staffed by trained personnel
• Having a parent/guardian connect to trained personnel via video-conference
• Having a parent/guardian communicate in person with trained personnel
• Verifying a parent/guardian’s identity by checking a form of government-issued identification against databases of such information (note the requirement that the parent’s/guardian’s ID must be deleted by the business from its records promptly after such verification is complete)
[NEW] For children over 13 years old, the business must implement a two-step process to confirm the choice to authorize the sale of personal information. A two-step process is essentially a double opt-in – the individual makes the request and the business implements a step to confirm that the request was made.
[NEW] The regulations specifically state that these requirements are in addition to the COPPA requirements; businesses will need to comply with both.
The California Attorney General’s office will be holding listening sessions through early December 2019 and will release final regulations in early 2020, with an implementation date of July 1, 2020, as provided in the CCPA. While some of these requirements will likely be adjusted in the final rules in response to public comment, proceeding to implement these rules and then making the few changes necessary once the final rules are issued will likely be easier, and less resource-intensive, than waiting for the release of the final rules.
- Operationalizing the California Consumer Privacy Act (2019)
- Creating a Modern, Compliant and Easier-to-execute Records Retention Schedule (2018)
- Executing Your Records Management Program (2018)
ACC Maturity Models
- ACC US States’ Privacy Capability Maturity Model (2019)
- ACC Records Management Maturity Model (2019)