On October 10, the California Attorney General released the long-awaited proposed regulations (“CCPA Regulations” or “Regulations”) for the California Consumer Privacy Act (“CCPA”).  As noted in the press release announcing the CCPA Regulations, the Regulations are intended to operationalize the CCPA, provide additional guidance to consumers and businesses subject to the CCPA, and address some of the open issues raised by the CCPA.  Once finalized, the CCPA Regulations will govern compliance with the CCPA.

Below, we have provided a short summary of the information and requirements addressed by the CCPA Regulations.

Article 1: General Provisions

In addition to the terms already defined by the CCPA, the Regulations define additional terms that assist in interpreting the CCPA.  For example, “household,” a term used but not defined in the CCPA, is defined by the Regulations as “a person or group of people occupying a single dwelling.”  An additional term used but not defined in the CCPA, “financial incentive,” is defined by the Regulations as “a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information.”

Article 2: Notices to Consumers

Article 2 of the Regulations provides requirements regarding notice to be provided to consumers at or before collection of PI; notice of a consumer’s right to opt-out of the sale of their PI; and notice of any financial incentives that may be offered in exchange for the retention or sale of a consumer’s PI.  Many of these provisions provide for entirely new obligations for businesses that were not explicitly required by the text of the CCPA.  For example, under the CCPA, at or before the collection of a consumer’s PI, a business is required to provide notice to the consumer regarding the purposes for which the PI will be used.  If the business later intends to use the consumer’s PI for a different or additional purpose, the business must provide the consumer with notice of the new purpose.  The CCPA Regulations require businesses to not only notify a consumer of the new purpose, but also to “obtain explicit consent from the consumer” to use the PI for the new purpose.

Article 2 also provides detailed requirements for the privacy policy required to be provided to consumers under the CCPA.  For example, the privacy policy must explain a consumer’s right to know what PI the business collects, uses, discloses, and sells; provide instructions for submitting a verifiable consumer request to know; provide links to an online request form or portal for making such request, if offered by the business; and describe the process the business will use to verify the consumer request, including any information the consumer must provide.  Article 2 also clarifies that the privacy policy should not contain specific pieces of personal information about individual consumers and need not be personalized for each consumer.

Article 3: Business Practices for Handling Consumer Requests

Article 3 of the Regulations provides requirements regarding (1) Methods businesses must provide for consumers to submit requests to know what PI is collected, shared, used, or sold and requests to delete PI; (2) Procedures for responding to requests to know and requests to delete; (3) Methods businesses must provide for consumers to submit requests to opt-out of the sale of their PI and required procedures for responding to such requests; (4) The opt-in process businesses must use for consumer requests to opt-in after opting out of the sale of their PI; (5) Training that businesses must provide to employees; and (5) Recordkeeping obligations.  Article 3 also provides additional information regarding what persons or entities qualify as service providers, and actions that service providers can and cannot take in relation to consumer PI.

As another example of a new obligation for businesses not explicitly required by the text of the CCPA, Article 3 of the Regulations creates requirements for businesses regarding requests to access or delete household information.  Specifically, if all consumers of a household jointly request access to specific pieces of information for the household or deletion of household PI, and a business can individually verify all of the members of the household, then the business must comply with such request.

Article 4: Verification of Requests

Article 4 provides general rules regarding the CCPA’s requirement to verify a consumer’s identity before taking an action in response to a consumer request.  When determining what method to use to verify a consumer’s identity, businesses must consider factors such as the type, sensitivity, and value of the PI; the risk of harm to the consumer posed by any unauthorized access to or deletion of PI; and the likelihood that fraudulent or malicious actors would seek the PI.  If a business is unable to verify a consumer’s identity from the information it already maintains on the consumer, then the business may request additional information from the consumer that can only be used for purposes of verifying the consumer’s identity and must be deleted as soon as practicable after processing the consumer’s request.  Businesses are permitted to use a “third-party verification service,” defined by the Regulations as “a security process offered by an independent third party who verifies the identity of the consumer making a request to the business.”  Such third-party verification services are required to comply with Article 4’s verification requirements as well.

The Regulations also require businesses to implement reasonable security measures to detect fraudulent identity-verification activity and to prevent the unauthorized access to or deletion of a consumer’s PI.  Article 4 outlines requirements relating to verification for password-protected accounts, verification for non-accountholders, and verification in situations where a consumer uses an authorized agent to submit a consumer request.

Article 5: Special Rules Regarding Minors

Article 5 outlines opt-out requirements businesses must implement for the sale of minors’ PI.  For minors under 13 years of age, a business must establish a reasonable method for determining that the person affirmatively authorizing the sale of the minor’s PI is the parent or guardian of that minor.  Examples of some of the “reasonable methods” provided in the Regulations include providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business; having a parent or guardian call a toll-free phone number staffed by trained personnel; having a parent or guardian connect to trained personnel via video-conference; and having a parent or guardian communicate in person with trained personnel.

Article 5 also provides requirements for allowing minors at least 13 and less than 16 years of age to opt-in to the sale of their PI and sets forth situations in which businesses are not required to provide notice of a consumer’s right to opt-out of the sale of their PI.  Specifically, businesses that (1) exclusively target offers of goods or services directly to minors under 16 years of age and (2) do not sell the PI of such minors without their affirmative authorization, or, for minors under 13 years of age, without the affirmative authorization of the minor’s parent or guardian, are not required to provide notice of the right to opt-out.

Article 6: Non-Discrimination

Article 6 provides long-awaited guidance regarding the CCPA’s nondiscrimination requirements and how businesses can calculate the value of consumer data.  While a business cannot treat a consumer differently because the consumer exercised a right under the CCPA or under the Regulations, a business can offer a price or service difference to a consumer if the difference is reasonably related to the value of the consumer’s data.  An illustrative example provided by the Regulations is a music streaming business that offers a free service and a premium service for $5 per month.  If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their PI, then the practice is discriminatory, unless the $5 per month payment is reasonably related to the value of the consumer’s data to the business.

Article 6 helpfully clarifies that the “value provided to the consumer by the consumer’s data” (the language used in the CCPA) is the value provided to the business by the consumer’s data, referred to simply as “the value of the consumer’s data” within the Regulations.  Examples of some of the methods that businesses can use to calculate the value of the consumer’s data include the marginal value or average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data; revenue or profit generated by the business from the sale, collection, or retention of consumer’s PI; and expenses related to the offer, provision, or imposition of any financial incentive or price or service difference.

Next Steps Before Regulations Finalized

Before the Regulations are finalized, interested stakeholders will have multiple opportunities to provide input.  The Attorney General will hold four public hearings in California from December 2-5 where interested parties can present oral or written statements or comments.  Additionally, the Attorney General will be accepting written comments from any interested party or their duly authorized representative until the written comment period closes on December 6, 2019 at 5:00 pm PST.

Fey LLC will continue to closely monitor CCPA developments.  To ensure you don’t miss out on any articles and alerts we prepare on the CCPA or other significant data protection laws and developments, you can follow our LinkedIn page here.

Laura Fey

Laura Clark Fey, Privacy Law Specialist (IAPP), is the principal at Fey LLC.

Hannah Zimmerman

Hannah Zimmerman is an associate attorney with Fey LLC.