Introduction
Privacy notice requirements
Handling consumer requests
Verification of consumer requests
Rules regarding minors
Non-discrimination
On October 10, California Attorney General Xavier Becerra (CA AG) released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons that provide drafting insights and outline considerations that likely will continue to guide the rulemaking process. The CA AG is accepting written comments from the public until 5:00pm (PST) on December 6, 2019.
The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized below:
The proposed regulations emphasize that the pre-collection notice (a separate requirement from the online privacy policy) must describe the categories of PI to be collected and purposes for which each category will be used. The pre-collection notice is required for the collection of all personal information (PI). Such notice must be "visible or accessible where consumers will see it before any [PI] is collected." For example, it can be provided by posting a link to the relevant information on the business's website and, where a business collects PI at a bricks and mortar location, placing physical signage with the web address where the relevant information can be found. Notably, a business that intends to use previously collected PI for a new purpose not described in the pre-collection notice must obtain explicit consent from the consumer.
Businesses that do not directly collect PI from consumers are exempted from the pre-collection notice obligation but are required, before engaging in a sale, to take certain steps such as providing a pre-sale notice to consumers or contacting the source of the information to confirm they provided notice at collection and to obtaining from the source a signed attestation about their notice.
The proposed regulations would create training and record-keeping requirements and clarify acceptable methods for receiving and responding to consumer requests. Key provisions are listed below:
- Acceptable methods for receiving consumer requests
- Business' means of interacting with consumers determine acceptable request methods.
- Businesses may need to comply with deficient consumer requests, or requests submitted through non-designated methods.
- Businesses must treat user-enabled privacy controls (e.g., browser plugins) as a valid method for submitting opt-out requests.
- Requirements for responding to consumer requests
- Businesses must provide individualized responses to requests for information about collection, use, and disclosure of PI (e.g., cannot rely on privacy policy) unless the information in the privacy policy would be the same for all consumers.
- Businesses are prohibited from disclosing certain sensitive PI in response to a request under any circumstances (e.g., SSN, driver's license number, health insurance or medical identification number).
- Sale opt-out requests have a 15 day deadline.
- Businesses must forward sale opt-out requests to all third parties to whom the business has sold the consumer's PI in the past 90 days (and notify the consumer when this process is complete).
- Businesses may limit responses for access requests to household data.
- Deleting PI pursuant to consumer requests
- Businesses can "delete" PI via (1) outright deletion, (2) deidentificaiton, or (3) aggregation.
- Record keeping requirements
- Large businesses (annually processing PI of 4 million or more consumers) must compile and publish metrics on their receipt of and response to consumer requests.
Verification of consumer requests
The proposed regulations require businesses to adopt different standards for verifying consumer requests ("reasonable" vs. "reasonably high" degree of certainty) depending on the type of request received, the type of PI involved, and the business relationship with the consumer. "Reasonable" verification may involve matching two pieces of PI from the requestor to the business's records, while "reasonably high" verification may involve matching three pieces of PI and obtaining a signed declaration from consumer. In addition, the proposed regulations require businesses to implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access and deletion of PI.
The proposed regulations clarify that the CCPA's requirement that businesses obtain consent from parents/guardians before selling the PI of children under 13 is separate from the consent required under the Children's Online Privacy Protection Act (COPPA) and provides examples of reasonable methods for determining that the individual consenting to such sales is the child's parent/guardian.
The proposed regulations allow businesses to treat consumers differently (including by denying certain CCPA rights) if the differential treatment is reasonably related to the value of the consumer's data. They also provide businesses with examples of reasonable methods for calculating the value of consumer data (for financial incentive and differential treatment reasons).
For further information on this topic please contact Mark M Brennan, Timothy P Tobin, Bret S Cohen or Melissa K Bianchi at at Hogan Lovells by telephone (+1 202 637 5600) or email ([email protected], [email protected], [email protected] or melissa.bianchi@?hoganlovells.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.
