California Attorney General Issues Long Awaited Draft CCPA Regulations

The Attorney General of California recently released draft regulations to implement the California Consumer Privacy Act. The CCPA becomes effective January 1, 2020.

In short, the CCPA grants California residents comprehensive rights relating to their personal information, including, but not limited to, dissemination and deletion.  Importantly, “personal information” is defined broadly under the CCPA and includes any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” when collected by a for-profit business that either: (i) has annual gross revenues in excess of $25 million; (ii) buys, receives or sells the personal information of 50,000 or more consumers, households or devices; or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The draft regulations provide guidance concerning the notices covered entities must provide to consumers, how to handle consumer requests, how to verify the identity of the consumers making such requests, best practices relating to personal information of minors under the age of 16, and the offering of incentives to consumers that do not exercise their rights under the CCPA.

There are a number of required consumer notices under the CCPA.  

Without limitation, they must be clear, conspicuous and easy to read.  Specified information must be included in notices and there are collection restrictions in the absence of notice.  Notice must be provided to consumers at or prior to collection of personal information. Consumers should be fully informed of, without limitation, the categories of personal information collected and purposes for which such information shall be used.

There is also a personal information opt-out notice requirement.  

The notice of a right to opt-out of the sale of personal information must be posted on the webpage to which a consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage.  The opt-out right notice must include a description of consumers’ right to opt-out of the sale of personal information, a mechanism for the consumer to submit the opt-out request online and a link (or URL) to the applicable privacy policy.

Very generally speaking, any transfer or disclosure of personal information about a California consumer to a third-party in exchange for consideration, regardless of whether money is exchanged, would qualify as a “sale” under CCPA.

Note that the term “homepage” does not necessarily mean what you may think it means.

Pursuant to the CCPA, a homepage is more than just a website’s introductory page.  It is also defined as “any internet web page where personal information is collected.”  It also includes the download or landing page of a mobile application. Thus, publishers and advertisers are required to provide the opt-out button to California residents on all pages that have any form of data collection, including, but not limited to, third-party trackers.

Covered businesses are also provided with methods for consumers to submit various requests (e.g., for information, to delete and to opt-out) and instructions on how to respond to such requests.  Importantly for digital marketers, the draft regulations impose mandatory deadlines for confirming receipt of and completing such requests, as well as notifying third-parties.

The draft regulations provide for a 24-month minimum retention period for consumer requests and related responses.  There are recordkeeping maintenance provisions, as well.  

Additionally, the draft regulations provide that covered businesses must establish (and document) a reasonable method of verification that considers the nature of applicable personal information and risks of harm to consumers in the event of unauthorized access.  There are specific requirements applicable to consumers with password-protected accounts and non-accountholders. The CCPA also imposes an obligation to implement reasonable security measures to detect fraudulent verification activity and prevent the unauthorized access to personal information.  Consult with an experienced FTC defense attorney to discuss data point verification thresholds.

Covered businesses must also obtain affirmative authorization for the sale of personal information of minors under 16 years of age, in addition to verification methods relating to children under the age of 13.  The foregoing is in addition to the verifiable parental consent requirement imposed under the Children’s Online Privacy Protection Act.  COPPA applies to the collection of personal information, rather than just the sale of such information.

The CCPA also requires covered businesses that offer financial incentives to notify consumers of such incentives.  The notice must include, without limitation, a succinct summary of the financial incentive offered, a description of the material terms of the financial incentive (including the categories of personal information that are implicated by the financial incentive), how consumers can opt-in to the financial incentive, notification of the right to withdraw from the financial incentive at any time and how the consumer may exercise that right, an explanation of why the financial incentive (or price or service difference) is permitted under the CCPA, including a good faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference, and a description of the method by which the amount was calculated.  The policy behind the foregoing is so that consumers are able to make informed decisions regarding participation in the incentive.

Privacy policies must be posted on the homepage (and anywhere else personal information is collected, or the download or landing page of a mobile application) via a “conspicuous link” using the word “privacy.”  Privacy policies must include, without limitation: (i) information regarding consumers’ right to know about personal information collected, disclosed or sold; (ii) information regarding consumers’ right to request deletion of their personal information; (iii) information regarding consumers’ right to opt-out of the sale of their personal information; (iv) information regarding consumers’ right to non-discrimination should they exercise their privacy rights; and (v) contact information for inquiries regarding privacy practices.

The draft regulations do not include comprehensive consideration of recently enacted amendments to the CCPA.

See the CCPA Fact Sheet, here.

Richard B. Newman is a federal litigation attorney at Hinch Newman LLP. Follow him on Twitter @ FTC Defense Attorney.

Informational purposes only. Not legal advice. May be considered advertising material.