By Rotem Perlman-Farhi and Dan Or-Hof
The California Attorney General’s CCPA regulations are reaching their final stage.
On June 1, 2020, following a long process of public hearings, receipt of letters and comments from the public, and two sets of modifications to the CCPA Regulations, the California Attorney General submitted the final proposed regulations under the CCPA.
As the Attorney General is expected to start enforcing the CCPA in July 2020, the Regulations become a crucial aspect for businesses to assess their risks and make the necessary arrangements to comply.
The 5 most important issues that businesses should consider in preparing for the Regulations:
- Disclosure obligations are broader and more onerous;
- Privacy notices should meet a specific accessibility standard;
- Service providers’ options to use personal information are delineated more accurately;
- There are new procedural requirements to process access and deletion requests;
- Records of processing are not just a GDPR requirement. The Regulations impose their own set of record-keeping obligations.
Although the approval by the Office of Administrative Law is still pending, given the upcoming Regulations’ effective date and since the final version of the Regulations does not include any substantial changes from the second version of the Regulations (published on March 11, 2020), businesses should make the necessary preparations to comply with the Regulations.
The California Consumer Privacy Act (CCPA) entered into effect on January 1, 2020. The purpose of the AG Regulations is to provide guidance to businesses on how to comply with the CCPA and to enable consumers to exercise new rights over their personal information.
However, the AG Regulations do much more. They broaden the scope of some aspects of the CCPA, introduce additional obligations on businesses and service providers, and add more substance to the CCPA. For a detailed analysis of the first draft of the AG Regulations, please see Part I, Part II and Part III of our analysis.
Below is a short summary of the additional requirements that the Regulations entail. Please note: this is not an exhaustive list of the requirements under the Regulations, and our description below should not be read as a substitute for the wording of the Regulations.
Additional Disclosure Obligations
The Regulations impose additional disclosure requirements upon businesses. This is done, among other things, by the following:
- Clarifications to some of the definitions, for example, by providing additional examples to clarify the meaning of “categories of sources”. Businesses should review whether their current privacy policies include disclosures relating to categories of sources and categories of third parties in view of the examples listed in the Regulations.
- Another example is the definition of “request to know” (the ‘right of access’), which has been clarified under the Regulations to mean “a consumer request that a business disclose personal information that it has collected about the consumer, and includes a request for specific pieces of personal information that a business has collected about the consumer.” Given the broad definition of collection under the CCPA, businesses will need to disclose more than just the personal information that they have about the consumer. The definition of “request to delete” has not changed, and a business will be required to delete only personal information about the consumer that it has collected from the consumer.
- Under the Regulations, businesses that sell personal information must also provide, for each identified category of personal information, the categories of third parties to whom the information was disclosed or sold.
The Regulations mandate the use of a standard to meet the requirements for reasonable accessibility for consumers with disabilities under the CCPA. Under the Regulations, online notices should use “generally recognized industry standards, such as the Web Content Accessibility Guideline, version 2.1 of June 5, 2018, for the World Wide Web Consortium” to make the notices accessible.
The Regulations added specific requirements regarding the Notice of Collection and the Privacy Notice for businesses that collect personal information through a mobile application.
The Regulations clarify that a business may not require the consumer or the consumer’s authorized agent to pay a fee for the verification of a request to know or a request to delete (for example, a notarized affidavit for verification purposes may not be required unless the business compensates the consumer for the cost of notarization).
- Service providers’ obligations should also be carefully reviewed. For example, a service provider is now permitted to use the personal information internally “to build or improve the quality of its service, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or cleaning or augmenting data acquired from another source.”
- Service providers are allowed to either act on behalf of the business in responding to consumer requests or simply inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.
Procedure for Responding to Requests to Know and Requests to Delete
- A new deadline was added: businesses will have 10 business days to confirm a request to know or delete and should provide the confirmation message in the same manner in which the request was received.
- The information that a business should provide in response to a verified request to know must include, for each category of personal information:
  - the categories of third parties to whom the business sold that particular category of personal information in the preceding 12 months; and
  - the categories of third parties to whom the business disclosed for a business purpose that particular category of personal information in the preceding 12 months.
- A business that sells personal information should ask the consumers if they would like to opt-out when receiving a deletion request.
- A business should not comply with requests to access or delete household information unless all consumers jointly make the request, the business verifies all members, and the business verifies that all members are currently members of the household. If a member of a household is under 13 years of age, the business must obtain verifiable parental consent.
Requests to Opt-Out
A new deadline was added: a business must comply with a request to opt-out no later than 15 business days from the date the business receives the request. During that 15-day window, a resale by third parties is prohibited, but a sale (by the business to third parties) may be permissible.
- Businesses are now required to maintain records of consumer requests and how the business responded to such requests for at least 24 months. Businesses will need to implement reasonable security procedures and practices in maintaining these records.
- Another new requirement is that information maintained for recordkeeping purposes shall not be shared with any third party.
Toward the Effective Date
Businesses that need to comply with the CCPA will need to conduct additional implementation work to adapt their procedures and policies to the forthcoming AG Regulations. The preparation and implementation work could take time.
As the Regulations have probably reached their final version, businesses now have a clear picture of what it will take to comply with the CCPA after the Regulations take effect.