The California Attorney General (AG) has released new regulations as part of a proposed rulemaking process to create procedures for facilitating consumers’ CCPA rights. While aimed at clarifying the CCPA requirements and providing compliance guidance, the proposed regulations raise questions and concerns.
In Part I of our review, we discussed the challenges introduced by the AG’s proposed regulations for implementing the notice requirements under the CCPA. In Part II we reviewed the financial aspects and the potential social impact that the CCPA will have if implemented pursuant to the proposed regulations.
Part III discusses the multiple procedures that businesses will need to put in place to comply with the CCPA, as instructed by the AG’s proposed regulations.
Part III – CCPA Bureaucracy
10. New Internal Procedures
Internal procedures and practices form an integral part of a company’s efforts to comply with regulations. The proposed regulations increase the need to form adequate internal policies and procedures. Some of them are not covered, in whole or in part, by other data protection regulations (specifically, the GDPR). These may cover –
– A detailed consumer verification process;
– Privacy policy updates, including explicit consent processes;
– Handling opt-out of sale requests;
– Handling requests to know and to delete;
– Handling use of minors’ information, including opt-in to the sale of information of minors 13 to 16 years of age;
– Non-discrimination assessments;
– Consumer data value assessments;
– Consumer requests’ metrics;
– Training.
11. Retailers May Need to Provide Three Methods for Requests to Know
Under the CCPA (Section 1798.130(a)), a business needs to make available a toll-free number and one additional method (mailing address, email address, web page, or other applicable method) for submitting requests to know (access requests).
Most, if not all, retailers that own a physical store have an online presence as well. The proposed regulations (section 999.312(c)) require that in these cases the retailer provide three, rather than two, methods for submitting requests to know – a toll-free number, a web form and a hard copy form.
With more channels to manage requests, businesses will need more personnel and more internal procedures to handle and document the requests. The probability of errors and mishandling of requests may increase as a result.
12. The Battle Over the Webpage Footer
Throughout the years, footers of web pages have become a natural location for a whole array of links to online information. These typically include links to the terms of service, privacy policies, cookie notices, DMCA notices, licenses and other relevant terms.
The proposed regulations aim to claim the little room left in these footers. Businesses, including those that do not interact directly with consumers, would potentially need to provide six more links for –
– Requests to know submissions;
– Requests to delete submissions;
– The section of the business’s privacy policy that contains the information required for the collection notice;
– “Do not sell my personal information” web page;
– The section of a business’s privacy policy that contains the information required for financial incentives;
– The metrics required from a business that alone or in combination annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4 million or more consumers.
Presumably, as these links do not provide businesses with any commercial gain, they will likely be added to the already overloaded footers. Would the multiple links contribute to consumers’ control over their privacy, or would they be ignored due to the already existing data deluge that consumers face?
13. Security Risk Assessments to Consumers
Under the proposed regulations, a business will not provide a consumer with specific pieces of personal information, if the disclosure creates a “substantial, articulable and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”
As a result, businesses would need to assess whether the disclosure of the information creates such risks. Performance of the assessment requires data about the risk to the data on the consumer’s side. Without knowing the consumer’s information security practices, the business may not be able to assess properly whether a “substantial, articulable and unreasonable” risk exists or not.
Would this mean, in practice, that businesses will need to have their consumers go through security risk assessments to receive the information?
14. Multiple Do-Not-Sell Mechanisms
The CCPA requires a business to provide a “do not sell my personal information” link on the business’s homepage, to a webpage that enables the consumer to opt-out of the sale of the consumer’s personal information.
While the CCPA requires a single procedure for opting out, the proposed regulations require businesses to respond to an open-ended list of user-enabled controls, such as a browser plug-in and privacy settings. The potential consequences of this requirement are unclear. Will it require businesses to invest in measures to receive and process opt-out signaling from multiple sources, interfaces and transmission methods?
15. No Value-Added Services by Service Providers
Aggregated insights, trends, and relevant statistics are common practice among service providers, who offer these value-added services on a regular basis. These services, by their aggregated, statistical nature, require the service provider to use and analyze information derived from multiple clients.
Clients of data-driven services are accustomed to receiving aggregated insights and statistics from their service providers and see these services as an integral part of the services provided by their service providers.
Presumably, service providers will find themselves either violating the proposed regulations or forced to shift their position under the CCPA from a service provider to a business. Merging data from multiple sources will be permitted for a service provider only to detect data security incidents or to protect against fraudulent or illegal activity. The proposed regulations will prohibit any other data combining by service providers.
Conclusion
The California AG acknowledges the potential significant adverse economic impact of the regulations on California businesses and their ability to compete with businesses in other states.
A significant factor in the adverse impact lies with the multiple new procedures and policies that businesses will need to put in place to comply with the CCPA and the regulations. Companies that operate in multiple territories already face a substantial regulatory burden. Mitigation of the adverse economic impact of the regulations lies with reducing, rather than expanding, the scope of mandated procedures and policies.