2020 CCPA Proposed Regulations – Guide to Next Steps
Author: Mia Cawley
On August 14, the California Office of Administrative Law (OAL) approved the California Department of Justice’s regulations regarding the California Consumer Privacy Act (CCPA). The regulations took effect immediately. The CCPA gives California consumers certain rights to learn what personal information businesses collect and use. Covered businesses must now comply with both the statutory and final regulation requirements.
When Does the Collection of Information Require Notice?
Notice at Collection of Personal Information
A business is required to provide a “Notice At Collection of Personal Information,” informing consumers of what data will be collected, when it will be used, and its intended purpose at or before the time of collection. The notice should include:
- A list of categories of personal information collected
- Business or commercial purpose of information collected
- If selling information, a link titled “Do Not Sell My Personal Information”
A consumer’s personal information can’t be used for a purpose materially different than those disclosed in the notice at collection.
Notice of Right to Opt Out of Sale of Personal Information
If a business sells its consumers’ personal information, a notice must be provided informing the consumer of the right to opt out. In an easily understandable format, the notice must include information on the consumer’s right to opt out, an interactive online form the consumer can submit to opt out, and instructions for alternate opt out methods. An opt-out notice isn’t required if the business doesn’t:
- Sell personal information
Notice of Financial Incentive
The CCPA regulation outlines how to estimate and document the good faith value of the consumer’s data. For example, if a business provides a financial incentive as compensation for the collection, sale, or deletion of personal information, a notice must be provided that explains the material terms of the offered financial incentive, price, or service difference. In the notice, the business will need to provide a description of the method used to determine the value of the consumer’s data.
How to Address Consumer Requests
Businesses will be required to set up a process to handle requests from consumers wishing to exercise their rights under the CCPA.
Submitting Requests to Know and Requests to Delete
For requests to know, if a business is solely online and has a direct relationship with a consumer from whom personal information is collected, the business is only required to provide the consumer an email address. Otherwise, it must provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number. For all requests to delete, the business must provide two methods to submit the requests. The business should consider how it primarily interacts with consumers when determining the appropriate methods consumers should utilize for submitting requests to know and requests to delete.
Responding to Requests to Know and Requests to Delete
Upon receiving a request to know or a request to delete, a business must confirm receipt of the request within 10 business days and provide information about how the business will process the request. Businesses should respond to requests to know and requests to delete within 45 calendar days. If necessary, businesses may take up to an additional 45 calendar days (for a maximum total of 90 calendar days) from receipt of initial request if the business notifies the consumer explaining why an additional 45 days was needed.
If a business denies a consumer’s verified request to know specific collected personal information, the reason for the denial must be explained unless specifically prohibited by law. The business can also deny the request if the identity of the requestor can’t be verified. Once the identity of the requestor is verified, the business must permanently delete the personal information. If the information is stored on archived or backup systems, deletion isn’t required (unless the system containing it is reactivated for the purpose of selling, disclosure, or another commercial purpose). If a request to delete is fulfilled, a record of the request will be retained upon consumer notification. In cases where a request to delete is denied due to an exception, the business must explain the reason for the denial and delete all personal information not included in the exception.
Requests to Opt Out
California consumers have a right to opt-out of the business’ sale of personal information collected. Compliance with the consumer request must occur no later than 15 business days from the date of receipt. In addition, a business shouldn’t utilize a method that has the substantial effect of subverting or impairing a consumer’s decision to opt-out. An authorized agent can submit a request to opt out on a consumer’s behalf. If a business has a good-faith, reasonable, and documented belief that a request to opt out is fraudulent, it may deny the request. The consumer will have the ability to opt in to the sale of personal information. Additionally, if a consumer submits a request a delete and has not opted out, the business shouldn’t offer the option to opt out.
A business must establish, document, and comply with a reasonable method for verifying that the person making a request to know or delete is the consumer from whom the business has collected information. Businesses can match identifying personal information with retained records. Sensitive or valuable personal information warrants a more stringent verification process. Unless reasonably necessary, a business should avoid requesting additional information from the consumer for purposes of verification. Reasonable security measures to detect fraudulent identity verification activity should be implemented by the business. A request to know specific personal information can be denied if a business can’t verify the identity of the requestor pursuant to these regulations.
Training and Record Retention
All individuals responsible for handling consumer inquiries concerning privacy practices should be informed of all CCPA requirements. All requests made concerning consumer information must be retained with proper security measures for at least 24 months. Stored information shouldn’t be used for any purpose except to review or modify processes for compliance. For businesses exceeding 10,000,000 consumers that buy or receive personal information, organizations must compile metrics on the number of received requests to know, delete, and opt out, as well as the average number of days needed to respond to each of those requests.
Special Rules Regarding Consumers under 13 to 15 years of age
Consumers (under the age of 13) may opt in to the sale of personal information. Businesses that have knowledge of the sale of personal information of consumers under the age of 13 must establish, document, and comply with a method for determining that the person who authorized the sale is the parent or guardian of that child. A business with knowledge that it sells the personal information of consumers between the ages of 13 and 16 should establish, document, and comply with a reasonable process allowing such minors to opt in to the sale of their personal information.
Many businesses developed policies and procedures in order to comply with the CCPA. With the regulations finalized, businesses should review these documents for additional information. For further guidance, please visit State of California Department of Justice California Consumer Privacy Act, or consult our blog post, 2020 CCPA: What Financial Institutions Should Expect.