February 18, 2020

February 17, 2020

Subscribe to Latest Legal News and Analysis

Analysis of Modified Attorney General Regulations to CCPA – Part 2: Business Practices for Handling Consumer Requests

Overview:

We previously provided insights into this important portion of the CCPA regulations here.  In this installment, we address important revisions provided by the AG’s office to Article 3 of these regulations, several of which will have far-reaching implications. 

Below please find an overview of particularly relevant changes:

  • Businesses that only operate exclusively online and collect personal information from consumers with whom they have a direct relationship, will only be required to provide an email address for requests to know, as opposed to two or more methods, one of which had to be a toll-free phone number. 

  • Businesses are no longer required to use a two-step process for online requests to delete, consisting of the submission of the request and confirmation.  Instead, the two-step is optional. 

  • Businesses that cannot verify the consumer within 45 days of a request to know or delete may deny the request. 

  • Businesses no longer have the same responsibilities to search for personal information when responding to a request to know.  Businesses do not need to search for personal information that is not maintained in a searchable or reasonably accessible format, is only maintained for legal or compliance purposes and is not sold or used for a commercial purpose.  If each of these conditions is met, the business may instead describe to the consumer the categories of records that it did not search because these conditions were applied.

  • Businesses shall not disclose in response to a request to know unique biometric data generated from human characteristics. 

  • When responding to a request to know categories of personal information, businesses must now include additional information regarding the categories. 

  • When responding to requests to delete, businesses must now ask the consumer if they would like to opt-out of the sale of their personal information and provide the opt-out link or notice.  Businesses no longer have to treat all unverifiable requests to delete automatically as requests to opt-out. 

  • Service providers are restricted from processing personal information received from a business except to: (1) perform services in the contract with the business that provided the personal information, (2) engage a different service provider as a subcontractor, (3) use the data internally to build or improve the quality of its services; (4) protect against fraudulent or illegal activity and detect data security incidents or; (5) process in accordance with certain exemptions to the CCPA. Additionally, the requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business has been eliminated.  Instead service providers are permitted but not required to respond directly.

Key Elements

§ 999.312 “Methods for Submitting Requests to Know and Requests to Delete”

Businesses that only operate online, and have a direct relationship with the consumers from which they collect personal information now only have to provide an email address for requests to know.  However, interestingly, businesses will still need to provide two or more methods for submitted requests to delete, one of which may be the email address. 

Businesses that interact with consumers in person “shall consider” but are not required to provide an in-person method such as a printed form to be submitted directly, or by mail, or a tablet or computer portal, or a phone that the consumer can use to call the business’s toll free number.  This changes the earlier requirement that at least one method would reflect the manner in which the business primarily interacts with the consumer. 

§ 999.313. Responding to Requests to Know and Requests to Delete  

Confirmation: Confirmations of a request to know or delete may be provided in the same manner in which the request was received. 

Verification: Businesses that cannot verify a consumer within the 45 day period given to respond to a request to know or delete may deny the request.  

Searching for personal information when responding: Businesses no longer have the same responsibilities to search for personal information when responding to a request to know.  Businesses do not need to search for personal information that is not maintained in a searchable or reasonably accessible format, is only maintained for legal or compliance purposes and is not sold or used for a commercial purpose.  If these conditions are met, the business may instead describe to the consumer the categories of records that it did not search because these conditions were applied.

Responding to requests to know and delete generally:

Businesses shall not disclose in response to a request to know unique biometric data generated from human characteristics.

Additional guidance has been provided regarding requests to know categories of personal information.  The business must now explicitly provide categories of information collected in the past 12 months, which of these categories it has sold to others, and for each of these sold categories, the categories of third parties the category was sold to, along with any categories it disclosed for a business purpose, and to which categories of third parties these disclosures were made.

When responding to at least unverifiable requests to delete, businesses must now ask the consumer if they would like to opt out of the sale of their personal information, and provide the opt-out link or notice.  Businesses no longer have to treat all unverifiable requests to delete automatically as requests to opt-out.    

§ 999.314. Service Providers

New, narrower scope of processing for service providers: Service providers are restricted from processing personal information received from a business except to: (1) perform services in the contract with the business that provided the personal information, (2) engage a different service provider as a subcontractor, (3) use the data internally to build or improve the quality of its services; (4) protect against fraudulent or illegal activity and detect data security incidents or; (5) process in accordance with certain exemptions to the CCPA.

Service providers can choose to respond to a consumer rights request or refer the consumer to the business: The requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business has been eliminated.  Instead service providers are permitted but not required to respond directly. 

Service providers are bound by opt-outs: Further, service providers cannot sell data on behalf of a business if the consumer has already opted out of the sale of the personal information. 

§ 999.315. Requests to Opt-Out

Opt-out method must be easy: Businesses must use an opt-out method that is easy for consumers and requires minimal steps.  Businesses are specifically prohibited from using a method designed to subvert or impair a consumer’s decision to opt-out. 

Privacy control requirements and conflicts: The regulations previously provided for privacy controls that a consumer could use to signal to the business their request to opt-out of the sale of their personal information. Now the regulations have provided the mechanism must clearly communicate this consumer intent, and that the control require that the consumer affirmatively select the opt-out choice, and not use pre-selected settings.  If the control conflicts with a narrower existing business specific setting or participation in a financial incentive program, the business must still respect the control, but is afforded the option to notify the consumer of the conflict and provide an option to confirm the business specific control or participation in the financial incentive program. 

Opt-Out Granularity: Businesses are now allowed to present the consumer a choice to opt-out of the sale of certain uses instead of categories of personal information, as long as the global option is still more prominent. 

Business responsibilities after consumer submits opt-out but before the business complies with it: The regulations now clarify that opt-outs are to be complied within 15 business days. A significant additional change:  businesses will not need to notify third parties to whom they sold the consumer’s data within 90 days.  Instead, if the business sells the personal information of a consumer that has opted out within the 15 day period before it has complied with the request it shall direct any third parties that it has sold the personal information not to further sell the consumer’s information.  The requirement that the consumer be notified of this has been removed. 

Authorized Agents: The written permission provided to the authorized agent must now be signed by the consumer.  The method of signature is not provided. 

§ 999.316. Requests to Opt-In After Opting Out of the Sale of Personal Information

Consumers who opt-out of the sale of their personal information when the sale is required for a transaction or to use a product or service: If a consumer opts-out of the sale of their personal information when this sale is required for a transaction initiated by the consumer or for the use of a product or service, the businesses may inform the consumer of this and provide instructions to opt-in. 

§ 999.317. Training; Record-Keeping

Reasonable security measures required for records: The business must maintain reasonable security procedures and practices for maintained records.    

Use of records: The regulations clarify that maintained records may be used as reasonably necessary for compliance with the CCPA and these regulations, but may not be shared with any third party. 

Additional record keeping requests: The additional metrics required to be kept are now imposed on those businesses who buy, receive, sell or share the personal information of 10,000,000 consumers in a calendar year.  Previously, this number had been set at 4,000,000. 

§ 999.318. Requests to Access or Delete Household Information

Household does not have a password protected account: Where the household is using an account with the business that is not password protected, the business is prohibited from complying with a request to know specific pieces of personal information or a request to delete household information, unless (1) each consumer in the household jointly makes the request, each household member is verified, and the business is able to verify that each member making the request is currently a member of the household. 

Individual consumer has a password protected account that collects household information: Where the consumer has a password protected account that collects personal information about the household, the business is permitted to process requests to know and delete in compliance with the regulations and its practices. 

Member of a household under the age of 13: If a household member is under the age of 13, then the businesses must obtain verified parental consent before complying with a request to know or delete specific information as provided by the parental consent provisions of the regulations.

Note that the revisions also clarify that a “household” means those who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.

Recommendations:

Businesses will need to retool certain aspects of their currently deployed right to know and delete process flows based on these changes.  Other process flows, such as their opt-outs and training and record keeping will need to be reviewed as well. 

Additionally, affected entities will want to review their existing service provider addendums to ensure that best practices in light of the new guidance regarding the scope of service provider processing of personal information are met. 

Further, businesses and other interested parties should pay close attention to the changes described above regarding opt-outs, training and record keeping, and fulfilling requests involving households. 

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Brian H. Lam, Mintz Levin, software licensing lawyer, vendor agreements attorney
Associate

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often...

858.314.1583
Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-demand media commentator and speaker on privacy and cybersecurity issues.

Cynthia is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E).

She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions. She is also a key contributor to MintzEdge, an online resource for entrepreneurs that includes useful tools and information for starting and growing a company.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

During law school, she was editor-in-chief of the Probate Law Journal.

617-348-1732