February 26, 2020


Just When You Thought Your CCPA Prep Was Nearing the End…

Yesterday, the California Attorney General and team held a press conference announcing the release of the long-awaited draft regulations implementing the California Consumer Privacy Act or the CCPA. Today kicks off the official comment period for the proposed rules, and based on initial reactions to the draft regs and the Initial Statement of Reasons underlying the proposal, there will be a great many submitting constructive criticism through the December 6 deadline.

While arguably ‘simply implementing’ the statute, it is clear that the AG’s team aims to bring the CCPA closer to the EU GDPR in some ways. In others, such as the new obligations on businesses handling higher volumes of personal information, the proposed rules genuinely move the goal posts for companies working to comply. Given that January 1, 2020 (let’s just call it “Winter”) is coming soon and that the statute has a 12 month look back period, companies must scramble to understand how these draft rules will impact their business, assuming that the submitted comments do not result in material changes to the proposed regulations.

Here are just some of the key brain benders – to be followed by our more detailed analysis in the coming days:

  • Verifiable Requests – Authenticate Requestors (but don’t collect more data, put any data at risk, allow fraud…): There are a number of provisions related to how businesses authenticate consumers to confirm verifiable requests. It’s clear that businesses should avoid requiring collection of additional personal data to verify the request; however, the rules suggest a risk-based approach is required as to the rigor of the verification process (depending on the sensitivity of the data and the risk if the data lands in the wrong hands). But don’t worry, you can also engage a service provider to complete the verification for you.

  • Using Data from Another Data Source? Diligence is On You: Before selling data, a business that doesn’t collect data directly from consumers must either: 1) contact consumers to provide notice and the choice to opt-out; or 2) confirm that the data source provided appropriate notice to consumers and obtain an attestation from the data source describing how notice was given at the point of collection and a copy of the notice.

  • Adhere to Deletion Requests… Mostly: The rules set forth a two-step deletion process and businesses must acknowledge receipt of the request within 10 days. Alternatives to deletion include de-identifying or aggregating the personal information. For back-ups and archives, businesses can postpone deletion on those repositories until “next accessed or used” (which could be never?).

  • Evidence Your Good Work: Training (specific to the CCPA and final regs) and good record keeping will be essential. Logs of consumer requests and responses to the request must be maintained for 2 years and the content of the logs/records is also prescribed.

  • Attention Service Providers – Particularly Payment Vendors and the Like: For service providers thinking they would forever be fighting off limitations on data use across customers, the rules allow service providers to combine personal data collected from one or more businesses to which they provide services, when necessary to detect fraud, security incidents, or illegal activity. In other words, services where a vendor needs to combine data from each of its business customers in order to provide fraud prevention services to those customers will be allowed (e.g., credit card fraud at the point of sale).

  • Businesses with High Volumes of Data, Here’s Your Call to the Carpet: Businesses that handle the personal data of > 4MM consumers must compile specific stats on consumer requests, responses, response times, and other details for the various categories of individual rights and post the previous year’s stats in the business’s privacy policy or on its website.

  • Equal and Fair Service and Fees to All… Unless You Properly Valuate Consumer Data: Charging a different price or providing disparate levels of service depending on whether a consumer exercised rights under the CCPA is discriminatory and prohibited unless the differences are reasonably related to the value of the consumer’s data. You may wonder, how do you determine the value of a consumer’s data to the business? Simply apply a reasonable, good faith method of calculation (balancing a number of factors set forth in the rules that would seem difficult to numerically quantify).

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

About this Author

Tara Cho, CIPP/US, CIPP/E, Data Security Attorney, Womble Bond

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

Peter McLaughlin, Privacy & Data Attorney, Womble Bond

Peter McLaughlin is a Privacy & Data Security attorney who advises clients with respect to a broad range of technology transactions, privacy and security issues. While maintaining a broad privacy practice, Peter focuses on innovative uses of data, especially with the life sciences and digital health sectors. He also guides clients in their domestic and international handling of personal information; new product development; and the assessment of legally defensible cybersecurity programs. The Legal 500 has recognized Peter’s work in the area of data protection and privacy as “extremely knowledgeable, competent and professional.”

Peter spent several years in-house at a global Silicon Valley technology company and as Assistant General Counsel and global privacy officer for a multinational health firm. He has represented clients across industry sectors with respect to governing personal information; responding to regulators from the Federal Trade Commission, the U.S. Department of Health and Human Services and state attorneys general; and supporting post-enforcement compliance obligations. In short, Peter holds a preeminent position in this space.