November 15, 2019


Proposed CCPA Regulations: Initial Overview and Highlights

On October 10, 2019, the California Attorney General (California AG) issued the long-awaited California Consumer Privacy Act (CCPA) Regulations (Proposed Regulations), along with an Initial Statement of Reasons (ISOR) explaining the Proposed Regulations. These Proposed Regulations not only fill in statutory gaps, but also create several substantive new requirements. Companies may submit comments through December 6, 2019, and several public hearings will be held in the first week of December. Our Data Privacy & Cybersecurity Practice can assist you in drafting comments to the California AG during this public comment period.

Although we are highlighting key points from our initial review of the Proposed Regulations and the ISOR, these materials are complex and will be subject to continued review by, and further guidance from, our team of experts. The final regulations that are adopted following the comment period may differ from the Proposed Regulations. As we will not have the final regulations until close to or after the effective date of January 1, 2020, we are recommending that our clients take steps now toward developing consumer-facing documents, as well as internal policies and procedures, that reasonably comply with the Proposed Regulations pending the final outcome of the rulemaking process.

What Is Addressed by the Proposed Regulations?

The Proposed Regulations focus on privacy notice mechanics and details; requirements for evaluating and responding to individual rights requests; and other miscellaneous issues. The Proposed Regulations do not, however, clarify exemptions, applicability thresholds or the meaning of “sale” under the CCPA. Notably, the California AG considered and rejected the concept of a “GDPR safe harbor” because the two laws have too many differences.

What Are the Biggest Changes?

Below, we outline the most notable provisions in the Proposed Regulations and the ISOR.

  • Deterrence of Fraud: The Proposed Regulations specify how to authenticate a consumer’s identity and set out other measures to prevent fraud, including (i) implementing a verification system that takes into account data sensitivity; (ii) providing specific guidance for authenticating non-account holders (e.g., matching three data points and obtaining a signed declaration in order to release specific pieces of personal information [PI]); and (iii) issuing a blanket prohibition on disclosing the following sensitive data in response to a request:

    • Social Security number;

    • Driver’s license number or other government-issued identification number;

    • Financial account number;

    • Any health insurance or medical identification number;

    • An account password; or

    • Security questions and answers.

  • Notification at Point of Collection: The CCPA requires most businesses to provide both a “notice at collection” and a more detailed website privacy notice. Key requirements regarding the “notice at collection” include:

    • At or before the point of collection, businesses must disclose the categories of PI collected, the business or commercial purpose for collecting the PI, notice of the right to opt-out of sale (if applicable) and a link to the more detailed privacy notice. For PI collected online, businesses can simply provide a link to the website privacy notice.

    • Businesses that do not collect PI directly from the consumer do not need to provide a “notice at collection.” However, prior to selling any PI, such businesses must either (i) contact the consumer directly to provide notice of the right to opt-out, or (ii) obtain a signed attestation from the original source that such notice was provided.

  • Focus on Offline Interaction: The Proposed Regulations require businesses to extend the same rights to offline activity, including providing offline notices and honoring rights requests via offline mechanisms in some cases.

  • Service Provider Clarifications: The Proposed Regulations and the ISOR clarify the scope of the definition of “service provider” by confirming that it applies to entities providing services to non-profits, government agencies and other entities that do not meet the definition of “business” and otherwise meet the conditions provided in the definition. In addition, the Proposed Regulations clarify that a service provider may not use PI from one business to provide services to another business or third party, except to detect data security incidents or protect against fraudulent or illegal activity.

  • Additional Requirements for Significant Processing Volumes: A business that “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers,” must compile specified metrics regarding individual rights requests received and processed, and disclose this information within its privacy notice.

  • Opt-Out Button or Logo: The Proposed Regulations do not provide the anticipated button/logo that can be used to opt-out of the sale of PI. A placeholder is included indicating the button/logo will be made available at a later time, at which point, the public will have the opportunity to provide comments.

  • Consumer Data Value Calculation: The Proposed Regulations contain a method for calculating the value of consumer data. This method will need to be followed in order for a business to justify charging a different rate or providing a different quality of service in cases where consumers elect to opt-out of sale.

  • Procedural Details for Individual Rights Requests:

    • Opt-Out Requirements: A consumer making a request to opt-out of the sale of PI does not need to be verified (unless the business has a good faith, reasonable and documented belief that the request is fraudulent). Businesses should act as soon as possible to effectuate an opt-out request, but no later than 15 days from receiving the request. Further, a business must convey the opt-out request to all third parties to which the business has sold the PI in the past 90 days (and confirm to the consumer when this is completed). If a consumer has user-enabled privacy controls on a browser or device that indicate a desire to opt-out of the sale, a business must honor these preferences as if they were a request to opt-out made directly by the consumer. Arguably, this could be interpreted to require businesses to honor Do Not Track signals.

    • Responding to Rights Requests: In the event a consumer submits a request to know or a request to delete outside of one of the designated avenues provided by the business, the business is required either to (i) handle it as though it were submitted properly, or (ii) reply to the consumer with details on how to properly submit a request. If a deletion request cannot be verified, the business must treat that consumer as having opted-out of the sale of their PI.

    • Deletion Details: The Proposed Regulations allow back-up and archival data to be deleted when it is next accessed. Businesses must also get two confirmations before deleting data in response to a request.

    • Records Retention: Certain information regarding consumer rights requests must be retained for a minimum of 24 months.

  • Additional Noteworthy Clarifications:

    • Authorized Agent: The Proposed Regulations clarify the role of persons who are authorized to submit requests on a consumer’s behalf and how a business should handle these interactions.

    • Details on Treatment of Minors: The Proposed Regulations provide greater detail on how to handle the PI of minors under 16 and the applicable opt-in requirements before selling their data. The ISOR points to COPPA requirements and guidance for confirming that a parent or guardian has provided consent.

    • Household Requests: Details are provided on how to verify and handle household data in certain circumstances.

© Copyright 2019 Squire Patton Boggs (US) LLP

About this Author

Ann J. LaFrance, Partner

Ann LaFrance co-leads our Data Privacy & Cybersecurity practice. Drawing on more than 20 years of industry experience, Ann advises clients on telecommunications regulation and new media policy, competition law, dispute resolution and European Union ('EU') data protection matters.

Elliot Golding, Partner

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Elliot is co-chair of the ABA E-Privacy Law Committee, vice-chair of the ABA Healthcare Technology Committee, vice-chair of the Privacy, Security and Emerging Technology Division for the ABA Section of Science & Technology Law, a member of the Bloomberg BNA Health Care Innovations Board, and a frequent speaker and writer of thought leadership pieces. He is also a Certified Information Privacy Professional (CIPP/US).

Lydia de la Torre, Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other states’ privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups...

Glenn Brown, Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

India Scarver, Associate

India Scarver focuses her practice on toxic tort litigation in federal and state courts. India also has experience representing clients in debt collection cases.
