CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Notice

This post is the first in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations:  Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination.  Today we look at consumer notice.  Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.

Intro and Background.  In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time.  Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA.  This abbreviated legislative process produced a bill with numerous gaps and anomalies, however.  Businesses, consumer advocates, and privacy watchers thus have been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.

On October 10, 2019, this wait finally ended.  As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce.  Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date.  Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.

Highlights.  The Attorney General’s proposed regulations are thick with important provisions, and businesses should thus study the full regulations carefully.  Nonetheless, before delving into a detailed analysis of certain aspects of the regulations, this alert highlights several key aspects of the Attorney General’s proposal, including that the regulations:

  • Provide detailed guidance on the major disclosures required by the CCPA, including notices “at or before the point of collection,” notices regarding consumers’ right to opt-out of the sale of personal information and be free from discrimination for exercising their privacy rights, and requirements for updated privacy policies.
  • Of particular note, the regulations clarify that businesses generally do not have to provide notice “at or before the point of collection” if they are not collecting information directly from the consumer.  In such circumstances, however, before selling the information in question, a business must either give the consumer an opportunity to opt out or obtain a “signed attestation” from the entity that collected the personal information stating that it provided notice at the point of collection to the consumer and include an example of the notice.
  • Detail specific requirements for verifying the identity of consumers making CCPA rights requests, including directly prohibiting businesses from disclosing social security numbers, driver’s license and government-issued ID numbers, financial account numbers, health insurance or medical identification numbers, account passwords, or security questions or answers.
  • Require businesses that provide financial incentives for different types of products or services based on the value of consumers information (e.g., free vs. paid streaming) to quantify the value of consumers’ personal information and disclose the value and methods used to calculate it.
  • Put in place obligations that appear to extend beyond those contemplated by the CCPA, such as that businesses must: (1) pass on opt-out requests to entities that have purchased the personal information at issue within the past 90 days; and (2) maintain and disclose metrics if they handle the personal information of four million or more consumers each year.

Detailed Analysis On Consumer Notice.  One of the main objectives of the CCPA is to require businesses to be more transparent about what data they collect and how they use it.  To this end, the CCPA, among other things, obligates businesses to:

  • inform consumers “at or before the point of collection” of the categories of personal information it collects and the purposes for the collection;
  • provide consumers with notice of their right to opt-out of the sale of personal information, including with a “Do Not Sell My Personal Information” link;
  • notify consumers when they are using financial incentives to collect personal information; and
  • update their privacy policies with numerous disclosures.

The Attorney General’s proposed regulations provide guidance on all of these notice obligations.

General Guidance (Sections 998.305-08).  To begin, the proposed regulations lay out certain general principles that apply to all forms of notice contemplated by the regulations.  In particular, the regulations mandate that all the forms of notice identified above – including both the general privacy notice and the notice of the right to opt-out – should be “designed and presented to the consumer in a way that is easy to read and understandable to an average consumer,” such that the notice shall:

  • use “plain, straightforward language and avoid technical or legal jargon”;
  • use “a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable”;
  • be “available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers”; and
  • be “accessible to consumers with disabilities” by, at a minimum, letting consumers with disabilities know how to access the notice in an alternative format.

In addition, the proposed regulations make explicitly clear that businesses interacting with consumers offline are still obligated to provide relevant notices, such as through “printed forms’ or “prominent signage” where applicable.

Notice at or Before Point of Collection (§ 998.305).  The proposed regulations provide a significant amount of clarifying guidance about a business’s obligation to provide notice “at or before the point of collection.”

Method of Providing Notice.  Resolving a question left open by the CCPA, the proposed regulations allow businesses that collect personal information online to fulfill their “at or before the point of collection” disclosure obligations by displaying a link, at the point of collection, to the section of their privacy policy that contains the required disclosures.   The Attorney General appears to have provided this guidance with the consumer experience in mind, as a link will provide a much smoother interaction than including the entire disclosure on the screen.

With respect to offline collection, the regulations note that business can include the notice on the form used to collect information, provide paper notices, or simply post “prominent signage” directing consumers to their website.

Importance of Notice.  The regulations have given more substance to the important concept of use compatibility, and in doing so emphasize three ways in which the “at or before the point of collection” notice obligations cabin a business’s behavior:

  • First, if a business wants to use the information in a new or different way than it has disclosed, it will need to obtain the consumer’s “explicit consent” before doing so.
  • Second, if a business wants to collect personal information other than that disclosed, it must provide a new notice.
  • Finally, the regulations make clear that, if a business does not provide the relevant notice, it shall not collect personal information from the consumer.  This is the first introduction of a data collection prohibition in the CCPA.

This clarity on the implications of the “at or before the point of collection” notice emphasizes the importance businesses should attach to making the notices comprehensive in the first instance, limiting the need to return to the consumer for consent or with further notice.

Content of Notice.  The regulations provide additional detail on what businesses must include in their notice “at or before the point of collection” notice, detailing four such items:

  • a list of the categories of personal information about consumers to be collected, with the categories written to provide a “meaningful understanding of the information being collected”;
  • the “business or commercial purpose” for which the business will use each category of personal information collected;
  • the “Do Not Sell My Personal Information” link (if the business sells such information); and
  • a link to the business’s privacy policy.

Notice Obligations when not Collecting Directly from Consumer.  The proposed regulations provide guidance on one of the more important issues left open by the CCPA:  how should businesses provide notice “at or before the point of collection” if they are not collecting information directly from the consumer?

Pragmatically, the regulations do not require businesses to provide notice in such a situation.  However, they do require businesses to take one of two steps before selling any information they did not collect directly from a consumer.  In particular, in such circumstances that business must either: (a) locate the consumer and give them an opportunity to opt out, or (b) obtain a “signed attestation” from the entity that collected the personal information that explains how and provides an example of the notice provided at the point of collection to the consumer.

This obligation could impose significant recordkeeping, contracting and other compliance burdens on both businesses that obtain, as well as those that provide personal information.  Given the potential record keeping difficulties, we expect that businesses that collect and then share or sell personal information should begin preparing to respond to requests for attestations.

Notice of Right to Opt-Out of Sale (§ 998.306).  The draft regulations did not reveal the long-awaited and eagerly anticipated “Do Not Sell” logo or button, as the Attorney General wants additional public input on the design.  Businesses that sell personal information will thus need to prepare to include their own opt-out links entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info” until the logo is ready.  Leaving this to the side, however, the proposed regulations did provide guidance on numerous aspects of opt-out of sale notices.

Method of Notice.  The regulations make clear that businesses, when interacting with consumers online, must post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.

Businesses that “substantially interact” interact with consumers offline, on the other hand, must print the notice on paper forms that collect personal information, provide consumers with a paper version of the notice, or simply “post signage” directing consumers to a website where the notice can be found.  Moreover, the proposed regulations make clear that a business that does not operate a website “shall establish, document, and comply with” one of these offline methods for information consumes of their opt-out rights.

Content of Notice.  Whether provided online or off, an opt-out of sale notice, to be consistent with the proposed regulations, must provide the following information:

  • a description of the consumer’s opt-out rights and describe how the consumer can submit opt-out requests:
  • the form where consumers can submit requests online (or the primary method for offline requests);
  • instructions for any other method by which the consumer may submit their request to opt-out (as the CCPA require two designated methods to opt-out);
  • a description of the proof the business will require to authenticate agents who want to act on the consumer’s behalf; and
  • a link to the business’s privacy policy.

Confirmation when Notice of Opt-Out is Not Required.  The regulations confirm that a business is exempt from the requirement of providing the consumer with notice of their opt-out rights if the businesses “does not, and will not, sell personal information” and states as much in its privacy policy.

Interestingly, the proposed regulations provide a consequence if businesses do not have an opt-out of sale button:  “A consumer whose personal information is collected while a notice of right to opt-out notice is not posted shall be deemed to have validly submitted a request to opt-out.”  This emphasizes the importance of correctly determining whether such a notice is necessary, and may lead to a proliferation of opt-out of sale buttons for avoidance of doubt and to preserve future flexibility. 

Notice of Financial Incentives (§ 998.307)Pursuant to the proposed regulations, a business must provide a notice of financial incentive either online (through a link to the appropriate section of the business’s privacy policy, if the business so desires) or at a physical location where consumers will see it before opting in to a financial incentive program.  The regulations also provide detailed guidance on what this notice must include:

  • a summary of the incentive program and its material terms, including the categories of personal information that are implicated by the financial incentive or price or service difference;
  • an explanation of how consumers can both opt-in and withdraw from the program; and
  • an explanation of why the incentive program is allowed, including an estimate of the value of a consumer’s data and a description of the method used to calculate that value.

Privacy Policies (§ 998.308).  The proposed regulations emphasize the importance of privacy policies to the CCPA’s overall scheme.  They note that the privacy policy is the place where business must provide consumers with a comprehensive description of their online and offline practices regarding how they collect, use, sell or share personal information and consumers’ rights regarding that information.  The regulations also provide detailed guidance on how businesses must make privacy policies available and what such policies must include.

Method of Posting Pricy Policies.  The regulations make clear that businesses should make their privacy policies readily available to consumers.  Businesses that are online must post their privacy policies through a “conspicuous link using the word ‘privacy’ on [their] website homepage or on the download or landing page of a mobile application” and make sure that consumers can print out the policy as a separate document if they so desire.  Any “California-specific description of consumers’ privacy rights” on a website must also include the privacy policy.  Businesses without websites must their privacy policies “conspicuously available to consumers.”

Content of Privacy Policies.  The proposed regulations provide a detailed laundry list of what businesses must include in their privacy policies, including some items the CCPA did not explicitly require to be included:

  • Disclosures on Information Collected and Sold.  As contemplated by the CCPA, under the regulations, businesses must list the categories of personal information they have collected in the previous 12 months and for each category, the business or commercial purpose for which it was collected.  They must further provide this information “in a manner that provides consumers a meaningful understanding of the information being collected.”  The regulations also make clear that businesses must state whether they have disclosed or sold any personal information to third parties, list the categories of any such information it has disclosed or sold, and state whether they have sold the personal information of minors under 16 years of age without affirmative authorization.
  • Right to Know, Deletion, and Opt-Out of Sale Requests.  In the privacy policies, businesses are obligated to inform consumers of their right to: request information on the information the business collects, uses, discloses, and sells; delete their personal information; and opt-out of the sale of their personal information.  For right to know and deletion requests, businesses are further obligated to provide instructions for how consumers can vindicate those rights (including links to a request form or portal for making a request) and to describe how they will verify the request, including what information the consumer must provide.  For opt-out requests, businesses must include the contents of or a link to the opt-out notice described above.
  • Right to Non-Discrimination.  The regulations require businesses to explain that they may not discriminate against consumers who exercise their CCPA rights.
  • Authorized Agent.  Additionally, the policy must describe how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
  • Miscellaneous.  The privacy policy must also include a business contact who the consumer can reach “using a method reflecting the manner in which the business primarily interacts with the consumer”; the privacy policy’s last updated date; and (potentially) certain tracking information about the business’s CCPA compliance, which is described in more detail below.

The Path Forward.  While the proposed regulations are significant, they are only a draft and not legally binding.  Moreover, there will be a fairly long and winding road before the Attorney General will be able to finalize the regulations – something that likely will not happen until well into the next year.   In particular, businesses and other members of the public can comment on the draft regulations and suggest changes until December 6th.  They can make comments in writing or during the four public forums scheduled around the state in early December.

Once this comment period closes, the AG must then respond in writing and explain reasons for its adoption or rejection of each comment. We expect this process to take some time, as the volume of comments will likely be substantial.  If the AG changes the regulations in response to the comments, the cycle begins again with a new notice and comment period (although, it could be shorter, depending on the type of changes that are made).

Once the AG finalizes a draft of the regulations, the Office of Administrative Law (“OAL”) will need to approve them to ensure they are consistent with the statute and other legal requirements.  The OAL has 30 working days to approve the regulations and file them with the Secretary of State.

In the unlikely event regulations are able to be filed by February 29th, they will be effective on April 1st.  If they are filed after February 29th, but before May 31st – the more probable course — they will take effect on July 1st, the statutory deadline.

Meanwhile, the CCPA itself still goes into effect on January 1, 2020, and businesses may quickly begin seeing data subject rights requests, let alone the potential for data breach litigation pursuant to the private right of action.  Even if the regulations are not final, they are useful as businesses prepare for the dawning of at least some parts of the new CCPA era.