CCPA In-Depth Series: Draft Attorney General Regulations on Consumer Requests
This post is the second in a three-part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at consumer requests. Check back daily for the next installment, or visit the CCPA Monitor for a collection of all our CCPA insights.
Intro and Background. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.
On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications for businesses’ ongoing efforts to comply with the CCPA, with less than three months to go before the effective date. Indeed, even if they do not resolve all of the law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which arguably extend beyond the CCPA itself.
Highlights. The Attorney General’s proposed regulations are thick with important provisions, and businesses should study the full regulations carefully. Nonetheless, before delving into a detailed analysis of certain aspects of the regulations, this alert highlights several key aspects of the Attorney General’s proposal, including that the regulations:
- Provide detailed guidance on the major disclosures required by the CCPA, including notices “at or before the point of collection,” notices regarding consumers’ right to opt-out of the sale of personal information and be free from discrimination for exercising their privacy rights, and requirements for updated privacy policies.
- Of particular note, the regulations clarify that businesses generally do not have to provide notice “at or before the point of collection” if they are not collecting information directly from the consumer. In such circumstances, however, before selling the information in question, a business must either give the consumer an opportunity to opt-out or obtain a “signed attestation” from the entity that collected the personal information that it provided notice at the point of collection to the consumer, along with a copy of that notice.
- Detail specific requirements for verifying the identity of consumers making CCPA rights requests, including directly prohibiting businesses from disclosing social security numbers, driver’s license and government-issued ID numbers, financial account numbers, health insurance or medical identification numbers, account passwords, or security questions or answers.
- Require businesses that provide financial incentives for different types of products or services based on the value of the consumer’s information (e.g., free vs. paid streaming), to quantify the value of consumers’ information and disclose the value and methods used to calculate it.
- Put in place obligations that appear to extend beyond those contemplated by the CCPA, such as that businesses must: (1) pass on opt-out requests to entities that have purchased the personal information at issue within the past 90 days; and (2) maintain and disclose metrics if they handle the personal information of four million or more consumers each year.
Detailed Analysis On Business Practices for Handling Consumer Requests. The draft regulations provide detailed guidance on – and potentially some significant new obligations regarding – how consumers must be able to submit right to know, deletion, and opt-out requests; how businesses must respond to those requests; and businesses’ related training and recordkeeping obligations. We discuss each in turn.
Methods for Submitting Requests (§ 999.312, § 999.315). Addressing some gaps in the CCPA, the regulations provide explicit guidance on how businesses must allow consumers to submit rights requests.
Right to Know and Deletion. Businesses must provide two or more designated methods for consumers to submit requests to know and requests to delete. For requests to know, every business must provide a toll-free number and, if it operates a website, an interactive webform as well. A business that operates a website but primarily interacts with consumers in retail locations must add a third option: a form that consumers can submit in person at those locations.
With respect to deletion requests, businesses have more flexibility to choose the two or more designated methods, although for both right to know and deletion requests “one method offered shall reflect the manner in which the business primarily interacts with the consumer.” Furthermore, if a business “does not interact directly with consumers in its ordinary course of business,” one of the methods by which a consumer may submit a right to know or deletion request must be online.
The regulations also subject deletion requests to a two-step process. Under the regulations, after a consumer submits a deletion request (step 1), a business must separately ask the consumer if they do, in fact, want their personal information deleted (step 2).
Finally, the regulations require businesses to be forgiving of consumers who make a mistake when submitting requests. The business must either treat such requests as valid or respond by providing consumers with “specific directions” about how to properly submit a request. (This rule does not pertain to requests that are deficient because they do not provide necessary verification information.)
Right to Opt-Out. As with other types of requests, businesses must provide at least two methods for submitting opt-out requests, one of which must fit the manner in which the business primarily interacts with the consumer. All businesses are required to provide, as one of the methods, an “interactive webform” accessible via a “clear and conspicuous link titled ‘Do Not Sell My Personal Information,’ or ‘Do Not Sell My Info.’”
Importantly, the regulations also make clear that businesses that collect information online must “treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request” for the “browser or device, or, if known, for the consumer.” These “user-enabled privacy controls” can serve as one of the two methods for facilitating opt-out requests.
Methods for Responding to Requests (§§ 999.313-16, § 999.318). Much as with the submission of requests, the Attorney General’s regulations also provide detailed guidance on responding to consumer requests.
Timing of Responses.
Right to Know and Deletion. While the CCPA requires that businesses respond to consumer requests to know or delete within 45 days, the regulations now require an interim step: within 10 days of receiving a request, the business must confirm receipt and tell the requestor how it will process the request. Those 10 days do not extend the 45-day response requirement, although a business may extend the deadline to a maximum total of 90 days if it gives the consumer notice and an explanation of the need for the extension. (The regulations further state that businesses that store personal information on archived or backup systems may defer responding to deletion requests with respect to such data until the archived or backup system is next accessed or used.)
Right to Opt-Out of Sale. The regulations clarify that businesses must act on requests to opt-out within 15 days of receipt of the request, although they contain no requirement that a business acknowledge receipt of such a request.
Specific Guidance on Right to Know Requests.
Security Concerns. Addressing a key compliance issue for businesses, the proposed regulations provide a detailed set of rules on how businesses should incorporate data security concerns into their right to know responses. In particular, the regulations state as follows:
- If a business is unable to verify a consumer’s identity (using verification procedures discussed below) after the consumer requested specific pieces of information, the business “shall not disclose any specific pieces of personal information to the requestor and shall inform the consumer that it cannot verify their identity.” The business shall also evaluate the consumer’s request as a request for categories of information, with its more forgiving verification standard.
- If a business is unable to verify a consumer’s identity after the consumer requests categories of information, the business may deny the request to disclose the categories and inform the requestor that it cannot verify their identity. If the business denies a request in whole or in part on these grounds, it must “provide or direct the consumer to its general business practices regarding the collection, maintenance, and sale of personal information set forth in its privacy policy.”
- Businesses shall not provide consumers with “specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.”
- The regulations flatly prohibit businesses from disclosing a consumer’s social security number, driver’s license number or government issued ID number, financial account number, health insurance or medical identification number, account password, or security questions and answers in response to right to know requests.
- Businesses are required to use “reasonable security measures when transmitting personal information to the consumer.” If a consumer has a password-protected account with the business, the business can satisfy this requirement by allowing the consumer to “access, view, and receive a portable copy of their personal information if the portal fully discloses” the consumer’s personal information, uses reasonable data security controls, and complies with the regulations’ verification requirements.
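The five rules above interact in ways a request portal can easily get wrong: leaking a prohibited identifier because verification succeeded, or refusing everything when only the specific-pieces bar was missed. As an added illustration, not code from this post or from the Attorney General’s office, the following Python encodes those rules as a single decision function. The field names, the category mapping, the sample record, and the risk_check callback are hypothetical; the choice to still answer at the category level when specific pieces are withheld on a risk finding is an assumption.

```python
"""Added example (not from the post or the draft regulations): decision logic
for a right-to-know response that redacts prohibited identifiers, downgrades
an unverified specific-pieces request to a categories request, and withholds
specific pieces on a security-risk finding. Names and data are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

# Identifiers the draft regulations never allow in a right-to-know response.
PROHIBITED_FIELDS = frozenset({
    "ssn", "drivers_license_number", "government_id_number",
    "financial_account_number", "health_insurance_id", "medical_id",
    "password", "security_question", "security_answer",
})

# Hypothetical stored-field -> CCPA category mapping. A category label may be
# disclosed even when the underlying value may not be.
CATEGORY_OF = {
    "email": "identifiers",
    "ssn": "identifiers",
    "financial_account_number": "financial information",
    "password": "account credentials",
    "security_answer": "account credentials",
    "purchase_history": "commercial information",
    "browsing_history": "internet activity",
}

# Constructed sample record for the demo below.
SAMPLE_RECORD = {
    "email": "pat@example.test",
    "ssn": "000-00-0000",
    "password": "pbkdf2$...",
    "security_answer": "Rover",
    "purchase_history": "3 orders in 2019",
}

class Verification(Enum):
    SPECIFIC = "specific"   # meets the higher bar for specific pieces
    CATEGORY = "category"   # meets only the bar for categories
    NONE = "none"           # could not be verified at all

@dataclass
class KnowResponse:
    specific_pieces: Dict[str, str] = field(default_factory=dict)
    categories: List[str] = field(default_factory=list)
    notices: List[str] = field(default_factory=list)
    refer_to_privacy_policy: bool = False

def categories_for(record: Dict[str, str]) -> List[str]:
    return sorted({CATEGORY_OF.get(k, "other") for k in record})

def redact_prohibited(record: Dict[str, str]) -> Dict[str, str]:
    return {k: v for k, v in record.items() if k not in PROHIBITED_FIELDS}

def respond_to_know(record: Dict[str, str], wants_specific: bool,
                    verification: Verification,
                    risk_check: Callable[[Dict[str, str]], bool] = lambda r: False) -> KnowResponse:
    resp = KnowResponse()
    if wants_specific:
        if verification is Verification.SPECIFIC:
            if risk_check(record):
                # Assumed handling: withhold the pieces but still answer at the
                # category level, since that (lower) bar was met.
                resp.notices.append("specific pieces withheld: disclosure would create an unreasonable security risk")
            else:
                resp.specific_pieces = redact_prohibited(record)
                if len(resp.specific_pieces) != len(record):
                    resp.notices.append("some identifiers are never disclosed; their categories are listed instead")
            resp.categories = categories_for(record)
            return resp
        # Specific-pieces bar not met: evaluate as a request for categories.
        resp.notices.append("identity could not be verified for specific pieces; evaluating as a request for categories")
    if verification is not Verification.NONE:
        resp.categories = categories_for(record)
        return resp
    # Not verifiable even for categories: deny and point to the privacy policy.
    resp.notices.append("identity could not be verified; see the privacy policy for general practices")
    resp.refer_to_privacy_policy = True
    return resp

if __name__ == "__main__":
    for level in (Verification.SPECIFIC, Verification.CATEGORY, Verification.NONE):
        print(level.name, respond_to_know(SAMPLE_RECORD, True, level))
```

Note that the prohibited-field filter runs regardless of how strong the verification was, and that the category list for a fully verified consumer still names "identifiers" and "account credentials" even though the SSN and password values themselves are withheld.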
Explanation of Denial. The proposed regulations further require a business, if it denies a consumer’s verified request to know specific pieces of information because of a CCPA exception or conflict with federal or state law, to explain the basis for the denial to the consumer. If a business partially denies a request, it must make the remaining information available to the consumer.
Content of Response. In terms of the content of a business’s right to know response, the regulations make clear that it must cover the 12-month period preceding the consumer’s request, regardless of how long it took to verify that request. For each category of personal information the business has collected about the consumer, the business must provide the following information:
- the categories of sources from which personal information was collected (with the regulations providing helpful guidance about the level of detail required in describing the categories of the sources of personal information collected, with examples including “from the consumer directly, government entities from which public records are obtained, and consumer data resellers”);
- the business or commercial purpose for such collection;
- the categories of third parties to whom the business sold or disclosed the particular category of personal information for a business purpose (with the regulations defining “categories of third parties” as “types of entities that do not collect personal information directly from consumers,” including advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers); and
- the business or commercial purpose for which it sold or disclosed the category of personal information.
Finally, the regulations make clear that businesses must provide an individualized response to requests to know categories of personal information collected, categories of sources, and/or categories of third parties, rather than rely on general statements in the business’s privacy policy. This response must, moreover, describe the categories in a way that is meaningful to consumers. If, however, its response would be the same for all consumers, the business may refer consumers to the privacy policy if the policy contains – as it should regardless – all of the information that is required to be in a response to a request to know such categories.
Specific Guidance on Right to Delete Requests.
Methods of Deletion. A business must also inform the consumer of the method it will use to fulfill the consumer’s deletion request, with the proposed regulations providing three options:
- By permanently and completely erasing the personal information on its existing systems, with the exception of archived or back-up systems;
- De-identifying the personal information; or
- Aggregating the personal information.
Denial of Deletion Requests and the Duty to Explain. The regulations make clear that a business may deny a consumer’s deletion request if it is unable to verify the consumer’s identity, although it must inform the consumer of that fact and, importantly, then treat the deletion request as a request to opt-out of sale. A business that denies a deletion request under a CCPA exception must keep a record of the denial and may deny only if it: informs the consumer of the denial and its basis; deletes the information not subject to the exception; and, importantly, does not use the retained personal information for any purpose other than the one the exception provides for.
Partial Deletion Requests. Finally, the regulations clarify that businesses may give consumers the choice to delete “select portions” of their personal information, so long as a global deletion option is “more prominently presented.”
Specific Guidance on Requests to Opt-Out of Sale.
Obligation to Forward Opt-Out Requests. One of the most substantial provisions in the proposed regulations concerns how businesses should respond to opt-out requests. In particular, in what appears to be a new requirement that extends beyond those imposed by the CCPA itself, the regulations require businesses that sell personal information to forward any opt-out requests to any third parties to whom they sold personal information in the previous 90 days. The business must further inform the consumer when this step has been completed, and the third party purchaser can continue to use, but cannot sell, the information.
No Verification for Opt-Out. The regulations further make clear that opt-out requests need not be a verifiable consumer request, although businesses can refuse to comply with requests if they have a “good faith, reasonable, and documented belief” that the request is fraudulent and inform the requestor of that belief. Consumers, moreover, may use authorized agents to submit opt-out requests on their behalf, if the consumer provides the agent with written permission to do so. (The regulations stipulate that “user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information shall be considered a request directly from the consumer, not through an authorized agent.”)
Opting Back In After Opting Out. Providing some clarity to an area of ambiguity in the CCPA, the regulations provide guidance on consumers opting back in to sale after previously opting out. First, businesses must employ a two-step process in such circumstances, whereby the consumer makes an initial opt-in request and then separately confirms the choice. Second, the regulations recognize that some transactions require the sale of a consumer’s personal information and that, when a consumer opts out of the sale of personal information, the business may not be able to complete the transaction. In these situations, the regulations create an exception to the 12-month prohibition on asking opted-out consumers to opt back in by allowing businesses to explain that the transaction requires a sale and to provide the consumer with instructions for opting in.
Partial Opt-Out Requests. Finally, much like with the right to delete, the regulations clarify that businesses may give consumers the choice to opt-out of the sale of “certain categories” of personal information, so long as a global option to opt-out of all sales is “more prominently presented” than the other choices.
Service Providers. Addressing a set of questions that raised a significant number of implementation ambiguities, the regulations provide guidance on how service providers should respond to consumer requests.
Clarifying the Definition. The CCPA defines a service provider as an entity that “processes” personal information on behalf of a business pursuant to a written contract. The regulations helpfully clarify this definition by explaining that two types of entities can be service providers: those acting as a service provider for entities that are not CCPA businesses (e.g., non-profits, governmental agencies); and those collecting personal information directly from a consumer on behalf of a business. This is particularly helpful for entities that act as a service provider for “persons” who are not a corporate entity that would qualify as a “business” under the CCPA.
Limitations on Service Providers’ Use of Personal Information. The regulations also clear up a statutory ambiguity by stating that a service provider cannot use the personal information provided to it, or that it collects on behalf of a business, to provide services to another person or entity. The only exception to this general rule is when the service provider combines personal information received from multiple businesses to provide data security or to protect against fraudulent or illegal activity.
Consumer Requests Made to Service Providers. Finally, the regulations provide guidance on what service providers should do if they receive a request directly from a consumer “regarding personal information that the service provider collects, maintains, or sells on behalf of the business it services.” First, the regulations acknowledge that service providers might in some cases “comply with the request.” Second, the regulations note that if the service provider does not respond to the request (presumably because the business has not authorized it to do so, or has prohibited it), it shall provide the consumer with an explanation “of the basis for the denial” and shall inform the consumer that they should submit the request directly to the business the service provider is servicing (with contact information “when feasible”). This establishes affirmative response obligations on service providers that do not otherwise exist in the CCPA, which had previously put the burden of responding solely on the “business.”
Household Information. The regulations attempt to address another area that has presented implementation challenges – household information.
Definition. To begin, the regulations provide a welcome definition of “household”: a person or group of people occupying a single dwelling.
Limitations on Need to Respond to Household Requests. Recognizing that one consumer’s rights could adversely affect the rights of others in the consumer’s household, the regulations provide two key limitations on household requests:
- First, a business must only comply with an access request for household personal information if the request is jointly submitted by all consumers in the household and the business can verify the identity of each member of the household.
- Second, at least insofar as the requests concern household information, businesses may respond to requests to know and delete submitted by consumers who do not have password-protected accounts by providing “aggregate household information.”
Recordkeeping and Training (§ 999.317). The final portion of the section of the regulations discussing consumer requests concerns recordkeeping and training, and this section includes some new requirements that may present compliance challenges for businesses.
Training. First, the regulations require businesses to inform all “individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA” about “all the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.”
Recordkeeping Requirements. Second, businesses must retain records of CCPA requests and their responses for at least 24 months. The business may maintain these records in a ticket or log format, if the format includes the date and nature of the request, the manner in which the consumer made the request, the date and nature of the response, and the basis for any denial. The business cannot use this recordkeeping information for any other purpose.
Metrics and Disclosures for Large Businesses. Third, and most importantly, the proposed regulations impose significant new recordkeeping and disclosure obligations on businesses that “alone or in combination, annually buy, sell, receive or share for commercial purposes, the personal information of” 4,000,000 or more consumers. These businesses must compile and disclose, within their privacy policy or on their website, the number of right to know, delete, and opt-out requests they received; whether they complied with or denied those requests, in whole or in part; and the median time taken to respond. These businesses must also have a documented, written training policy that informs individuals responsible for handling CCPA requests or the business’s CCPA compliance about the law’s requirements.
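The opt-out forwarding rule, the user-enabled privacy control rule, and the recordkeeping and metrics rules above all operate on the same data: a log of sales and a ticket per request. The following Python, an added example rather than anything this post or the regulations supply, shows one way to keep that ledger so the 90-day purchaser lookback, the 10/45/15-day deadlines, the 24-month retention floor, and the disclosure metrics all derive from it. The class and method names, the dates, the use of a “Sec-GPC: 1” request header as the encoding of a browser opt-out signal (the draft regulations name no specific signal), and the same-day closing of opt-out tickets are all assumptions.

```python
"""Added example (not from the post): an opt-out ledger that honors a
user-enabled privacy signal, finds purchasers from the prior 90 days to
forward an opt-out to, keeps ticket-style request records, and derives the
disclosure metrics from them. Names, dates and the header encoding are
assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

FORWARD_LOOKBACK = timedelta(days=90)    # purchasers in the previous 90 days
RECORD_RETENTION = timedelta(days=730)   # keep request records at least 24 months
# (acknowledgement days, response days); opt-out has no acknowledgement step.
DEADLINES = {"know": (10, 45), "delete": (10, 45), "opt-out": (None, 15)}

@dataclass
class RequestRecord:
    request_date: date
    nature: str                            # "know" | "delete" | "opt-out"
    manner: str                            # "webform", "toll-free", "browser-signal", ...
    response_date: Optional[date] = None
    response_nature: Optional[str] = None  # "complied" | "partial" | "denied"
    denial_basis: Optional[str] = None

def deadlines(rec: RequestRecord) -> Tuple[Optional[date], date]:
    """Acknowledgement-by date (None where not required) and response-by date."""
    ack, due = DEADLINES[rec.nature]
    ack_by = rec.request_date + timedelta(days=ack) if ack is not None else None
    return ack_by, rec.request_date + timedelta(days=due)

class OptOutLedger:
    def __init__(self) -> None:
        self.sales: List[Tuple[str, str, date]] = []  # (subject, third party, sale date)
        self.opted_out: Set[str] = set()              # consumer ids or device ids
        self.records: List[RequestRecord] = []

    def record_sale(self, subject: str, third_party: str, sale_date: date) -> None:
        self.sales.append((subject, third_party, sale_date))

    def purchasers_to_notify(self, subject: str, today: date) -> List[str]:
        """Third parties that bought this subject's data in the last 90 days."""
        cutoff = today - FORWARD_LOOKBACK
        return sorted({tp for s, tp, d in self.sales if s == subject and cutoff <= d <= today})

    def log_request(self, nature: str, manner: str, today: date) -> RequestRecord:
        rec = RequestRecord(today, nature, manner)
        self.records.append(rec)
        return rec

    def close(self, rec: RequestRecord, today: date, response_nature: str,
              denial_basis: Optional[str] = None) -> None:
        rec.response_date, rec.response_nature, rec.denial_basis = today, response_nature, denial_basis

    def opt_out(self, subject: str, today: date, manner: str = "webform") -> List[str]:
        """Record the opt-out (no verification required) and return the third
        parties that must be told. Closing the ticket the same day is a
        simplification; a real system closes it once the forwards and the
        notice back to the consumer have actually gone out."""
        self.opted_out.add(subject)
        rec = self.log_request("opt-out", manner, today)
        forwarded = self.purchasers_to_notify(subject, today)
        self.close(rec, today, "complied")
        return forwarded

    def opt_out_from_signal(self, headers: Dict[str, str], device_id: str, today: date,
                            consumer_id: Optional[str] = None) -> Optional[List[str]]:
        """A user-enabled control counts as a request from the consumer directly,
        applied to the browser/device, or to the consumer if known."""
        if headers.get("Sec-GPC") != "1":    # assumed signal encoding
            return None
        return self.opt_out(consumer_id or device_id, today, manner="browser-signal")

    def metrics(self) -> Dict[str, Dict[str, object]]:
        """Counts and median response time per request type, for the disclosure
        the draft regulations require of large businesses."""
        out: Dict[str, Dict[str, object]] = {}
        for nature in DEADLINES:
            rs = [r for r in self.records if r.nature == nature]
            done = [r for r in rs if r.response_date is not None]
            days = [(r.response_date - r.request_date).days for r in done]
            out[nature] = {
                "received": len(rs),
                "complied": sum(r.response_nature == "complied" for r in done),
                "denied_in_whole_or_part": sum(r.response_nature in ("denied", "partial") for r in done),
                "median_days": median(days) if days else None,
            }
        return out

    def purge_expired(self, today: date) -> int:
        """Drop records past the retention floor; returns how many remain."""
        keep_from = today - RECORD_RETENTION
        self.records = [r for r in self.records if r.request_date >= keep_from]
        return len(self.records)
```

The lookback is inclusive on both ends and deduplicates purchasers, so a buyer that received the same consumer’s data twice in the window is notified once; a signal-only opt-out keyed to a device id will naturally match no sales records, which is the expected outcome when the consumer is not known.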
The Path Forward. While the proposed regulations are significant, they are only a draft and not legally binding. Moreover, there will be a fairly long and winding road before the Attorney General will be able to finalize the regulations – something that likely will not happen until well into the next year.
In particular, businesses and other members of the public can comment on the draft regulations and suggest changes until December 6th. They can make comments in writing or during the four public forums scheduled around the state in early December.
Once this comment period closes, the AG must respond in writing and explain its reasons for adopting or rejecting each comment. We expect this process to take some time, as the volume of comments will likely be substantial. If the AG changes the regulations in response to the comments, the cycle begins again with a new notice and comment period (although it could be shorter, depending on the type of changes that are made).
Once the AG finalizes a draft of the regulations, the Office of Administrative Law (“OAL”) will need to approve them to ensure they are consistent with the statute and other legal requirements. The OAL has 30 working days to approve the regulations and file them with the Secretary of State.
In the unlikely event regulations are able to be filed by February 29th, they will be effective on April 1st. If they are filed after February 29th, but before May 31st – the more probable course — they will take effect on July 1st, the statutory deadline.
Meanwhile, the CCPA itself still takes effect on January 1, 2020, and businesses may quickly begin seeing data subject rights requests, not to mention potential data breach litigation under the private right of action. Even if the regulations are not final, they are useful as businesses prepare for the dawning of at least some parts of the new CCPA era.