Source: Canada US
Link: California Consumer Privacy Act: Are You Ready? (Part 2)
In Part 1, see https://www.canada-usblog.com/2019/10/23/california-consumer-privacy-act-are-you-ready-part-1/, we summarized the recent legislative changes regarding the California Consumer Privacy Act (“CCPA”). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations both meet that timeframe, but also seek to provide much-needed guidance to industry.
Most of the legislative changes focused on narrowing the definition of personal information, clarified the timeframe which applies when a consumer demands information the business possesses about him or her, and also confirmed the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions:
* Definitions for both “sell” and “disclose” appear below.
The term “consumer” has been defined from the outset as anyone who lives in California. Devices are defined at Civil Code § 1798.140(j) as “any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.”
For regulatory purposes, the following questions should be added to the list:
The reason for these questions will become apparent as we discuss the new regulations. See here for the full regulatory details. The starting point is these regulations were issued as a proposal. The deadline to comment is 5:00 p.m. on December 6, 2019 (to PrivacyRegulations@doj.ca.gov or Privacy Regulations Coordinator, California Office of the Attorney General, 300 S. Spring St., First Floor, Los Angeles, CA 90013). Public hearings will also be held on December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).
The regulations focus on permitting consumers to obtain the basic information called for in the CCPA:
The business must provide two or more means by which the consumer may submit a request for information, one must be a toll-free phone number and, if the business has it, a website (if no website, the business must find other acceptable means of giving notice). The information must be provided within 45 days (an additional 45 days is possible for good cause, but does not extend the time within which the first response must be given). The data must be provided free of charge, the business may impose reasonable means to verify the identity of the recipient, and, when providing the data, it must be in an easily transferrable format. If the company declines to act on the request, such as because it cannot verify the requestor, it must still respond within the first 45 days, and explain the applicable appeal rights. The response process is discussed again below where more specifics are provided.
When it comes to verification, as noted, the method must be reasonable. The regulations define reasonable to include a consideration as to the sensitivity of the information and the risk of harm to the consumer from unauthorized access or deletion. If the consumer has a password protected account, that account may be used to provide the notice and also to detect any fraud. When it comes to non-account holders, at least two data points must be matched, and the result must yield a high degree of certainty. In some cases, a third data element can be required along with a signed declaration under penalty of perjury. When it comes to deletions, companies would be well advised to consider whether to rely on the password protected account, or more data points, depending again on the sensitivity of the data and the risk of harm to the consumer by unauthorized deletion.
The consumer data disclosed is for the 12 months preceding the date of receipt. Consumers may not make more than two (2) such requests in any 12 month period. The business may charge the consumer only if the requests are unfounded or excessive. If the consumer requests deletion of his or her records, that request is also subject to the 45 day rule. However, there are some exceptions. Companies may retain the data in order to:
1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, perform actions reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
3) Debug to identify and repair errors that impair existing intended functionality.
4) Exercise free speech, ensure another consumer’s right to exercise free speech, or exercise another right provided for by law.
5) Comply with the California Electronic Communications Privacy Act.
6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
7) Enable solely internal uses reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
8) Comply with a legal obligation.
9) Use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
The CCPA also includes the right to opt-out, which is why determining in advance what exactly is done with the data collected is critical. If you share that data with any third parties, you are obligated to provide an opt-out option. That is the case because the definition of “selling” includes “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration”. See Civil Code § 1798.140(t).
The rules about minors are unchanged. For minors under the agent of 13, the consent of a guardian or parent is required for all purposes, including consent to sell. If the minor is between 13 and 16, the minor must give consent for all purposes.
Businesses may not discriminate against consumers who exercise their CCPA rights. Discrimination is broadly described to include denying goods or services, charging different prices or rates, or providing a different level of service or quality of goods. However, such differences are permitted, including financial incentives, if that difference is reasonably related to the value provided to the business by the consumer’s data. More on this topic can also be found later.
There are specific disclosures also required:
If the business receives the data strictly from other sources, it need not give notice of collection to the consumer but must either contact the consumer directly and provide that notice or contact the source of the information and confirm the source has provided the required notice and obtain a signed attestation from that source describing how the source gave notice, to include a copy of the notice. These attestations are to be retained for at least 2 years and made available to consumers upon request.
In the documents supporting the proposed regulations, the Attorney General acknowledges the regulatory cost to the State will be $4.7 million for FY 2019-2020 and $4.6 million for FY 2020-2021. The estimated cost to business between 2020 and 2030 is said to be $467 million to $16,454 million. The documentation goes on to acknowledge there is a potential competitive disadvantage for California companies (the estimate is 15,000 to 400,000 businesses will be impacted) to companies which operate outside California and are not otherwise subject to the CCPA. For that reason, submissions proposing alternate means of implementation are requested which address the following topics:
i) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to businesses.
ii) Consolidation or simplification of compliance and reporting requirements for businesses.
iii) The use of performance standards rather than prescriptive standards.
iv) Exemption or partial exemption from the regulatory requirements for businesses.
If a company has a loyalty or other financial incentive program, those are still permitted, but there are specific notice requirements which generally mirror the criteria mentioned above regarding what must be included in the notice and how those incentives are to be explained. Similarly, if any cost or service differences do apply, they must meet the standard and also provide a “good-faith estimate” of the value of the consumer data which forms the basis for the differential, and also a description of the method used to calculate the value stated.
Given these regulatory mandates, here are some additional factors for business to consider:
The CCPA regulations also go on to address the use of service providers (third parties) which owe duties of indemnity and compliance to the businesses which hire them (and conversely the business owes a duty of indemnity to that service provider), dealing with the collection and use of the data collected. There are also general rules for verification of consumers, password protected accounts, non-account holders and authorized agents.
Clearly these regulations are complex and demanding. Companies would, therefore, be well-served to first make sure as to the specifics of their business model, the nature and extent of the personal data collected, and how that data is used and shared. A refresher to be sure the information in hand is current is recommended before proceeding further. Once all of that is clear, a carefully study of the requirements of the CCPA regulations is in order, so as to compare those requirements with current practices, and then, of course, update accordingly.
Bearing in mind individual and class action lawsuits are now permitted, someone is going to be the poster child for having messed up compliance. Whether you handle implementation yourself or we or another advisor assist you, getting it right the first time is critical to having a peaceful holiday season! Will you be ready?