Last week, the California AG’s office released proposed regulations implementing key provisions of the CCPA (“CCPA Regulations”). In the CCPA Regulations, the California Attorney General (AG) offered businesses clarifications–and, in some cases, new obligations–around consumers’ individual rights requests under the CCPA. In Issue 1, we provided an overview of the themes addressed by the regulations. In Issue 2, we gave an overview of the requirements related to Notices to Consumers. In today’s CCPA Week Issue, we cover the details of Article 3 – Best Practices for Handling Consumer Requests.
Methods for Submitting Requests to Know and Requests to Delete
The CCPA provides consumers with the right to request that a business disclose what personal information (PI) it holds about the consumer. The proposed rules newly define this as a “request to know,” which includes specific pieces of PI held by the business; categories of PI it has collected; categories of sources from which the PI is collected; categories of PI sold or disclosed about a consumer for a business purpose; categories of third parties to whom the PI was sold or disclosed for a business purpose, and the business or commercial purpose for collecting or selling PI. Likewise, consumers have the right to request deletion of their PI.
Notwithstanding the CCPA amendments signed into law by the Governor last Friday, as described on Monday in Issue 1, the CCPA Regulations, which were released one day prior, stipulate that businesses must provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number and, if the business operates a digital property, an interactive webform accessible through the business’s website or mobile application. The CCPA Regulations do not prescribe a particular method for submission of requests to delete, but do generally require that, for either requests to know or requests to delete, at least one method offered must reflect the manner in which the business primarily interacts with the consumer (even where this means a business must offer three methods for submitting requests to know). For more information, see § 999.312.
Requests to Access or Delete Household Information
The CCPA defines PI to include information that could reasonably be linked with a household–such that requests to know, delete and opt-out may involve PI not only of individual consumers, but of consumers residing in the same household. The CCPA Regulations attempt to address this by balancing individual and group privacy rights. They do so by stating that a business may respond to a request to know or to delete in relation to household PI by providing aggregate household information, subject to verification, rather than individualized PI. Individualized PI may only be disclosed pursuant to such a request if the business is able to individually verify all the members of the household. The rules qualify this section with the condition “where a consumer does not have a password-protected account with a business,” so as not to disrupt existing procedures businesses may have for giving holders of password-protected accounts access to their individualized PI.
Responding to Requests to Know and Delete
The CCPA Regulations add a new requirement to confirm receipt within 10 days of receiving requests to know or to delete. Such confirmations may be automated, but must describe the business’s verification process and when the consumer should expect a response. The rules also clarify that requests to know or to delete must be responded to within 45 days–beginning on the day the business receives the request, “regardless of time required to verify the request.” Moreover, where necessary, an additional 45 days may be taken to respond to a request–“for a maximum total of 90 days from the day the request is received”–if proper notice and explanation for the delay is provided.
The rules also address withholding specific pieces, or even categories, of PI when the consumer’s identity cannot be verified by the business, or where disclosure creates a “substantial, articulable, and unreasonable risk to the security” of that PI, the consumer’s account, or the business’s systems or networks. The rules further provide that businesses should never disclose a consumer’s Social Security number, driver’s license number, other government-issued ID numbers, financial account number, health insurance or medical ID number, account password, or security questions and answers. Consistent with the general considerations regarding reasonable security set forth in CCPA Section 1798.150, the CCPA Regulations add an obligation in this section to “use reasonable security measures” when transmitting PI to the consumer and “reasonable data security controls” when disclosing PI through a consumer portal.
Special Considerations for Deletion Requests
For requests to delete, businesses may comply by either “permanently and completely erasing” the PI from existing systems (save for archived or back-up systems, which are allowed a delay until they are next accessed or used); de-identifying the PI; or aggregating the PI. In any response to a deletion request, a business must specify the manner in which it has deleted the PI, as well as maintain a record of the request. Separately, the rules clarify that deletion requests should be a two-step process: consumers must first submit the request to delete and, then, separately confirm their desire for their PI to be deleted.
Requirements for Service Providers
§ 999.314 of the CCPA Regulations addresses a number of concerns raised by the public during the Attorney General’s preliminary rulemaking activities concerning which organizations qualify as “service providers.” This issue is important, since the CCPA does not consider personal information used by or shared with a service provider to perform a business purpose to be a “sale” (Civ. Code, § 1798.140, subdivision (t)(2)(C)). The CCPA Regulations also provide clarification as to how service providers are to handle consumer requests made pursuant to the CCPA. The CCPA defines a “service provider” as a for-profit legal entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.” (Civ. Code, § 1798.140, subdivision (v)).
The CCPA Regulations provide additional clarification by providing that:
(1) a person or entity providing services to a person or organization that is not a “business” as that term is defined in Civil Code section 1798.140, subdivision (c), but otherwise meets the requirements of a “service provider,” shall be deemed a “service provider” for purposes of the CCPA (e.g., entities that process personal information on behalf of non-profit and government entities are “service providers,” even though the non-profit and government entities are not subject to the CCPA), and
(2) a person or entity that collects personal information directly from a consumer on the business’s behalf that otherwise meets all the other requirements of a “service provider,” will still be considered a “service provider” (i.e., despite the CCPA definition of “service provider” referring to an entity “to which the business discloses a consumer’s personal information”).
The CCPA Regulations provide additional clarification on the second half of the CCPA definition of “service provider” by noting that a service provider’s use of personal information collected from one business to provide services to another business would be outside the bounds of a “necessary and proportionate” use of personal information, since it would be advancing the “commercial purposes” of the service provider rather than the “business purpose” of the business. However, the CCPA Regulations now provide an exception for such use to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity. The CCPA Regulations also address the situation where service providers may not be contractually allowed to disclose or delete the personal information they handle on behalf of businesses. In order to facilitate the consumer’s disclosure or deletion request, the CCPA Regulations would require service providers to explain the basis for denying the request, direct the consumer to the business in control of their information and, when feasible, provide the consumer with the contact information for that business. Finally, for an organization that acts as both a “business” and a “service provider” under the CCPA, the CCPA Regulations require such an organization to comply with the CCPA and the CCPA Regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider.
Methods for Submitting Opt-Out Requests
The CCPA provides consumers with the right to direct a business that sells a consumer’s PI to other businesses or to third parties to stop selling that information. This “right to opt-out” must be further reinforced by a “Do Not Sell My Personal Information” link on a company’s webpage, and a 12-month requirement to honor a consumer’s opt-out decision (by no longer selling their PI and by not asking them to opt back in during that 12-month period).
The CCPA also requires the AG to approve “designated methods for submitting requests” under the CCPA, which the CCPA Regulations aim to do by requiring businesses to provide two or more designated methods for submitting requests to opt-out, including a clear and conspicuously linked-to interactive “Do Not Sell My Info” webform on the business’s homepage (a shortened phrase for smaller screen viewability). This aligns with the minimum of two methods that businesses must provide for consumers to submit requests to know or to delete.
Other acceptable opt-out request submission methods include a toll-free phone number, a designated email address, a form submitted in person or via postal mail, and “user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism,” that communicate or signal the consumer’s choice to opt-out of the sale of their PI–such that businesses collecting PI from consumers online must treat such signals as a consumer’s election to opt-out of the sale of their PI for that browser or device. Businesses are required by the rules to consider the manner in which they sell PI to third parties, available technology, and the ease of use by the average consumer when determining which methods consumers may use to submit an opt-out request–with at least one method being required to reflect the manner in which the business “primarily interacts with the consumer.”
Providing consumers with granular opt-out options, such as for sales of certain categories of PI, is permissible if a global option to opt out of the sale of all PI is “more prominently presented” than the other choices. The CCPA Regulations also add a new requirement that businesses act on an opt-out request no later than 15 days from the date the business receives the request, and notify all third parties to whom they sold the consumer’s PI within the 90 days prior to receipt of the opt-out request–instructing those third parties not to further sell the PI, and notifying the consumer when this has been completed. The intended result, consumers being more aware of the identity of the companies to whom businesses have sold their PI, comes with a new deadline-driven operational compliance burden for businesses. The rules also clarify that opt-out requests, unlike requests to know and requests to delete, need not be verified.
Requests to Opt-In
As the CCPA Regulations similarly set forth for requests to delete, requests to opt-in to the sale of PI must use a two-step process whereby consumers must first clearly request to opt-in, and then, separately, confirm their choice to opt-in. The rules also clarify that, where the sale of PI is a condition of completing a transaction but the consumer has already opted out of the sale of his or her PI, a business may inform the consumer of this along with instructions on how the consumer can opt-in–even if the required 12-month period (during which the business must refrain from asking the consumer to opt back in) has not passed.
To learn more, register for the webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.”
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.