Last week, the California AG’s office released proposed regulations implementing key provisions of the CCPA (“CCPA Regulations”). In the CCPA Regulations, the California Attorney General (AG) offered businesses clarifications–and, in some cases, new obligations–around consumers’ individual rights requests under the CCPA. In Issue 1, we provided an overview of the themes addressed by the regulations. In Issue 2, we gave a recap of the requirements related to Notices to Consumers. In Issue 3, we provided best practices for handling consumer requests. In today’s CCPA Week Issue, we address a range of topics such as training, metrics, verification and minors.

Training

Among the proposed provisions of the CCPA Regulations are expanded requirements for training those individuals responsible for handling consumer inquiries regarding the business’s privacy practices or compliance with the CCPA. The CCPA Regulations expand the training scope from specific sections of the CCPA to all of the requirements of the CCPA and the CCPA Regulations. Additionally, businesses that buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 4,000,000 or more consumers must establish a training policy to govern the implementation of these training requirements.

Record-Keeping

The CCPA Regulations introduce record-keeping requirements for all businesses and enhanced record-keeping requirements for businesses that obtain, use, and share larger volumes of data for commercial purposes. Specifically, all businesses must maintain a record of consumer requests under the CCPA, as well as how they responded, for a period of 24 months. These records may not be used for any other purpose. Further, any business that “buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers” must maintain annual statistics of the number of requests from consumers (confirmation, deletion, opt out) and the median length of response time. These statistics must be made publicly available and accessible from the business’s privacy policy.

Verification of Requests

CCPA, similar to GDPR, requires businesses to take steps to verify the identity of the consumer making the request to ensure the consumer is indeed the consumer that the data pertains to and to protect against unauthorized access. Notably, the CCPA Regulations do not extend the verification requirement to requests to opt-out of the sale of personal information.

The CCPA Regulations establish general rules for verification, as well as verification rules for three specific scenarios: where consumers have a password-protected account, where consumers are not account-holders, and where a consumer uses an authorized agent to submit a request.

General Rules

Identity verification methods should be reasonable. Two primary approaches are provided: (1) match identity information with personal information already maintained by the business, or (2) use a third-party identity verification service. The proposed approach seeks to address concerns raised in recent months about the risks associated with responding to access requests by establishing six factors, such as the sensitivity of the data and the potential risk of harm to the consumer, for assessing the methodologies to use. Additionally, the rules establish purpose limitation and security controls to further mitigate the risks associated with verification and clarify that the requirements for providing access to or deleting personal information do not apply to de-identified information.

Password-Protected Accounts

The approach for identity verification where the personal information is accessible via a password-protected account leverages established authentication approaches, such as user authentication to access the account, user re-authentication to delete personal information, and additional authentication checks where fraudulent or suspicious account activity is detected.

Non-Account Holders

The approach for non-account holders uses “degree of certainty” tests based on the risks associated with the request. For example, requests to know the categories of personal information require matching of two data points, whereas requests to know specific pieces of personal information require matching of three data points. Requests to delete data require a degree of certainty that correlates with the sensitivity of the data that is requested to be deleted. The proposed rules also provide for how businesses should handle scenarios in which the requisite degree of certainty cannot be achieved. In those scenarios, the business must provide an explanation to the requestor; where identity verification is not possible across the broader customer base, this must be disclosed in the business’s privacy policy and re-evaluated annually.
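To make the non-account-holder rules concrete, here is an added illustration (not code from the original post or from TrustArc) of how a request-handling service might encode the degree-of-certainty tiers. The two- and three-data-point thresholds for requests to know come from the regulations as summarized above; the sensitivity tiers used for deletion requests, the record layout, the field names and the sample consumer records are all constructed assumptions for this example. The verification step also returns the explanation the business owes a requestor when the threshold is not met, and it treats a de-identified record as out of scope rather than as a failed verification.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Required matching data points per request-to-know type, as described in the
# proposed regulations (two for categories, three for specific pieces).
REQUIRED_MATCHES = {
    "know_categories": 2,
    "know_specific": 3,
}

# Deletion thresholds scale with the sensitivity of the data being deleted.
# The tier names and counts here are an assumption, not from the regulations.
DELETION_MATCHES_BY_SENSITIVITY = {
    "low": 2,
    "high": 3,
}

# Constructed sample records (hypothetical consumers, not real data).
# "deidentified" marks a record that holds only de-identified information.
RECORDS: Dict[str, Dict[str, Optional[object]]] = {
    "cust-001": {
        "email": "a.rivera@example.com",
        "postal_code": "94105",
        "phone": "415-555-0100",
        "deidentified": False,
    },
    "cust-002": {
        "email": None,
        "postal_code": "10001",
        "phone": None,
        "deidentified": True,
    },
}


@dataclass
class VerificationResult:
    verified: bool
    matches: int          # data points that matched the stored record
    required: int         # data points required for this request type
    explanation: str      # text the business can return to the requestor


def count_matches(submitted: Dict[str, Optional[str]], record: Dict[str, Optional[object]]) -> int:
    """Count submitted data points that exactly match the stored record.

    Only non-empty submitted values count; a blank field never matches a blank
    stored field, so a requestor cannot pad the count with empty values.
    """
    return sum(1 for k, v in submitted.items() if v and record.get(k) == v)


def verify_request(
    request_type: str,
    submitted: Dict[str, Optional[str]],
    record: Dict[str, Optional[object]],
    sensitivity: str = "low",
) -> VerificationResult:
    """Apply the degree-of-certainty test for a non-account-holder request."""
    # De-identified data is outside the access/deletion requirements entirely.
    if record.get("deidentified"):
        return VerificationResult(
            False, 0, 0,
            "Record holds only de-identified information; access and deletion requirements do not apply.",
        )

    if request_type == "delete":
        required = DELETION_MATCHES_BY_SENSITIVITY[sensitivity]
    else:
        required = REQUIRED_MATCHES[request_type]

    matches = count_matches(submitted, record)
    if matches >= required:
        return VerificationResult(
            True, matches, required,
            "Identity verified to the required degree of certainty.",
        )
    # Threshold not met: the business must tell the requestor why.
    return VerificationResult(
        False, matches, required,
        f"Could not verify identity: {matches} of {required} required data points matched; "
        "the request cannot be fulfilled.",
    )


def audit_entry(request_type: str, result: VerificationResult) -> Dict[str, object]:
    """Build the record-keeping entry for a request.

    Purpose limitation: the entry records the request type and outcome only,
    never the identity data points the consumer submitted for verification.
    """
    return {"request_type": request_type, "verified": result.verified, "matches": result.matches}


if __name__ == "__main__":
    submitted = {"email": "a.rivera@example.com", "postal_code": "94105"}
    for rtype in ("know_categories", "know_specific"):
        res = verify_request(rtype, submitted, RECORDS["cust-001"])
        print(rtype, res.verified, res.explanation)
        print(audit_entry(rtype, res))
```

With the same two submitted data points, a request to know categories is verified while a request to know specific pieces is refused with an explanation, which is exactly the asymmetry the tiers are meant to produce; the audit entry deliberately omits the submitted values so the verification data cannot be reused for another purpose.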

Using an Authorized Agent

The proposed rules address scenarios where one person may submit a request to know or a request to delete on behalf of another person. Where the person making the request on behalf of a consumer has a power of attorney, those requirements will be honored. For other requests, an authorized agent may be appointed, and the business may require evidence of written permission from the consumer granting the agent this status as well as verification of the consumer’s own identity.

Special Rules for Minors

There is ongoing recognition that information collected from minors requires special protections. CCPA is no exception. The United States put protections in place in 1998 by passing the Children’s Online Privacy Protection Act (COPPA), which requires verifiable parental consent prior to collecting personal information directly from children under age 13. The General Data Protection Regulation (GDPR) Article 8 requires parental consent prior to processing personal information collected from children. While COPPA focuses on collection and GDPR focuses on processing, CCPA requirements focus on the sale of children’s data and obtaining the appropriate opt-in consent from either the parent or the minor aged 13-16.

The CCPA Regulations provide specifications on how businesses should handle the two different groups of minors: those under 13 years of age and those 13-16 years of age.

Minors Under 13 Years of Age

In addition to meeting the applicable requirements under COPPA, the CCPA Regulations require additional steps beyond obtaining consent as required under COPPA to determine that the person authorizing the sale of the child’s personal information is the child’s parent or guardian. Measures for ensuring the person is the child’s parent or guardian include mechanisms similar to those allowed under COPPA for obtaining verifiable parental consent, such as obtaining a signed consent form, using a credit card in conjunction with the transaction, communicating with trained personnel via a toll-free phone line or video conference, or verifying a government-issued ID. General requirements relating to verification as outlined in Article 4 of the CCPA Regulations apply. The business, upon receiving authorization from the parent, will inform the parent that they can opt out of the sale of the child’s personal information at a later date and provide instructions for doing so. This is consistent with COPPA, which gives the parent the right to withdraw consent to the collection and further use of the child’s information at any time.

Minors 13-16 Years of Age

If the business has actual knowledge it maintains personal information from children aged 13-16, then the business must establish, document, and implement a reasonable process for obtaining the minor’s opt-in consent for the sale of the minor’s personal information. The business must inform the minor that he or she may withdraw consent to the sale of their personal information at any time and include instructions for doing so.

Notices for Minors

The requirements related to the sale of personal information regarding minors under the CCPA Regulations also extend to the business’s Privacy Policy. Businesses subject to these requirements must include in their privacy policies a description of how parents and minors can exercise their rights relating to the sale of the minor’s personal information. Notably, for those businesses that only target minors under 16 years of age and do not sell the personal information of those minors without their opt-in consent, the CCPA Regulations clarify that these businesses do not need to provide the Notice of the Right to Opt-Out of the Sale of Personal Information.

To learn more, watch the webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.”

This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.
