Last week, the California AG’s office released proposed regulations implementing key provisions of the CCPA (“CCPA Regulations”). In the CCPA Regulations, the California Attorney General (AG) offered businesses clarifications, and in some cases new obligations, around consumers’ individual rights requests under the CCPA. In Issue 1, we provided an overview of the themes addressed by the regulations. In Issue 2, we gave a recap of the requirements related to Notices to Consumers. In Issue 3, we provided best practices for handling consumer requests. In today’s CCPA Week Issue, we address a range of topics such as training, metrics, verification and minors.
Among the proposed provisions of the CCPA Regulations are expanded requirements for training those individuals responsible for handling consumer inquiries regarding the business’s privacy practices or compliance with the CCPA. The CCPA Regulations expand the training scope from specific sections of the CCPA to all of the requirements of the CCPA and the CCPA Regulations. Additionally, businesses that buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 4,000,000 or more consumers must establish a training policy to govern the implementation of these training requirements.
Verification of Requests
CCPA, similar to GDPR, requires businesses to take steps to verify the identity of the consumer making the request to ensure the consumer is indeed the consumer that the data pertains to and to protect against unauthorized access. Notably, the CCPA Regulations do not extend the verification requirement to requests to opt-out of the sale of personal information.
The CCPA Regulations establish general rules for verification, as well as verification rules for three specific scenarios: where consumers have a password-protected account, where consumers are not account-holders, and where a consumer uses an authorized agent to submit a request.
Identity verification methods should be reasonable. Two primary approaches are provided: (1) match identity information with personal information already maintained by the business, or (2) use a third-party identity verification service. The proposed approach seeks to address concerns raised in recent months about the risks associated with responding to access requests by establishing six factors, such as the sensitivity of the data and the potential risk of harm to the consumer, for assessing which verification methods to use. Additionally, the rules establish purpose limitation and security controls to further mitigate the risks associated with verification, and clarify that the requirements for providing access to or deleting personal information do not apply to de-identified information.
The approach for identity verification where the personal information is accessible via a password-protected account leverages established authentication practices, such as requiring the user to authenticate to access the account, requiring the user to re-authenticate before personal information is deleted, and applying additional authentication checks where fraudulent or suspicious account activity is detected.
Using an Authorized Agent
The proposed rules address scenarios where one person may submit a request to know or a request to delete on behalf of another person. Where the person making the request on behalf of a consumer has a power of attorney, those requirements will be honored. For other requests, an authorized agent may be appointed, and the business may require evidence of written permission from the consumer granting the agent this status, as well as verification of the consumer’s own identity.
Special Rules for Minors
There is ongoing recognition that information collected from minors requires special protections. CCPA is no exception. The United States put protections in place in 1998 by passing the Children’s Online Privacy Protection Act (COPPA), which requires verifiable parental consent prior to collecting personal information directly from children under age 13. The General Data Protection Regulation (GDPR) Article 8 requires parental consent prior to processing personal information collected from children. While COPPA focuses on collection and GDPR focuses on processing, CCPA requirements focus on the sale of children’s data and on obtaining the appropriate opt-in consent from either the parent or the minor aged 13-16.
The CCPA Regulations provide specifications on how businesses should handle the two different groups of minors: those under 13 years of age and those 13-16 years of age.
Minors Under 13 Years of Age
In addition to meeting the applicable requirements under COPPA, the CCPA Regulations require additional steps beyond obtaining consent as required under COPPA to determine that the person authorizing the sale of the child’s personal information is the child’s parent or guardian. Measures for ensuring the person is the child’s parent or guardian include mechanisms similar to those allowed under COPPA for obtaining verifiable parental consent, such as obtaining a signed consent form, using a credit card in conjunction with the transaction, communicating with trained personnel via a toll-free phone line or video conference, or verifying a government-issued ID. The general verification requirements outlined in Article 4 of the CCPA Regulations also apply. The business, upon receiving authorization from the parent, will inform the parent that they can opt out of the sale of the child’s personal information at a later date and provide instructions for doing so. This is consistent with COPPA, which gives the parent the right to withdraw consent to the collection and further use of the child’s information at any time.
Minors 13-16 Years of Age
If the business has actual knowledge that it maintains personal information from children aged 13-16, then the business must establish, document, and implement a reasonable process for obtaining the minor’s opt-in consent to the sale of the minor’s personal information. The business must inform the minor that he or she may withdraw consent to the sale of their personal information at any time, and must include instructions for doing so.
Notices for Minors
To learn more, watch the webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.”
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.