With the California Consumer Privacy Act of 2018 ("CCPA") set to take effect on January 1, 2020, California's Attorney General Xavier Becerra yesterday released the much-anticipated draft regulations operationalizing the CCPA.1 The CCPA (codified at California Civil Code Sections 1798.100 to 1798.198) aims to give California consumers increased transparency and control over how companies use and share their personal information, and requires most businesses collecting information about California consumers to:

  • disclose data collection, use, and sharing practices to consumers;
  • delete consumer data upon request by the consumer;
  • permit consumers to opt out of the sale or sharing of their personal information; and
  • not sell personal information of consumers under the age of 16 without explicit consent.

As a reminder, the CCPA is a landmark privacy law with broad reach that some have compared to Europe's General Data Protection Regulation (GDPR). Although the CCPA is a California law, it applies to any entity doing business in California and collecting California consumers' personal information that meets certain thresholds, and therefore affects a wide range of companies. More information and our prior client alerts, including a summary of the CCPA and its initial amendments, can be accessed here.

Yesterday's draft regulations flow from the law's requirement that, on or before January 1, 2020, the Office of the Attorney General (OAG) promulgate and adopt implementing regulations for the CCPA.2 The attorney general is now accepting public comments on the draft regulations through December 6, 2019, and the OAG plans to hold four public hearings across California (Sacramento, Los Angeles, San Francisco and Fresno) in early December to collect additional feedback. If the OAG adheres to its previous guidance, we expect the final regulations to be promulgated 15 days after any non-substantial changes to the draft; substantial changes would trigger another 45-day notice period.3 The attorney general's power to enforce the law is delayed until either July 1, 2020 or six months after the final regulations are issued, whichever comes first. Given the timeline for public comments, it appears that enforcement will most likely commence on July 1, 2020, and in any event no earlier than mid-June.

To provide some context for the scope of the draft regulations, we briefly summarize below a number of the key requirements. However, this description is not exhaustive, and you should consult with your regular Gibson Dunn counsel to determine how these draft regulations may affect you and your company. As the public comment period is an important opportunity for companies handling consumer information to provide feedback on the draft regulations, please feel free to contact any of the Gibson Dunn attorneys listed below, all of whom would be happy to assist in the formulation of responses in advance of the December 6, 2019 deadline.

Notice to be Provided to Consumers

In keeping with the theme of transparency to consumers, the draft regulations generally require any notices to be in "plain, straightforward language [that] avoid[s] technical or legal jargon," visible and readable (including on small screens), available in the languages in which the business ordinarily provides information, and accessible to consumers with disabilities. Businesses should keep in mind that this emphasis on accessibility to consumers has been the backbone of both the CCPA and the regulations, so notices and policies will need to be drafted in plain language for a general audience. More specifically, the draft regulations describe in some detail how companies should notify consumers of: (1) their data rights at the point of collection (including for brick-and-mortar businesses, which the text of the CCPA had not expressly addressed), (2) their ability to opt out of the sale of personal information (a sample opt-out button or logo is to be added in a modified version of the regulations4), (3) any financial incentive or price or service difference offered in exchange for allowing personal information to be used or sold, and (4) the business's privacy policy (which must be available in an additional format that allows a consumer to print it out as a separate document, and in whatever form is appropriate to the manner in which the information is collected).5

Process Requirements for Businesses and Consumers

The draft regulations further describe how businesses should procedurally handle consumer data requests, including requests to opt out of the sale of information and requests to delete information.6 The draft regulations also specify how businesses should verify consumers' identities when they receive these requests.7 Notably, the regulations add further requirements: businesses must keep records of consumer requests for 24 months, and a business that buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of 4 million or more consumers must compile certain metrics and disclose them in its privacy policy.8 In addition, the regulations require businesses to at least confirm receipt of a consumer request within 10 days, even though substantive responses are not due for 45 days (or 90 days from the date of the request, if an extension is taken within the initial 45 days).9 Businesses are required to support at least two methods for submitting requests. This includes, at a minimum, a toll-free telephone number and, if the business operates a website, an interactive webform accessible through the website or mobile application.10 In other words, simply providing a contact email address in a privacy policy may not be sufficient (a webform will likely be required). Note, however, that the toll-free telephone number may not be required if the pending legislation AB-1564 is signed into law.11 The draft regulations also require a two-step process for opt-ins following a previous decision to opt out, and for online requests to delete: first, submission of the request, and then a separate confirmation (which could be a new email, form, click, etc.).12

Collection of Information Only From Sources Other than the Consumer

The draft regulations contain important information for businesses that obtain information from publicly available government sources and not directly from the consumers:

A business that does not collect information directly from consumers does not need to provide a notice at collection to the consumer, but before it can sell a consumer's personal information, it shall do either of the following: (1) Contact the consumer directly to provide notice that the business sells personal information about the consumer and provide the consumer with a notice of right to opt-out in accordance with section 999.306; or (2) Contact the source of the personal information to: (a) Confirm that the source provided a notice at collection to the consumer in accordance with subsections a and b; and (b) Obtain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice. Attestations shall be retained by the business for at least two years and made available to the consumer upon request.13

Interestingly, this seems to eliminate the need for data scrapers, or other businesses that do not obtain information directly from the consumer, to provide notice at the time of collection. However, the requirement that such businesses provide notice or obtain attestations before the data is sold may be burdensome. The draft regulations do not appear to anticipate collection from non-government public sources, such as publicly available personal data on private websites. In those circumstances, a business collecting from non-governmental sources (including information posted publicly by the consumers themselves on social media or other sites) and then selling that information (under the CCPA's broad definition of "sale") may have to obtain attestations from the companies and websites that host the data, with whom the business likely has no relationship at all. If these regulations go into effect unchanged (e.g., without some form of safe harbor), the attestation requirement may have a significant impact on data brokers that collect data from Internet sources.

Clarification of the Non-discrimination Requirement

There had been some speculation regarding how the CCPA's non-discrimination provision would be enforced (pursuant to Civil Code section 1798.125, a business may not treat a consumer differently because the consumer exercised a right conferred by the CCPA). The draft regulations, using examples, clarify that "a business may offer a price or service difference if it is reasonably related to the value of the consumer's data as that term is defined in section 999.337."14 In other words, a business may charge a higher price to consumers who choose not to share their personal data, so long as the price differential is reasonably related to the "value of the consumer's data." Section 999.337 provides eight methods, one or more of which may be used to calculate this value.

Conclusion

While the draft regulations have provided much-needed clarity to a number of process-related questions, several areas of uncertainty remain. Previously, the OAG had indicated that, in addition to what the regulations have addressed, they would also clarify or define (1) categories of personal information, (2) unique identifiers (things used to identify an entity connected to the internet), and (3) exceptions to the law (due to conflicts with state or federal laws, trade secrets, or other forms of intellectual property). However, the draft regulations do not appear to provide any significant guidance on such topics.

It is important to use the opportunity the OAG has provided for comments to weigh in on the issues that remain unclear. Companies currently undergoing compliance efforts for CCPA should continue to consider the additional insight gathered from these regulations, and we are available to assist with your inquiries as needed.

Footnotes

1 Press Release, Attorney General Becerra Publicly Releases Proposed Regulations under the California Consumer Privacy Act (October 10, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-publicly-releases-proposed-regulations-under-california. The entire text of the draft regulations is available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-proposed-regs.pdf.

2 Cal. Civ. Code § 1798.185(a)

3 See https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-public-forum-ppt.pdf

4 Draft Regulations §999.306 (e).

5 See Draft Regulations §999.305 (a)(2), §999.306 (a)(2), §999.307 (a)(2), §999.308 (a)(2).

6 Draft Regulations §§ 999.312-315.

7 Draft Regulations § 999.323.

8 Draft Regulations § 999.317.

9 Draft Regulations § 999.313.

10 Draft Regulations § 999.312.

11 AB-1564 is presently on Governor Newsom's desk, awaiting final approval.

12 Draft Regulations § 999.312(d), § 999.312(a).

13 Draft Regulations § 999.305(d) (emphasis added).

14 Draft Regulations § 999.336.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.