California Consumer Privacy Act Amendments and Proposed Rules: Benefit or Burden?
Almost in tandem, the California Office of the Attorney General (OAG) and California Governor Gavin Newsom each recently took significant steps in shaping the obligations of businesses under the California Consumer Privacy Act (CCPA). On October 10, 2019, the OAG released proposed regulations implementing the statute; the next day, Governor Newsom signed into law a series of bills amending the CCPA. Given the nature of the amendments, it seems likely that the OAG will issue additional proposed implementing rules, or at least tailor its final rules to account for the amendments.
Among the more impactful of the amendments are one-year exemptions from most of the CCPA's requirements with respect to personal information collected (i) in connection with a business-to-business transaction or (ii) in an employment-related context. Other amendments, such as an expanded exemption for consumer report information regulated under the Fair Credit Reporting Act (FCRA), are of less broad, but still appreciable, importance.
Although both the new statutory amendments and the proposed regulations provide some clarification of the CCPA's ambiguities, including those discussed in our Advisory regarding the enactment of the statute, they by no means fully resolve many perplexing aspects of the law. As businesses move forward in preparing for compliance, there will be a continued need to formulate the most reasonable interpretations possible, guided by general privacy principles, canons of statutory interpretation, and plain common sense about consumer expectations.
The OAG is inviting public comments and will be holding public hearings on the proposed rules December 2-5, 2019 in four cities across the state. Those hearings, as well as the option to submit written comments on the proposed rules by December 6, are meaningful opportunities for entities subject to the CCPA to provide input on the statute's appropriate interpretation, implementation, and enforcement.
Newly Enacted Amendments
The new CCPA amendments were contained in five separate bills. In addition, Governor Newsom signed related legislation amending the definition of "personal information" in California's data security and data breach notification statutes, which definition relates to the private right of action granted by the CCPA, as discussed below. Some of the notable amendments include:
- Exemption for Personal Information Collected as Part of Business-to-Business Communications. For some businesses, the temporary "business-to-business" exemption mentioned above substantially curtails the application of the CCPA to their activities. That exemption, contained in Assembly Bill 1355, provides that, until January 1, 2021, the CCPA notice, deletion, and reporting requirements do not apply to personal information "reflecting" a communication or a transaction between the business and a consumer who is acting as an employee or other representative of a company or other organization, if the communication or transaction occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, such company or organization. Notably, however, businesses must still give individuals whose personal information is collected in such a "business-to-business" context an opportunity to opt out of the business's sale of that information.
For financial institutions in particular, the "business-to-business" amendment signals broad—if temporary—relief from many CCPA obligations. That is because the CCPA separately exempts from the definition of "personal information" information that is collected or otherwise processed by a financial institution "pursuant to" the federal Gramm-Leach-Bliley Act (GLBA). Personal information governed by the GLBA is non-public personal information collected by a financial institution in connection with an individual's application for or obtaining a product or service from the institution for personal, family, or household purposes. Thus, coupled with the GLBA exemption, the new "business-to-business" exemption broadly removes most financial institution customer information from the scope of the CCPA.
- Exemption for Credit Report Information. AB 1355 also expands the CCPA's preexisting exemption regarding "consumer report" information under the FCRA. Prior to the amendment's enactment, the CCPA simply provided that it did not apply to "sales" of personal information by or to a consumer reporting agency if the information was intended to be included in a "consumer report" as permitted under the FCRA. The new, expanded exemption excludes from the CCPA's scope any "consumer report" information, provided it is collected, used, and shared in compliance with the FCRA.
- Partial Exemption for Employment-Related Information. Assembly Bill 25 provides a one-year partial exemption from most of the CCPA obligations of a business with respect to personal information it collects from job applicants or the business's employees, owners, directors, officers, medical staff, or contractors, in the employment-related context. However, businesses must still provide these "consumers" with notice, prior to or at the point of collecting their personal information, regarding that collection, the purposes for it, and the categories of third parties with whom the information may be shared.
- Designated Methods for Submission of Consumer Requests. Assembly Bill 1564 modifies the CCPA's requirement that businesses provide both a toll-free number and another means for consumers to submit requests pertaining to their personal information. Under AB 1564, businesses that operate exclusively online and have a direct relationship with consumers from whom they collect personal information are permitted to provide only an email address to consumers.
- Expanded Grounds for Data Breach Private Right of Action. Assembly Bill 1130 does not amend the CCPA itself, but expands the definition of "personal information" that, if subject to unauthorized access or disclosure due to a business' lack of "reasonable security measures," triggers the private right of action granted to consumers under the CCPA. AB 1130 also expands, in the same way, the definition of "personal information" in California's data breach notification statute. As so amended, "personal information" in those contexts can be a consumer's first name or first initial and last name coupled with any of the following: unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document.
Proposed Regulations
The proposed regulations issued by the OAG provide guidance to businesses on several requirements of the CCPA, including:
- Notices to Consumers—e.g., notice of collection of personal information, notice of the right to opt out of sales of personal information, and notice of financial incentives to provide information.
- Notice of Collection. A business's notice that it will be collecting a consumer's personal information must be provided in plain, straightforward language, in a conspicuous format, and potentially in multiple languages. The notice must be accessible where consumers will see it before their personal information is collected, whether such collection occurs online or offline. (This could be provided as a link to the section of the business's privacy policy [described below] that describes the collection of personal information.) Businesses that engage in multiple forms of personal information collection will need to publish a notice of collection in multiple formats, for example on the business's website, in its mobile application, and in printed materials and signage. And if a business intends to use a consumer's personal information for any purpose that was not disclosed at or before the time of collection, the business must obtain the consumer's explicit (opt-in) consent to proceed with such use.
- Notice of Right to Opt Out. The CCPA requires businesses that "sell" personal information to provide a link titled "Do Not Sell My Personal Information" on their websites, which must enable consumers to opt out of such sale. The proposed regulations permit businesses alternatively to title the link "Do Not Sell My Info" and require that businesses provide a webform or other document that can be used to submit an opt-out request, together with a link to the business's privacy policy. The OAG will propose a sample opt-out button or logo for businesses' use in a later version of the regulations. A business that does not, and will not, engage in the sale of personal information and states so in its privacy policy is exempt from these opt-out-related requirements.
- Notice of Financial Incentive. The CCPA prohibits businesses from treating consumers who exercise their rights under the CCPA differently than other consumers. Thus, for example, a business may not charge a higher price of services to customers who have exercised their rights to opt out of the sale of their personal information, or requested deletion of their personal information, unless the price differential "is reasonably related to the value of the consumer's data." The proposed regulations require businesses to notify a consumer of each financial incentive or price or service difference offered in exchange for the retention or sale of the consumer's personal information. Such notice must include, among other things, a summary of the material terms of a financial incentive or price/service differential, instructions for providing and withdrawing consent for the retention or sale of the personal information, and an explanation of why the financial incentive or price/service differential is permitted under the CCPA, which must include a good faith estimate of the value of the consumer's personal information relative to the offering of the financial incentive or price/service differential, and a description of the method used to calculate such value.
- Privacy Policy Requirements. The proposed regulations clarify certain aspects of the privacy policy requirements of the CCPA, including that privacy policies must contain a comprehensive description of a business's online and offline personal information collection practices. The proposed regulations reiterate the statutory requirements for the content of privacy policies, including, among other items, information regarding consumers' right to (i) know about personal information that is collected, disclosed, or sold, (ii) request deletion of personal information, (iii) opt out of the sale of personal information, and (iv) non-discrimination in connection with their exercise of privacy rights.
- Responding to Consumer Requests. The proposed regulations provide guidance on how businesses should handle consumer requests about their data (i.e., "requests to know" and "requests to delete") and clarify acceptable methods for consumers to submit such requests and how businesses can verify them.
- Designated Submission Methods. Businesses must provide two or more designated methods for the submission of consumers' requests to know and requests to delete. These methods may include, for example, calling a toll-free telephone number, sending an email, writing through regular mail, or making a request in person. In designating these methods, businesses must consider the ways in which they interact with consumers, and at least one designated method must reflect the manner in which the business primarily interacts with consumers. If a business does not interact with consumers directly in the ordinary course of business, it must make available an online method for consumers to submit requests.
- "Do Not Ignore" Requirement. If a business receives a request to know or to delete other than via the business's designated submission channels, the business must either treat the request as if it had been submitted properly or provide the consumer with specific instructions to submit the request or address any deficiencies in the request that had been submitted. The business may not simply ignore the request.
- Responding to Requests to Know. The CCPA requires businesses to respond to consumer requests to know within 45 days (with a possible extension to 90 days if the consumer is notified of the delay). The proposed regulations add a requirement that businesses must confirm receipt of consumers' requests to know or delete within 10 days, and must include in such confirmation a description of the business's verification process and an estimate of when the consumer should expect to receive a substantive response. If a business is not able to verify the identity of the person making a request for specific pieces of personal information, it must not disclose any specific personal information to the requestor and must inform him or her that it was unable to verify his or her identity. In addition, in provisions that are welcome for businesses concerned about the risk of a data security breach in disclosing specific pieces of information upon request, the proposed regulations place several restrictions and conditions on the disclosure of personal information in response to such a request. A business may never respond by providing Social Security numbers, driver's license or other government-issued identification numbers, financial account numbers, health or medical identification numbers, account passwords or security questions and answers, or any other personal information where doing so would create a risk to the security of the information or the business's systems or networks.
- Responding to Requests to Delete. The proposed regulations mandate specific types of methods to delete personal information when a business agrees to a consumer's request to delete. Businesses may use one of three methods of deletion: (i) complete erasure of personal information from the business's information systems (other than archives or back-up systems), (ii) de-identification of the information, or (iii) aggregation of the information (as defined in the CCPA). Businesses' responses must specify the manner of deletion and explain that the business will maintain a record of the request, including the personal information contained in the request.
- Service Provider Obligations. Although service providers that are not also "businesses" under the CCPA generally do not have direct obligations under the law (but are bound by the service provider contracts they enter into with businesses), the proposed regulations impose certain requirements on service providers. First, a service provider may not use personal information obtained from or on behalf of one business (or directly from a consumer) for the purposes of any other business. Second, if a service provider receives directly from a consumer a request to know or to delete, it may comply, or, if it chooses to deny the request, it must explain the basis for the denial and inform the consumer that he or she should submit the request directly to the business on whose behalf the service provider processed the consumer's personal information.
- Verification of Consumer Requests. While the CCPA requires businesses to verify the identity of consumers who submit requests to know or to delete, it does not prescribe methods for such verification. Nor do the proposed rules, but they do prohibit any verification method that is not reasonably based on several risk-indicative factors, including, for example, the type, sensitivity, and value of the personal information collected, the potential for unauthorized access to or deletion of such information, the likelihood that malicious actors may seek to access or obtain such information, and the manner in which the business interacts with consumers. A business that faces heightened risk in any of these areas should implement more stringent verification processes. Businesses are encouraged to avoid requesting additional information from consumers as part of any verification process. In the event, however, that a business requires and obtains additional information, it may use that information only for identity verification, security, or fraud-prevention purposes and must delete the information as soon as practicable upon processing of the consumer's request.
- Data Collection from Minors. The proposed regulations implement special rules regarding data collection from minors, including with respect to the processes that should be followed to ensure that consent is obtained from a minor's parent or guardian (rather than an unauthorized person), documentation of such processes, and certain disclosures that must be provided in connection with the offering of goods and services to minors.
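The request-to-know handling described above (no specific pieces of personal information for an unverified requestor, and never any identification numbers, account numbers, passwords or security questions and answers, or other data whose release would create a security risk) and the 10-, 45- and 90-day clocks in the same passage are the parts of the proposed rules most naturally enforced in code rather than by reviewer judgment. The following Python is an added example written for this page; it is not code from the OAG, from the advisory's authors, or from any business's actual system. The field names, the constructed sample record, and the `internal_` risk rule are assumptions standing in for one business's own data model and its own security judgment.

```python
"""Assemble the specific-pieces portion of a CCPA request-to-know response
and compute the deadlines that run from the date the request is received.
Hypothetical example; field names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Optional

# Hypothetical field names in one business's customer record, each mapped to
# the category the proposed rules say may never appear in a response.
NEVER_DISCLOSE = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license number",
    "passport_number": "government-issued identification number",
    "bank_account": "financial account number",
    "card_number": "financial account number",
    "health_plan_id": "health or medical identification number",
    "password_hash": "account password",
    "security_question": "security question",
    "security_answer": "security answer",
}


@dataclass
class KnowResponse:
    disclosed: Dict[str, str]   # specific pieces released to the consumer
    withheld: Dict[str, str]    # field -> reason, kept for the business's own record
    message: str                # text sent to the consumer


def respond_to_request_to_know(
    record: Dict[str, str],
    verified: bool,
    creates_security_risk: Optional[Callable[[str, str], bool]] = None,
) -> KnowResponse:
    """Release specific pieces only to a verified requestor, and never release
    a never-disclose category or a field the business's own risk check flags."""
    if not verified:
        # Unverified: disclose nothing specific and say why.
        return KnowResponse(
            disclosed={},
            withheld={name: "identity not verified" for name in record},
            message=("We were unable to verify your identity, so this response "
                     "does not include specific pieces of personal information."),
        )
    disclosed: Dict[str, str] = {}
    withheld: Dict[str, str] = {}
    for name, value in record.items():
        if name in NEVER_DISCLOSE:
            withheld[name] = NEVER_DISCLOSE[name]
        elif creates_security_risk is not None and creates_security_risk(name, value):
            withheld[name] = "disclosure would create a security risk"
        else:
            disclosed[name] = value
    return KnowResponse(
        disclosed=disclosed,
        withheld=withheld,
        message=("Enclosed are the specific pieces of personal information we hold "
                 "about you, omitting categories that may not be disclosed."),
    )


def response_deadlines(received_on: str, extended: bool = False) -> Dict[str, str]:
    """Calendar-day deadlines (ISO dates) from the receipt date: 10 days to
    confirm receipt, 45 days to respond, or 90 if an extension is noticed."""
    received = date.fromisoformat(received_on)
    return {
        "confirm_receipt_by": (received + timedelta(days=10)).isoformat(),
        "respond_by": (received + timedelta(days=90 if extended else 45)).isoformat(),
    }


# Constructed sample record; not real consumer data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "card_number": "4111111111111111",
    "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "internal_risk_score": "0.83",
}


def internal_field_is_risky(name: str, _value: str) -> bool:
    """Hypothetical business rule: fields describing the business's own fraud
    controls are withheld because releasing them would expose those controls."""
    return name.startswith("internal_")


if __name__ == "__main__":
    result = respond_to_request_to_know(SAMPLE_RECORD, verified=True,
                                        creates_security_risk=internal_field_is_risky)
    print(result.disclosed)
    print(result.withheld)
    print(response_deadlines("2020-01-02"))
```

The never-disclose table is the part of this that should be reviewed by counsel and kept in step with the final rules; the risk predicate is where a business records its own judgment about data whose release would endanger its systems, which the proposed rules leave to the business.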
Interpreting and implementing the CCPA's requirements will be an ongoing challenge for many businesses, even with the clarification provided by some aspects of the recent amendments and proposed rules. A meaningful understanding of the purpose and value of data privacy regulation, coupled with sensitivity to consumer expectations, will help businesses considerably in finding their way toward compliance with the CCPA.
* * *
Arnold & Porter's Privacy and Data Security practice assists businesses in a wide range of industries, from e-commerce start-ups to global FORTUNE 100 companies, in the increasingly challenging task of protecting data consistent with applicable law. We provide data protection counsel to technology and business leaders in connection with the development and use of emerging technology platforms; to clients in the financial services and health industries; and to others involved in e-commerce, software development and deployment, telecommunications, government contracting, and a host of other activities. Our team also advises clients on the collection and use of protected consumer data and assists clients in designing and implementing compliant consumer disclosures and data privacy risk management controls. For further information about these services, please contact any of the authors or your Arnold & Porter contact.
© Arnold & Porter Kaye Scholer LLP 2019 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.