Part 5: Data Privacy in California: Responding to Consumer Requests and Enforcement by the Attorney General Begins
Nearly seven months since the California Consumer Privacy Act (CCPA) went into effect, the Attorney General’s enforcement period is set to begin on July 1, 2020. Is your business in compliance with the CCPA and prepared to respond to consumer requests under the new law and regulations?
In Parts One through Four of our CCPA series, we provided an overview of the law:
In this Part Five of our series, we review the responses required for consumer requests under the CCPA, as well as the Attorney General’s upcoming enforcement of the CCPA and his final proposed regulations.
The potential issues, costs, and risks in regulatory enforcement and litigation for not complying with the CCPA can be expansive, and we cannot cover in full detail here all of the rights, obligations, and requirements that may impact your organization, so always consult counsel with any specific questions relating to your particular business and its associated risks.
Responding to Consumer Requests
As discussed in greater length in Part 2 of our series, consumers have numerous rights under the CCPA. These rights include:
- The right to notice of information being collected from them;
- The right to know (access) the information a business has collected on them;
- The right to request deletion;
- The right to opt-out of the sale of their information; and
- The right to equal treatment after exercising their rights under the CCPA.
The CCPA and the Attorney General Regulations lay out the requirements that businesses must follow so that consumers can exercise these rights.
1. Methods for Consumers Submitting Requests to Know (Access) and Delete
A business that conducts business exclusively online and has a direct relationship with a consumer from whom it collects information is only required to provide an email address for consumers to submit requests to know. However, all other businesses subject to the CCPA are required to provide a minimum of two designated methods for submitting requests. Although the Attorney General’s final proposed regulations eliminate the requirement for an interactive webform, businesses are still required to provide a toll-free telephone number as one of the minimum two methods for consumers to exercise their rights under the CCPA. Additional acceptable methods identified in the Attorney General Regulations for the second method include a designated email address, a form submitted in person, and a form submitted by mail, among others. But in adopting a second method, businesses are not limited to these options, and need to consider the methods by which it primarily interacts with consumers when determining which additional methods to use.
Business should also provide two or more designated methods for consumers submitting requests to delete. As a change from the earlier iteration of the proposed regulations, the final proposed regulations no longer require a two-step process for online consumer requests to delete. Rather, businesses now have the discretion whether to use a two-step process to confirm a consumer’s request to delete, where the consumer must first submit a request and then separately confirm they would like their personal information deleted.
If a consumer submits a request to know and/or delete in a way that is not one of the designated methods provided by the business, the business has the option of either treating the request as if it was properly submitted, or instructing the consumer how to submit the request or remedy any deficiencies.
2. Verifying Consumer Identities
Before disclosing any personal information to a requesting consumer, businesses are required to verify the identity of consumers making the request for information. Under the final regulations, businesses must establish, document, and comply with a “reasonable method” for verifying that a person making the request is the same person from whom the business has collected the information being requested. The Attorney General has emphasized that whether a business has employed a reasonable method for verifying consumers is based on the totality of factors based on the practices of the business and consumer concerns.
Wherever possible, a business must avoid requesting additional information from the consumer for purposes of verification and use the information already collected to verify a consumer’s identity. If, however, the business cannot verify the identity of the consumer from information already maintained, the business may request additional information from the consumer, to be used only for verification and/or security or fraud-prevention. However, a business must delete any new personal information collected as soon as practically possible after processing the request. Pragmatically, it is difficult to see how frequently this situation would arise, and as it imposes an additional obligation of deleting information, should be avoided.
Generally, businesses that maintain password-protected accounts may verify a consumer’s identity through any already existing authentication practices for that account (e.g., username, password, and/or security questions), but such businesses must require a consumer to re-authenticate themselves before disclosing or deleting any data. Businesses that do not maintain consumer accounts, however, will have to engage in different verification procedures.
For non-account holders, verification might be dependent on the type and sensitivity of information being sought by the request. For requests of categories of personal information maintained, the regulations require that a business verify the consumer’s identity to a “reasonable degree of certainty,” but for specific pieces of information, a “reasonably high degree of certainty”—a higher bar for verification—must be satisfied. The regulations suggest what businesses “may” do to meet these standards, including matching at least two data points of information from the consumer to obtain a “reasonable degree of certainty”, or three data points and a signed declaration for a “reasonably high degree of certainty.” Similarly, a business’s compliance with a request to delete may require that the business verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty, depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.
As discussed below, however, the regulations also prohibit businesses from disclosing certain types of information regardless of the verification procedure, including social security numbers and biometrics. A business would still need to respond with a general description of what information is collected, but it could not disclose the actual data. For example, a business may be required to state that it collects biometric data including a fingerprint scan, but the business would be prohibited from disclosing those fingerprint scans.
The verification requirements are significant because of the potential for fraud or risks to data security that exist, but also because consumer requests may be denied if a consumer cannot be verified. Under the regulations, if there is “no reasonable method” by which a business can verify a consumer’s identity, the business must state so in a response to the consumer, but would not have to provide the information sought by the request.
3. Responding to Consumer Requests to Know and Delete
There are a few key timing deadlines to keep in mind when responding to requests to know and delete:
- Once a business receives a consumer request to know and/or delete, a business must confirm receipt of the requests within ten (10) business days, and explain how the business will process the request, including any verification procedures.
- Businesses have forty-five (45) calendar days to respond to the request and provide the information, or delete the information, as requested. This 45-day period will begin the day the request is received, and includes whatever time is necessary to verify the request, as well as the ten business days required to confirm the request. If a business cannot verify a consumer’s identity within the 45-day period, a business may deny the request, but if it does so it must inform the consumer of their decision.
- If necessary, businesses may take an additional 45 days, for a total of 90 calendar days, but must provide notice to consumer of why the extension is necessary.
Businesses must provide information to requests to know dating back twelve (12) months from the date the business receives the request. As mentioned above, it is also important to keep in mind that certain information may not be disclosed in response to a consumer request, including certain sensitive information such as social security numbers, government identification numbers, and biometric information, but the business must still inform the consumer with “sufficient particularity” that it has collected this type of information.
There are many intricacies to replying to consumer requests to know and delete, as well as exceptions that may apply, so consult counsel if you have specific questions as they relate to your business.
4. Responding to Requests to Opt-Out
If a business sells information, it is required to provide consumers with two or more designated methods for submitting a request to opt-out, including, at minimum, an interactive webform with a link labeled “Do Not Sell My Personal Information,” on its website or in its mobile application, if applicable. In assessing the second designated method, here, again, businesses must use their discretion to evaluate by which methods the business primarily interacts with consumers. No matter what method is utilized, however, it must be easy for consumers to execute and must require “limited steps” for consumers to be able to fully exercise their right to opt out. A business may not use a method that is designed with the purpose, or has the effect of, obstructing a consumer from opting out. Significantly, moreover, if a consumer has exercised their right to opt-out of the sale of their information, requests to opt-in for the sale of personal information must use a two-step opt-in process before a business may sell the consumer’s personal information.
Some Highlights of the Attorney General’s Final Regulations
The Attorney General’s proposed regulations for the CCPA have undergone an eight-month process from the initial draft of the proposed regulations issued in October 2019, including public hearings and public comment periods. On June 1, 2020, the Office of the California Attorney General submitted the final proposed regulations package under the CCPA to the California Office of Administrative Law (OAL). This is the final step before the regulations go into effect. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law. The Attorney General has requested an expedited review, and the OAL has 30 working days to review the package submitted by the Attorney General for procedural compliance with the Administrative Procedure Act. However, because of the COVID-19 pandemic, the OAL has an additional 60 calendar days under Executive Order N-40-20 to complete its review, if necessary.
Although many of the regulations have remained consistent, there have been some significant changes to certain provisions during the revision process from the initial proposed regulations to the final proposed regulations the Attorney General submitted to the OAL. Although this post cannot go into detail of all the changes, below are a few significant highlights or clarifications provided in the final proposed regulations:
- Possibly the most significant change (or, rather, deletion) in the regulations is the removal of the proposed Section 999.302 of the regulations. The February 2020 revision to the guidelines provided guidance for interpreting the definition of “personal information” under the CCPA. Specifically, the February revision proposed adding guidance that whether data constituted “personal information” depended on the manner in which a business maintained that data. Accordingly, data such as IP addresses would only have constituted “personal information” if it reasonably could be linked to an identifiable consumer or household. The March 2020 regulations, and now the final version of the regulations, deleted this guidance, potentially expanding the breadth of data that might encompass “personal information” for CCPA enforcement purposes.
- Businesses operating exclusively online are now only required to provide an email address for consumer requests, instead a webform and toll-free telephone number.
- Businesses no longer have the same responsibilities to search for personal information when responding to a request to know if they fulfill certain requirements. Businesses do not need to search for personal information that is not maintained in a searchable or reasonably accessible format, is only maintained for legal or compliance purposes, and is not sold or used for a commercial purpose. If each of these conditions is met, the business may instead describe to the consumer the categories of records that it did not search because these conditions were applied.
- Provisions on notice placement and conspicuousness of privacy policies clarifies that a privacy notice must be “made readily available” to consumers somewhere where they will “encounter it at or before the point of collection,” and, as an example, for online notices states that businesses “may post a conspicuous link to the notice on the introductory page of the business’s website.” No banner, however, is required under the regulations. Similarly, a “cookie banner” is not specifically required under the regulations, but this does not eliminate the need for a business to inform consumers if cookies are collecting information as part of its collection practices.
- The revised regulations add the language “materially different” to clarify the requirement for when a business needs to notify a consumer about and obtain consent for a new intended use of previously collected personal information. This is a helpful change, as previously the regulations seemed to require such a notice and consent when there was any different use of personal information.
- The regulations no longer require a specific logo/opt-out button for “opt-outs” to the sale of information, only a link to a webform as one of the methods.
- The regulations made a clarification to the right to delete notice. The language of the regulations was revised to state that a privacy notice must “explain that the consumer has a right to request the deletion of their personal information collected or maintained by the business.” The deleted “maintained” language could be important, as it appears to limit the right of deletion to only information collected by the business.
- If a business is unable to calculate a good-faith estimate of the value of consumer’s data, or price or service difference is reasonably related to the value of the consumer’s data, it may not offer a financial incentive or price or service difference in exchange for consumers providing their personal information.
Enforcement by the Attorney General
Attorney General Becerra has indicated that the COVID-19 crisis will not slow down his efforts to enforce the CCPA. Despite the current uncertainty regarding the effective date of the final regulation, the Attorney General has reiterated that his office remains committed to commencing enforcement on July 1, 2020, rejecting a request from coalition of various businesses to consider an additional six-month enforcement delay to January 2, 2021, due to coronavirus disruptions. Indeed, Becerra emphasized that consumers should be aware of their privacy rights, and how they may be impacted, and that businesses should be mindful of data security during the pandemic.
From the Attorney General’s public comments, moreover, his office has not eliminated the possibility of retroactive enforcement for violations that occurred during the first six months of the year since the CCPA went into effect on January 1, 2020. Although, in some relief, it seems any retroactive enforcement would focus on companies that handle large amounts of sensitive consumer and critical data and/or the treatment of children’s data.
Despite the complete lack of clarity regarding the regulations and enforcement, businesses subject to the CCPA should consider updating their privacy program with these proposed final regulations in mind, if necessary, even while they are pending OAL review and approval, since a violation of the law authorizes the Attorney General to seek civil penalties up to $7500 per violation.
Contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate the very complex regulations of the CCPA and ensure your business is ready and CCPA-compliant. If your business is faced with a lawsuit or regulatory enforcement under the CCPA, AALRR has a team of data privacy litigators well-versed in the CCPA and related law ready to step in and defend you