California Attorney General Xavier Becerra’s Oct. 10 release of proposed regulations gives much needed clarity on some of the ambiguities found in the California Consumer Privacy Act (CCPA). But some of the draft regulations create requirements not found in the text of the statute. With the AG as the principal enforcer of the regulations, businesses subject to the CCPA may find themselves in a compliance quandary.
Should businesses operationalize compliance with the regulations as drafted or wait until they are finalized? And if provisions that arguably exceed the scope of the CCPA are nevertheless finalized, do businesses hedge their bets by disregarding them in anticipation of a favorable court ruling?
For those considering whether to walk the tightrope between draft and final or final and upheld, here’s closer look at a few of the allegedly ultra vires provisions to help privacy professionals assess their comfort level with compliance acrobatics.
The CCPA requires businesses to inform consumers, at or before the point of collection, not only the categories of personal information to be collected, but also the purposes for which the categories of personal information shall be used. Cal. Civ. Code § 1798.100(b). Fair enough.
And the CCPA prohibits a business from using personal information for additional purposes “without providing the consumer with notice consistent with this section.” Arguably, the only the requirements “consistent with this section” stipulate a notice that (1) identifies the categories, (2) identifies the purposes, and (3) is provided at or before the point of collection.
The draft regulation, however, adds a new element. It says that a business must obtain “explicit consent” from the consumer if the business wants to use the information for a new purpose. 11 CCR § 999.305(a)(3).
Section 1798.100 clearly does not contain a consent requirement, much less an “explicit consent” requirement. Indeed, looking at the statute as a whole, the CCPA discusses consent only in the context of selling the personal information of a minor, Cal. Civ. Code § 1798.120(d), and in the context of a financial incentive program, Cal. Civ. Code § 1798.125(b)(3).
Not only does § 999.305’s “explicit consent” requirement apparently go beyond the scope of the CCPA, but it also fails to explain how “explicit consent” is to be obtained. Whereas the parental consent requirements for the sale of minors’ personal information is set forth in great detail—“a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan”—the draft regulations provide no guidance on how consent should be obtained in the point-of-collection context.
The proposed regulations rightfully recognize that some businesses do not collect information directly from consumers and therefore are not in a position to provide notice at or before the point of collection.
Rather than exempt such businesses from point-of-collection requirements, however, the draft regulations create a new obligation. Businesses that wish to use personal information collected by others must ensure that consumers were given appropriate notice at the time of collection.
How must they do that? By either (1) contacting consumers directly, or (2) obtaining a “signed attestation” from the source of the information that consumers were properly notified. 11 CCR § 999.305(d). The regulation also requires businesses to retain signed attestations for two years and make them available to consumers “upon request.”
So a business that currently lacks direct contact with consumers must now either generate direct contact (to ensure that the original data collector complied with the CCPA) or anticipate direct contact (in case a consumer wants proof that the original data collector complied with the CCPA).
“User-Enabled Privacy Controls”
One of the principal features of the CCPA is the right of consumers to opt out of the sale of their personal information. And to facilitate that opt-out right, the CCPA requires businesses to provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information,” which must link to a web page the enables a consumer to exercise that right. Cal. Civ. Code § 1798.135.
The draft regulations, however, authorize ways to opt-out other than through the use of a specific web page. In particular, the regulations recognize the use of “user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information.” 11 CCR § 999.315(a).
So now businesses are obliged to detect “do not track” (DNT) signals in addition to whatever interface they have established on their “do not sell” pages. Where is that required in the statute?
Moreover, regardless of the method by which customers convey their request to opt out, the draft regulations require a business to (1) notify all third parties to whom it has sold the personal information of the consumer within 90 days prior to the business’s receipt of the opt-out, (2) instruct them not to further sell the information, and (3) notify the consumer when this has been completed. 11 CCR § 999.315(f).
While the CCPA does authorize the Attorney General to establish rules governing “business compliance with a consumer’s opt-out request,” Cal. Civ. Code § 1798.185(a)(4)(B), it is arguable that such stringent requirements are not reasonably necessary to effectuate the purpose of the CCPA.
“Compile … Metrics”
The proposed regs also greatly expand recordkeeping obligations, especially for businesses that buy or receive the personal information of more than 4 million consumers. 11 CCR § 999.317(g) requires those businesses to compile and publish metrics setting forth not only the number and type of consumer requests for the preceding calendar year, but also the number of days it took to respond to each of those requests.
One can only speculate that the AG would claim that the metrics recordkeeping requirement falls under his catchall authority to “adopt additional regulations as necessary to further the purposes of this title.” Cal. Civ. Code § 1798.185(b). But are such metrics “necessary”?
Undoubtedly, objections will be raised during the comment period and court challenges will follow, but businesses need to determine now which actions to take in order to satisfy their compliance comfort level.
Taking a cue from the CCPA itself might not be a bad place to start. Business should at the very least employ efforts “necessary to further the purposes of this title.” And to the extent any of the questionable regulations are not “necessary” to further the purposes of statute, businesses may reasonably choose to devote resources elsewhere.