All impacted businesses should consider sending comments on the draft proposed regulations implementing California’s new privacy act, Troutman Sanders attorneys say. They offer their top five reasons—including burdensome notice requirements—and note that some provisions will likely be impossible to comply with.
On Oct. 10, the California attorney general released a draft of proposed regulations implementing the California Consumer Privacy Act and is calling on all interested parties to submit comments at the scheduled public hearings, by mail, or by email by Dec. 6.
There are many reasons why all businesses, industries, and impacted parties should consider submitting comments. Below are our top five.
New Explicit Consent Requirements for Changes to ‘Just-in-Time’ Notices
Section 999.305(a) of the draft regulations provides that a business cannot use a consumer’s personal information for any purpose other than those disclosed in the notice at collection (referring to Section 1798.100(b)’s “just-in-time” notice requirements).
If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed in the notice, the draft regulations require the business to “directly notify the consumer of [the] new use and obtain explicit consent from the consumer to use it for [the] new purpose.”
Practically, this requirement will likely incentivize businesses to adopt broad just-in-time notices that list all possible uses of personal information, regardless of whether such use is ever put into practice.
It is also likely that these broad notices will converge on a common form, because a business that drafts a more customized, practical notice exposes itself to competitive and other pressure, including the need to go back to consumers for “explicit consent” whenever a new use arises. Boilerplate notices of that kind defeat the purpose of providing notice in the first place, i.e., giving consumers a meaningful understanding of how their personal information is used, and undermine the goals and intent of the CCPA.
More Detailed Privacy Policy Requirements Would Worsen Notice Fatigue
With respect to consumer-facing privacy policies, the draft regulations arguably would require businesses to provide more detailed privacy policies, including more detailed than currently required by the CCPA itself.
As currently drafted, Section 999.308(b)(1)(d) requires businesses to provide certain information “for each category of personal information collected,” including the sources from which that personal information was collected and the business or commercial purpose(s) for which the information was collected.
Such a detailed notice would only worsen consumers’ privacy policy fatigue and heighten the likelihood of causing conflicts with the requirements that notices be “in a format that makes the policy readable.”
New ‘Just-in-Time’ Notice Requirements
Section 999.305(d) of the draft regulations provides that businesses that do not collect information directly from consumers would not need to provide just-in-time notices “before or at the point of collection.”
However, before these businesses can sell consumers’ personal information, they must either:
- contact the consumer directly to provide certain notices; or
- contact the source of the personal information to: (a) confirm the source provided the just-in-time notice and (b) obtain a signed attestation from the source describing how the source gave the notice at collection and including an example of the notice.
Businesses would be further required to make the attestation available to consumers upon request for at least two years.
This clarification attempts to resolve a key concern for many businesses, namely how a business can provide consumers with notice “before or at the point of collection” if the business does not maintain a direct relationship with the consumers. While the clarification is likely welcomed by many organizations, the draft regulations create other compliance concerns.
For example, with respect to the signed-attestation requirement, businesses will need to consider how they will obtain an “example of the notice” provided by the source to the consumer. The most likely scenario is that a business would require its source in the applicable contract to:
- represent and warrant that the source has complied with the CCPA’s just-in-time notice requirements; and
- attach an example of the notice.
However, because a business must make the attestation available to consumers upon request, such language should likely not be buried within the contract. Instead, businesses may want to include such language in a separate exhibit, which can be made available to consumers upon request and updated as needed.
Requires Businesses to Respond to All Consumer Requests
The CCPA requires businesses to designate certain methods to submit CCPA requests. Pursuant to the draft regulations, businesses would be required to respond to consumer requests no matter how such requests are submitted.
From a practical perspective, this requirement is extremely problematic because it is practically unmanageable. If there is any hope of complying with it, compliance will begin with proper training of all employees who might receive a consumer request, regardless of their level or function.
Even then, however, keeping track and responding to requests submitted through any possible method will create a tremendous compliance obstacle for businesses seeking to comply. Ensuring that all such requests are properly handled is likely impossible.
Verification Procedures Vary Based on Type, Sensitivity, Value of Information Requested
As if businesses were not struggling enough to determine appropriate consumer verification methods, the draft regulations contemplate implementing verification methods depending on the “type, sensitivity, and value” of the personal information at issue.
For example, for information that is more likely to pose a risk of harm if disclosed to an unauthorized individual, the verification processes would be required to be more stringent.
Likewise, for requests to know “specific pieces of personal information,” businesses would be required to verify the identity of the consumer to a reasonably high degree of certainty, a higher bar than for requests to know “categories of personal information,” which would require only a reasonable degree of certainty.
From a practical perspective, one uniform verification process for all consumer requests would no longer be viable under the CCPA. Businesses may be forced to review each request individually to determine what level of verification it requires, creating a moving target that will likely be resolved only through subjective enforcement.
The deadline to submit comments is Dec. 6 at 5:00 p.m. (PST). Although the AG has not specified when the final regulations will be promulgated, the AG is not allowed to bring an enforcement action until six months after the final regulations are issued or July 1, 2020, whichever is sooner.
Given the time it took to issue the first draft of the regulations, it seems more likely that July 1, 2020, will be the enforcement date.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Author Information
Ron Raether leads the Cybersecurity, Information Governance and Privacy practice group at Troutman Sanders, and is a partner in the firm’s Financial Services Litigation group. He is known as the interpreter between businesses and information technology, and has assisted companies in navigating federal and state privacy laws for over 20 years.
Sadia Mirza, an attorney at Troutman Sanders LLP, focuses her practice on cybersecurity and privacy issues and compliance across the financial services industry. She is a knowledgeable transactional counsel with experience in-house, positioning her to interact effectively with business, compliance, legal and information security departments.