On the 2nd of June, an announcement that we’re all waiting for has already been released. California Attorney General (AG) Xavier Becerra confirmed that he had submitted, finally, to the Office of Administrative Law (OAL) the final CCPA regulations package. OAL has 30 working days to review this package, and an additional 60 calendar days due to the current pandemic, provided under Exec. Order N-40-20. The final text must be reviewed if in compliance with the 1946 Administrative Procedure Act. Once the OAL approved it, the final regulations will be submitted with the SS (Secretary of State) and, by then, enforced to everyone by law. So, what are the updates?
Essentially the Same
The final proposed regulations are basically identical to the prior document, Second Modified Regulations, published by the AG on the 27th of March. Additionally, the AG released a Final Statement of Reasons (FSR) that outlines the modifications between the first draft released by February 2020 and the Final Text. The FSR also includes Appendices that have all the responses made by the AG to each comment received publicly during the process of rulemaking.
Despite this, businesses and consumers must still be informed of the latest updates of CCPA, to avoid any chance of failure in compliance. Below, you will see some of the essential provisions of the Final Text. These provisions will impose further demands or requirements on organizations (businesses, third-party service providers, data brokers), consequently pushing them to revisit the processes they created, or possibly create new ones. The demands of the CCPA are in no way easy, but the AG maintains that compliance with the regulations would not be overly difficult or result in restraining businesses or suppression of innovation. The regulations, the AG believes, are not oppressively burdensome, and implementing them is not impractical.
Updates for Businesses
Annual Disclosure of Request Statistics:
The Final Regulations require businesses or organizations that sell, purchase, receive, and disclose consumer information of California residents equal to or more than 10 million for business purposes during the calendar year to disclose by the 1st of July, 2021, the following, on the basis of data collected since the Regulations have come into effect:
- The complete number “request to know” or disclosure requests that a business received. That includes requests complied with wholly, partly, and denied;
- The complete number “request to delete” or deletion requests that a business received. That includes requests complied with wholly, partly, and denied;
- The complete number “request to opt-out” of selling the consumer’s information that a business received. That includes requests complied with wholly, partly, and denied; and
- The average response time in days in which a business typically responded to all types of requests.
A business or organization may compile this personal information and disclose for all their consumers, but an organization must have the ability to provide statistical data on Californian consumers to the AG upon request.
Global Privacy Controls:
Businesses must provide a method for the consumers to opt-out of the selling of their personal information that is readily available for consumers and easy to understand and navigate. If there is a conflict between the global privacy control and the consumer’s existing privacy setting within their business (business-specific), the business shall honor the global privacy control, but may communicate the conflict to the consumer and provide the option to confirm the privacy setting within their business. Furthermore, the AG’s response to comments about “do-not-track” settings was clear and considerate. The AG maintains that the CCPA is technology-neutral, meaning that the regulations have no prescribed technological method or mechanism in facilitating privacy controls. This promotes innovation in serving the consumers their inalienable right to opt-out. The regulations encourage technological leaders and entities to innovate and develop solutions to create an environment where the submission of consumer requests is easily accessible and understood.
According to the Final Statement of Reasons (FSOR), the obligation to comply with user-enabled privacy controls is necessary to prevent organizations from ignoring or undermining the tools of consumers to exercise their CCPA rights. In support of this argument, the FSOR states that the AG has reviewed organizations’ disclosures about how they respond to “do-not-track” signals, which the CalOPPA required. After the review, the AG concluded that organizations are very likely to disregard or even reject the user’s global privacy controls if the regulation allows them to act in their discretion.
Also, the Final Text clarifies that verification of consumers is not needed in requests to opt-out. But, if in good faith, an organization has a reasonable belief that an opt-out request is fraudulent, the organization may not comply with the request. The organization must inform or notify the requestor that the request is denied and the reason why the organization believes the opt-out request is fake or fraudulent.
Businesses may offer consumers “financial incentives” in exchange for collecting, selling, or deleting the consumers’ personal information, provided that businesses must first obtain the consumers’ consent to opt-in. The statute maintains that financial incentives must be proven as “directly related” or reasonably proportionate to the actual value provided to the company or business by the consumer’s personal information. Also, the notice of financial incentives, as regulations mandate, must provide, among other details:
- The incentive, its nature, and terms;
- Instruction as to how consumers may opt-out after accepting the incentive;
- A clear explanation as to how the incentive is directly or reasonably proportionate to the value the consumers’ information provides to the business, an estimate of the consumers’ information value (in good faith), and how the business calculated the value.
(However, the AG expressed that the requirement to disclose how the value was calculated does not include privileged information as to why a specific method was chosen.) The regulations also provide some examples of calculating financial incentives. The Final Text also clarifies that if the financial incentive is not related to collecting, selling, or deleting personal information (for example, a store’s “soft-opening” sale), then the beforementioned requirements do not apply.
Updates for Service Providers
The Final Text requires that the use of personal information by service providers (SP), which they receive from businesses, is for processing or maintaining personal information on behalf of the entity or business while honoring the written contract or agreement for CCPA’s required services. There are very few exceptions, such as building or updating the quality of services. It is noteworthy that those internal uses exclude the use of personal information for SP’s own business purposes, including building or modifying consumer profiles, or augmenting data obtained from another source.
Concerning the topic of matching, the FSOR emphasizes that the Final Text’s usage of the term “data” (in contrast to personal information) in subsection (c)(3) is intentional. The goal is to include the use of personal information obtained from a business for the purpose of re-identifying de-identified personal information acquired from another source.
Advertising of Service Providers:
Some comments ask the AG to codify regulations to prohibit service providers (SP) from using the personal information of consumers for purposes other than the services they are to provide that are indicated in the contract. In other words, SPs are only allowed to use, retain, and disclose personal information within the agreed services to be provided directly to the business they have a contract with. The AG clarified that the CCPA allows service providers to show ads to consumers on any website on behalf of the business who collected the personal information of the same consumers.
No Specified Contract Language:
The AG also explained that there is no mandatory, or even suggested, contract language that should appear in contracts or agreements with SPs, provided that both parties comply with the CCPA and its regulations.
Of Collecting Personal Information:
The Final Text and FSOR state that the status of being a “service provider” will not be lost from SPs merely for the reason that they collect personal information, provided that that collection is directed by and on behalf of the business. Furthermore, the AG also specified that the regulations do not explicitly prohibit SPs from combining consumer’s personal information acquired from multiple sources if such combination does not contradict or stay consistent with a commercial purpose and within the context of a contract. However, the AG warned that it shouldn’t be exploited and contradict the intention of the CCPA.
Of Subcontractors as Service Providers:
The Final Text states that SPs may employ subcontractors, as long as all the requirements will be met by the subcontractors for a “service provider” indicated in the California Consumer Privacy Act and its Regulations.
Contrasting Service Providers and Third Parties:
The AG responded to some comments that seek clarification of the terms “service provider” and “third party.” But the AG explained that a change in the regulations in this regard is unnecessary because the two different definitions are serving different purposes, albeit related.
Response to Requests to Know, Delete, Opt-Out:
SPs, whenever they receive a request to know or request to delete from a consumer, may respond to the request on behalf of the business or may inform the requestor that no actions will be taken since the request was sent to the SP, instead of the business the consumer has a direct relationship. But when SPs receive a request to opt-out from consumers, the AG maintains that SPs are not allowed to sell the requestor’s personal information.
Updates for Third Parties
Notice at Collection:
Third parties or data brokers must notify the consumers of their privacy practices if:
- Third parties or data brokers will sell the consumers’ personal information; and
- The collected information was not acquired directly from the consumers.
Format of Notice at Collection:
Regarding the “notice at collection,” whether to use cookie banners or other formats is left for the businesses to determine. No specific format was mandated or required as long as the notice is readily available at the point of (or before) the collection of the consumer’s information. The Final Text also provides illustrative examples for the most common business format.
The next and best step for businesses now is to revisit the regulations in its entirety, evaluate what actions or changes are needed to be made, and make sure that all requirements are complied with. Businesses must also take note of requirements that are left to businesses’ discretion. Attention to this point ensures that a company will not abuse the provision, and also provides a possible benefit in harnessing that provision.