Overview of the CCPA Regulations
On June 2nd, 2020, California Attorney General Xavier Becerra submitted the final proposed regulations for the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The regulations are expected to be approved and become enforceable sometime between July 1st and October 1st.
Executive Summary
The executive summary is this: businesses must consult the CCPA Regulations, because they are quite prescriptive about a business's obligations regarding notices, how to handle consumer requests to access, delete, or opt out of sales, and how to verify consumer requests. Businesses should literally print out the regulations and give them to the teams responsible for the website (e.g. to update the privacy policy and the notices given at the point where information is collected, and to add a link that lets consumers opt out of the sale of their personal information); to the customer support and marketing teams, who will likely handle consumer requests; and lastly to the security teams, who need to design a safe and secure way to verify consumer requests so that an attacker cannot impersonate a consumer and steal or delete that consumer's personal data. All of this should be coordinated and led by the business's privacy head (aka data protection officer), with significant input and review from the legal department.
In this blog post I will give an overview of the Regulations, and then in subsequent posts drill down in more detail on these key Articles of the CCPA Regulations that I referenced above: Notices to Consumers, the Business Practices for Handling Consumer Requests and the Verification of Requests. If you want to read the source material, here is a link to the CCPA regulations and here is a link to the CCPA law itself.
So Why Even Have Regulations and not just Reference the Law Itself?
The question above may immediately jump out: why can’t the law itself be the “sole source” for CCPA compliance? The California State Legislature believed that, given “changes in technology, data collection practices, obstacles to implementation, and privacy concerns,” a more dynamic set of rules was needed. So they inserted Section (aka "§") 1798.185 into the CCPA, which instructed the Attorney General (AG) to “solicit broad public participation and adopt regulations to further the purposes of this title” and to do so before July 1, 2020. This public feedback process kicked off in December of 2019, with final comments solicited at the end of March 2020, culminating in the final proposed Regulations that should be enforceable in the very near future.
What the CCPA Law Called for Regulation-Wise
§ 1798.185 in the CCPA calls for the AG to create Regulations “including, but not limited to, the following areas”:
Update and enhance the definitions of “personal information,” “unique identifier,” “designated methods” and the revenue size of a “business”
Further specify any exceptions re: state and federal laws
Provide rules and procedures that businesses must follow regarding consumers’ opt-out requests; the placement of a button and homepage link that lets a consumer exercise their right to “Do Not Sell” their personal information; privacy and rights notices; financial incentive offerings; how authorized third parties can represent a consumer with regard to their rights; and how to verify consumer requests to access and/or delete their personal information.
So, the executive summary is that the CCPA calls for the AG to create Regulations to better define four terms, specify any additional exceptions due to state/federal law, and provide rules in eight areas of CCPA enforcement that businesses must follow. The table below breaks these down in detail.
The CCPA Regulations
So, what in the end did the AG come up with, based on “public participation,” in terms of CCPA Regulations? They are grouped into seven articles:
Article 1 — General Provisions that give an overview of the scope of the regulations, as well as new and enhanced definitions of key terms referenced in the CCPA and its regulations.
Article 2 — spells out the four Notices to Consumers that must be provided by businesses to consumers: (a) notice at collection of personal information; (b) notice of right to opt-out of sales of personal information; (c) notice of financial incentive (i.e. program or benefit that could include payment to consumers when personal information is collected or sold); and (d) the privacy policy.
Article 3 — spells out the Business Practices for Handling Consumer Requests including (a) supported methods for consumers to submit requests to know and requests to delete; (b) how businesses should respond to these requests; (c) how service providers should respond; (d) how to respond to opt-out and opt-in requests; (e) what training and record keeping should occur to track these requests; and (f) how to respond to requests to access or delete household information.
Article 4 — discusses the regulations regarding Verification of Requests from consumers including (a) general rules; (b) how to verify consumers who have password-protected accounts with the business; (c) how to verify consumers who don’t have an online account; and (d) how to work with authorized agents who represent consumers in their requests to know/delete/opt-out etc.
Article 5 — provides Special Rules Regarding Minors including a section on notices to minors under 16 years of age.
Article 6 — rules regarding a consumer's right to Non-Discrimination, with specific discussion of discriminatory practices and how to calculate the value of consumer data (e.g. when it comes to financial incentive programs).
Article 7 — the Severability section that says if any part of the regulation is found to be unconstitutional or becomes inoperative, such a decision shall not affect the validity of the remaining portion of these regulations.
Below is a detailed table that breaks down each section of the Regulations by Article.
Did the CCPA Regulations Meet what the CCPA Called for Regulation-Wise?
Finally, let’s map what the law itself in § 1798.185 said should be in the CCPA Regulations against what ended up in the actual final regs. Here is a table that shows the mapping.
[One bit of trivia: the Regulations forgo the "opt-out logo or button" entirely. We will cover the Notices in more detail in a separate blog post.]
Interestingly, the California AG office decided to take advantage of the “including, but not limited to” language and added some regulations that were not called out by the law itself. They are:
So that’s a 30,000-foot view of the CCPA regulations. In my next three blog posts, I will drill down into the sections on the Notices to Consumers, the Business Practices for Handling Consumer Requests and the Verification of Requests respectively.