Last week the state of California released the “final” set of regulations that round out the California Consumer Privacy Act, six months after it went into effect. These new regulations provide much better context around several key aspects of how the Act should be interpreted and how businesses can best comply. However, the new details do not address all outstanding areas and create some new questions. While these regulations are “final” it is best to think of them as an evolving set of regulations that will probably see some additional clarification by year’s end.
Why year’s end? Three reasons. First, there has been no shortage of changes to CCPA so far, so why stop now? Second, pending lawsuits could require additional clarifications. Finally, CCPA was created in part to keep more restrictive data privacy legislation off the ballot. However, since CCPA took effect, data privacy advocates have collected more than the required number of signatures to get the more restrictive California Privacy Rights Act (“CPRA”) on the November 2020 ballot, so there may be changes in an effort to keep it off the ballot. Polling also shows 88% of California voters would vote for this initiative, so support is high. In the meantime, here are the highlights from the newly released regulations.
What Got Cleared Up?
– Businesses with existing login procedures can use that infrastructure, often in the form of a Preference Center, to meet this requirement.
– The channels a business uses to fulfill rights requests should be logically tied to their business model, reducing the burden to add channels that were not previously used by the business.
– Not all personal information is to be shared even when requested. For data points such as social security number, driver’s license number, passwords, security questions, etc., businesses should only state that they have this information on file, but not provide the actual contents.
– The inconsistencies in the rights execution timeline were clarified. The maximum number of days to respond, including the extension period, was confirmed at 90 days.
– Requests for access and deletion need identity verification, but a request to opt out of data sales does not.
– For the identity verification process, businesses may use a two-step process or use existing password protected logins.
– A tiered process is recommended so that access to more sensitive information is subject to a more stringent level of identity verification.
– Guidelines for identity verification of authorized agents are outlined, as are restrictions on the agents.
– Any data collected prior to the time when consumers were notified of their right to opt-out of the selling of their personal data cannot be sold until they give “affirmative authorization”.
– One of the unexplained issues with GDPR was how to prove you complied with a request for erasure if a business truly erased everything. Under the new CCPA regulations, businesses should maintain a record of the request for audit purposes and to delete any additional occurrences such as in archived data.
True to form, CCPA is a “two steps forward, one step back” piece of legislation. While in the vein of improving data privacy and empowering consumers, the additional complexities outlined in the new CCPA regulations are a departure from existing GDPR processes and will place additional burdens on businesses.
– Rejected Deletion Requests: In cases where the request to delete the data is rejected, businesses are required to delete any personal data that is not subject to the reason the request was rejected. Additionally, when rejecting a request, businesses must remind consumers of their right to opt out of the sale of their data. To execute these requirements, businesses will need to think through their data strategy and data classification schemas, create deletion request and rejection classifications and automation processes, and build in more manual overrides than previously thought.
– Price Discrimination: Four examples were provided demonstrating when price discrimination is, and is not, permissible. Avoiding price discrimination violations will require each business to conduct an analytical exercise to determine what the reasonable value of a consumer’s data is. Businesses will also need to reconsider their offer strategies to focus on incentives that are tied to maintaining data instead of generic offer strategies that do not require a business to maintain consumer data in order to fulfill the incentive.
– Householding Definition: CCPA households are not households as marketers normally think of them. Based on CCPA’s definition, they must share a group account number and share a common device or service. Luckily, the process for rights execution at the household level is such a pain that businesses are not likely to see very many requests, as it requires all household members to request deletion and be verified.
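To make three of the points above concrete for the engineers who have to build them, here is an added example (it is not code from the original post or from any vendor): an access-response builder that acknowledges sensitive data points as “on file” without returning their contents, and a deletion handler that purges archived copies, keeps an audit record of the request that holds no personal data, and, for a partially rejected request, deletes everything except the fields the rejection covers while returning the required opt-out reminder. The field names, the store layout, the hashed audit key and the sample consumer record are all constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date

# Data points the regulations say a business should acknowledge as held but
# never return verbatim in an access response (field names are assumed).
SENSITIVE_FIELDS = {"ssn", "drivers_license", "password", "security_answers"}


@dataclass
class ConsumerStore:
    """Constructed stand-in for a business's primary and archive data stores."""
    primary: dict = field(default_factory=dict)      # consumer_id -> record
    archive: dict = field(default_factory=dict)      # consumer_id -> [record copies]
    request_log: list = field(default_factory=list)  # audit trail, holds no PII


def build_access_response(store, consumer_id):
    """Return the consumer's data, replacing sensitive fields with 'on file'."""
    record = store.primary.get(consumer_id)
    if record is None:
        return None
    return {k: ("on file" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def log_key(consumer_id):
    # Design choice (assumed): hash the identifier so the audit record can be
    # matched against later occurrences, e.g. a restored backup, without the
    # log itself retaining the consumer's identity.
    return hashlib.sha256(consumer_id.encode()).hexdigest()


def _strip(record, exempt_fields):
    """Keep only the fields covered by the rejection reason; all else is deleted."""
    return {k: v for k, v in record.items() if k in exempt_fields}


def process_deletion(store, consumer_id, request_id, today=None,
                     exempt_fields=frozenset(), rejection_reason=None):
    """Delete the consumer's data from primary and archived copies.

    A fully honored request removes every copy. A partially rejected request
    still deletes everything not covered by the rejection reason, and the
    response carries the opt-out reminder the regulations require.
    """
    today = today or date.today()
    copies_touched = 0
    if consumer_id in store.primary:
        kept = _strip(store.primary[consumer_id], exempt_fields)
        if kept:
            store.primary[consumer_id] = kept
        else:
            del store.primary[consumer_id]
        copies_touched += 1
    kept_copies = []
    for archived in store.archive.pop(consumer_id, []):
        copies_touched += 1
        kept = _strip(archived, exempt_fields)
        if kept:
            kept_copies.append(kept)
    if kept_copies:
        store.archive[consumer_id] = kept_copies
    # Audit record of the request: enough to prove compliance and to catch any
    # additional occurrences later, but no personal data of its own.
    store.request_log.append({
        "request_id": request_id,
        "consumer_key": log_key(consumer_id),
        "date": today.isoformat(),
        "copies_touched": copies_touched,
        "fields_retained": sorted(exempt_fields),
        "rejection_reason": rejection_reason,
    })
    result = {"request_id": request_id, "copies_touched": copies_touched,
              "fields_retained": sorted(exempt_fields)}
    if rejection_reason:
        result["notice"] = (
            "Part of your request was not honored: %s. You retain the right to "
            "opt out of the sale of your personal information." % rejection_reason)
    return result


def sample_store():
    """Constructed sample data: one consumer, one primary record, two archived copies."""
    store = ConsumerStore()
    store.primary["c-1001"] = {"email": "pat@example.com", "ssn": "000-00-0000",
                               "drivers_license": "D0000000",
                               "order_history": ["order-1", "order-2"]}
    store.archive["c-1001"] = [dict(store.primary["c-1001"]) for _ in range(2)]
    return store
```

The exemption is applied to archived copies as well as the primary record, which is the part most businesses miss: a rejection that covers, say, transaction records does not license keeping the consumer's full profile in backups.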
While the newly released regulations provide greater clarity on CCPA, additional refinements are expected as courts interpret the law and as additional changes are made to CCPA which will trickle down to the associated regulations. With national U.S. legislation stuck in early phases, and this being an election year, CCPA is likely to maintain its status as the benchmark for U.S. data privacy well into 2021.