California AG Drops Highly Anticipated First Draft Of CCPA Implementation Regs

Hey, CCPA-heads, the moment you’ve been waiting months for has arrived.

The California attorney general’s office on Thursday published the first draft of its implementation regulations for the California Consumer Privacy Act. [Click here to read the full text.]

The purpose of the regulations is to operationalize the law and provide practical guidance. It’s the sort of info that businesses need to comply with the law, and that the AG is required to provide prior to enforcement.

And California AG Xavier Becerra seems fairly eager to enforce. “Our personal data is what powers today’s data-driven economy and the wealth it generates,” he said in a statement about the regulations. “It’s time we had control over the use of our personal data – that includes keeping it private.”

Defining terms

The regulations start off with a list of clarifying definitions.

“Household,” for example, is a person or group of people occupying a single dwelling, which clears up confusion as to whether roommates are included in the notion of a household. “Third parties” are defined incredibly broadly as entities that don’t collect personal information from consumers directly. That includes, but is not limited to, ad networks, internet service providers, data analytics providers, operating systems and platforms, social networks, consumer data resellers and government entities.

The CCPA makes a distinction between third parties and service providers, which are defined similarly to data processors under Europe’s General Data Protection Regulation. The transfer of personal information to a third party always counts as a sale according to CCPA, but that isn’t necessarily always the case for service providers.

As long as there’s a contract between the business and the service provider that the service provider sticks to – and the terms of the contract don’t contravene the law – the service provider doesn’t have to deal with data access and deletion requests. That’s the contracting business’s responsibility. Think life insurance companies or law firms. (That’s a reminder to call your lawyer. The CCPA goes into effect in less than three months.)

All in all, it sounds a little less onerous to be classified as a service provider, and ad tech companies, ISPs and seemingly Facebook appear to be out of luck on that front.

Also noteworthy is the fact that the AG’s regulations don’t provide a more specific definition of the word “sell.” The main tenet of CCPA is that consumers have the right to opt out of the sale of their personal information.

Under the law, the word sale is still broadly defined as “selling, renting, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or third party for monetary or other valuable consideration.”

In a statement, the Interactive Advertising Bureau expressed apprehension that the regulations don’t go far enough in clearing up remaining ambiguities in the law.

“We have initial concerns that further remedy of some of the unintended consequences of CCPA is still needed to help businesses meet their obligations and to empower Californians with more control over their information,” said Dave Grimaldi, EVP for public policy at the IAB.

The AG’s advice

The regulations also get into the weeds on procedures across the following key areas:

How to provide notice

Under the law, businesses are required to notify consumers, either at or before the time of collection, what categories of personal data will be collected and how the data will be used. According to the AG, notices have to use plain, straightforward language, avoid technical or legal jargon and be clearly visible and readable, even on small screens.

Clear opt-out

Businesses that sell personal information need to include a button on their homepage titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” that links to the notice. The button also must appear on any webpage where personal information is collected, while apps need to include the link on their download page.

The AG’s office is planning to share a proposed version of what the opt-out button should actually look like in a modified version of the regulations coming soon.

What needs to be in a privacy policy

Beyond the button, the regulations also lay out what makes a privacy policy kosher under CCPA, which includes clearly written information on a consumer’s rights under the law, a list of what personal information the business has collected about consumers in the preceding 12 months and disclosures on whether that info is being sold.

Verification and handling customer data

Rounding out the regulations is advice on how to verify that the particular consumer making a request is actually the individual in question and not an imposter, and recommendations for how to process the requests themselves.

Businesses, for example, should use a two-step process for online deletion requests in which consumers must separately confirm that they really do want their data deleted. Companies can comply with deletion requests by “permanently and completely” erasing the personal information on their existing systems, by de-identifying the data or by aggregating it so that it’s no longer identifiable to an individual.

Coming up next

The release of the first draft of the regs kicks off a nearly 60-day public comment period that ends Dec. 6. The AG’s office is also holding four public hearings to collect comments on its guidance in early December in Sacramento, Los Angeles, San Francisco and Fresno.

The law requires that the AG’s office promulgate and adopt finalized implementation regulations for the CCPA by July 1, 2020.

Separately, California Governor Gavin Newsom has until Oct. 13 to sign a handful of remaining amendments to the CCPA, including bills to exempt employee data and aggregate consumer information from the law.
