Data Protection

CCPA In-Depth Series: Draft Attorney General Regulations on Verification, Children’s Privacy and Non-Discrimination

By ALAN CHARLES RAULCOLLEEN THERESA BROWNCHRISTOPHER FONZONE AND SHERI PORATH ROCKWELL

This post is the third in a three part series taking a deep dive into the five key articles of the Attorney General’s CCPA draft regulations: Article 2 on Notice to Consumers; Article 3 on Business Practices for Handling Consumer Requests; Article 4 on Verification of Requests; Article 5 on Special Rules Regarding Minors; and Article 6 on Non-Discrimination. Today we look at verification, children’s privacy and the non-discrimination provisions. Visit the CCPA Monitor for a collection of all our CCPA insights.

INTRO AND BACKGROUND. In the summer of 2018, the California Legislature drafted and passed the California Consumer Privacy Act (CCPA) in record time. Facing a procedural deadline for a ballot initiative, the Legislature acted with dispatch, as it did not want to add to the State Constitution, with its super-majority amendment requirements, many of the provisions that ultimately found their way into the CCPA. This abbreviated legislative process produced a bill with numerous gaps and anomalies, however. Businesses, consumer advocates, and privacy watchers have thus been eagerly waiting for over a year for the Attorney General to propose the regulations the CCPA requires him to promulgate.

On October 10, 2019, this wait finally ended. As laid out below, the nature and breadth of the Attorney General’s proposed regulations explain why they took so long to produce. Put simply, the proposed regulations are significant and will have substantial implications on businesses’ ongoing efforts to comply with the CCPA with less than three months left to go before the effective date. Indeed, even if they do not resolve all of the Law’s many ambiguities, they do provide helpful implementation guidance – along with surprising new requirements, some of which may questionably extend beyond the CCPA itself.

HIGHLIGHTS. The Attorney General’s proposed regulations are thick with important provisions, and businesses should study the full regulations carefully. Nonetheless, before delving into a detailed analysis of certain aspects of the regulations, this alert highlights several key aspects of the Attorney General’s proposal, including that the regulations:

  • Provide detailed guidance on the major disclosures required by the CCPA, including notices “at or before the point of collection,” notices regarding consumers’ right to opt-out of the sale of personal information and be free from discrimination for exercising their privacy rights, and updated privacy policies.
  • Of particular note, the regulations clarify that businesses generally do not have to provide notice “at or before the point of collection,” if they are not collecting information directly from the consumer. In such circumstances, however, before selling the information in question, the business must either give the consumer an opportunity to opt out or obtain a “signed attestation” from the entity that collected the personal information that it provided notice at the point of collection to the consumer.
  • Detail specific requirements for verifying the identity of consumers making CCPA rights requests, including directly prohibiting businesses from disclosing social security numbers, driver’s license and government-issued ID numbers, financial account numbers, health insurance or medical identification numbers, account passwords, or security questions or answers.
  • Require businesses that provide financial incentives for different types of products or services based on the value of the consumer’s information (e.g., free vs. paid streaming), to quantify the value of consumers’ information and disclose the value and methods used to calculate it.
  • Put in place obligations that appear to extend beyond those contemplated by the CCPA, such as that businesses must: (1) pass on opt-out requests to entities that have purchased the personal information at issue within the past 90 days; and (2) maintain and disclose metrics if they handle the personal information of four million or more consumers each year.

DETAILED ANALYSIS ON VERIFICATION, CHILDREN’S PRIVACY AND NON-DISCRIMINATION.

Verification of Requests (Article 4).

Recognizing the challenges raised by the need to verify consumer requests, the CCPA directed the Attorney General to make this topic one of the key points covered in the regulations. The regulations do not disappoint in this respect, as they provide detailed verification guidance.

General Rules (§ 998.323). The regulations lay out a number of general principles to govern verification responsibilities.

Written Verification Plan. First, businesses must have a written verification plan that documents the methods the business will use to verify the identities of people who submit requests to know or delete personal information. While businesses must consider various factors (described below) in developing the plan, the regulations are designed to provide businesses with “a significant amount of discretion and flexibility,” while setting the baseline requirement that the methods chosen be “reasonable.” Initial Statement of Reasons at p. 29. Critically, while some of the regulation’s provisions are required, many of the specific procedures are crafted with safe harbor language, advising on what a business “may” do to verify certain categories of consumers.

In particular, the proposed regulations direct businesses, where feasible, to try to verify by matching information provided by the consumer with information the business already has on file and to avoid collecting additional personal information unless it is necessary for verification purposes. (If a business collects personal information to verify, it must use it only for the purpose of verification or for security or fraud prevention, and it must delete the information as soon as practical after processing the request.) The regulations further direct businesses to consider the following six factors in develop their plans:

  • the “type, sensitivity, and value” of the personal information collected;
  • the risk of harm to the consumer posed by any unauthorized access or deletion;
  • the likelihood that bad actors will seek the personal information at issue;
  • the degree to which any personal information provided for verification will protect against “fraudulent requests or being spoofed or fabricated”;
  • the manner in which the business interacts with the consumer; and
  • available technology for verification.

Need for Security Measures. The regulations require businesses to implement “reasonable security measures” to detect “fraudulent identity-verification activity” and accordingly prevent unauthorized access or deletion request.

No Need to Re-Identify. Confirming an important aspect of the CCPA, the regulations make clear that if a business maintains consumer information that is de-identified, “a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.”

Verification for Password-Protected Accounts (§ 998.324). The regulations require businesses to use a two-factor verification process, at a minimum, to authenticate consumers with password-protected accounts who submit access or deletion requests. First, the business may verify consumers who using the existing authentication procedures for the account. Second, the business is required to have the consumer re-authenticate themselves in another manner consistent with the type, sensitivity and value to the consumer of the information. Moreover, these verification procedures represent a floor: if the business suspects fraudulent activity, it may require additional verification, as it can if the type of information that may be disclosed requires even greater security.

Verification for Non-Accountholders (§ 998.325).

Standards for Verification. The standards a business must use to verify the identity of consumers who do not have an account with the business vary depending on the type of request made:

Access Request for Categories of Personal Information. In order to verify access requests for categories of information, businesses need to obtain “reasonable degree of certainty,” which “may include matching at least two data points provided by a consumer” with reliable data points maintained by the business.

Access Request for Specific Pieces of Personal Information. Given the sensitivity of these requests, the regulations require businesses to verify the identity of the consumer with a “reasonably high degree of certainty.” Although the regulations provide no one-size-fits-all way to meet this standard, they do provide as an example: (a) matching three pieces of personal information provided by the consumer with personal information maintained by the business, and (b) obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. (Businesses are to maintain all such signed declarations as part of their 24 month recordkeeping responsibilities.)

Requests to Delete. For deletion requests, businesses are to use a different verification standard (“high” or “reasonable” certainty) depending on the sensitivity of the personal information and the risk of harm to the consumer posed by any unauthorized deletion. Regulations use a request to delete family photographs as an example that would require a high level of certainty, as opposed to a request to delete browsing history, which would require a “reasonable” level of certainty.

No Reasonable Method. If a business concludes that there is “no reasonable method” by which it “can verify the identity of the consumer to the degree of certainty required” by the regulations, the business must explain this to the consumer and, “if this is the case for all consumers whose personal information the business holds,” note it in the business’s privacy policy. The business shall further revisit this conclusion on a yearly basis. This provision may be critical for businesses that collect certain limited technical information about site visitors, but are unable to necessarily match such information to particular individual consumers to respond to an access request.

Authorized Agents (§ 998.326). The regulations do not provide detailed guidance on levels of verification required from authorized agents. Rather, absent the agent having a valid proof of attorney, the regulations simply state that a business may require a consumer to verify their identity directly with the business, even when it wants to use an authorized agent. Businesses can further require agents to present written proof of authorization and may deny the agent’s request if they fail to do so.

Special Rules Regarding Minors (Article 5).

Minors Under 13-Years-Old (§ 998.330). A business that has actual knowledge that it collects or maintains the personal information of children under the age of 13 shall establish, document, and comply with a “reasonable method for determine that the person affirmatively authorizing the sale” of the child’s information is the parent or guardian of the child. Moreover, this authorization must be “in addition to any verifiable parental consent required under the Children’s Online Privacy Protection Act,” or COPPA, and the business must notify the parent or guardian of the right to opt-out at any time.

According to the regulations, reasonable methods for determining a parent or guarding is the one providing authorization include:

  • providing a written consent form returned by postal mail, fax or electronic scan (not email);
  • requiring the parent to use a credit or debit card or other payment system that provides notification of each transaction;
  • having a parent or guardian connect to trained personnel by phone, videoconference or in person; and
  • checking the parent or guardian’s government-issued ID against databases that would facilitate verification.

Minors 13 to 16 Years of Age (§ 998.331). Children under 16 must use a two-step opt-in process to consent to the sale of their personal information: an initial opt-in consent followed by a separate second consent. Businesses must also, “at a later date,” notify the children of their right to opt-out.

General Provisions (§ 998.332). A business that is subject to the requirements detailed above with respect to the personal information of children under the age of 16 must include a description of the processes set forth above in its privacy policy. That said, “a business that exclusively targets consumers under 16 years of age and does not sell the personal information of such minors without their affirmative authorization, or the affirmative authorization of their parent or guardian for minors under 13 years of age, is not required to provide the notice of right to opt-out.”

Non-discrimination (Article 6).

The proposed regulations echo the CCPA itself, in that they emphasize that a business violates the CCPA’s non-discrimination principle if it treats consumers differently simply because they exercise their CCPA rights. Nonetheless, the regulations make clear that, as the most recent CCPA amendments clarified, a business may offer a price or service difference if it is “reasonably related to the value of the consumer’s data to the business” and that, moreover, charging a fee for a manifestly unfounded or excessive rights request is not discriminatory. The regulations further state that a business shall use a reasonable and good faith method to calculate the value of the consumer’s data, using one or more of the following methodologies:

  • The marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
  • The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
  • Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value;
  • Revenue generated by the business from sale, collection, or retention of consumers’ personal information;
  • Expenses related to the sale, collection, or retention of consumers’ personal information;
  • Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;
  • Profit generated by the business from sale, collection, or retention of consumers’ personal information; and

Any other practical and reliable method of calculation used in good faith.

THE PATH FORWARD. While the proposed regulations are significant, they are only a draft and not legally binding. Moreover, there will be a fairly long and winding road before the Attorney General will be able to finalize the regulations – something that likely will not happen until well into the next year.

In particular, businesses and other members of the public can comment on the draft regulations and suggest changes until December 6th. They can make comments in writing or during the four public forums scheduled around the state in early December.

Once this comment period closes, the AG must then respond in writing and explain reasons for its adoption or rejection of each comment. We expect this process to take some time, as the volume of comments will likely be substantial. If the AG changes the regulations in response to the comments, the cycle begins again with a new notice and comment period (although, it could be shorter, depending on the type of changes that are made).

Once the AG finalizes a draft of the regulations, the Office of Administrative Law (“OAL”) will need to approve them to ensure they are consistent with the statute and other legal requirements. The OAL has 30 working days to approve the regulations and file them with the Secretary of State.

In the unlikely event regulations are able to be filed by February 29th, they will be effective on April 1st. If they are filed after February 29th, but before May 31st – the more probable course — they will take effect on July 1st, the statutory deadline.

Meanwhile, the CCPA itself still goes into effect on January 1, 2020, and businesses may quickly begin seeing data subject rights requests, let alone the potential for data breach litigation pursuant to the private right of action. Even if the regulations are not final, they are useful as businesses prepare for the dawning of at least some parts of the new CCPA era.