California Attorney General Finalizes CCPA Regulations
June 22, 2020, Covington Alert
On June 1, California Attorney General Xavier Becerra announced that he has submitted to the Office of Administrative Law the final regulations implementing the California Consumer Privacy Act (“CCPA”). While the final regulations do not make any changes to the second modified version of the regulations released in March, the commentary released by the Attorney General (“AG”) in connection with the final regulations provides insight into how the regulator is thinking about the CCPA and what enforcement might be forthcoming.
This commentary includes several hundred pages of responses to comments received from consumer advocates, industry stakeholders, and other interested parties over the course of three different public comment periods. The AG also published a final statement of reasons justifying the regulations. In this client alert, we are providing a high-level overview of some of the most significant points from the voluminous commentary.
The AG’s commentary also identifies a number of areas where the AG will continue to evaluate the need for regulatory clarifications, emphasizing that some open issues require further study and analysis that could not be completed before the statutory July 1, 2020 deadline for adopting regulations. Consequently, future rulemaking activity and informal guidance may address the more complicated issues and edge cases that were raised in response to the initial drafts but which the AG did not address in the proposed final rules.
Definitions and Scoping
- Business. The AG’s responses to comments clarify that the revenue threshold in the “business” definition is not limited to revenue generated in California or from California residents. Additionally, the AG’s responses implied that “doing business in the State of California” should be construed in accordance with its plain meaning and other California law. The AG elsewhere appeared to assume that an out-of-state entity that sells to California residents may meet this threshold in at least some circumstances. See Responses to Initial Comments, Appendix A (“Appendix A”), row 11.
- IP Addresses. Although the AG recognized that IP addresses are included in the statute as “unique personal identifiers,” he also emphasized that whether any data element (such as an IP address) constitutes “personal information” is a fact-specific inquiry. Appendix A, row 15.
Notices to Consumers
- Privacy Notices. The AG’s commentary suggests that businesses have the discretion to include all the information contained in the opt-out, financial incentive, and just-in-time notices in one place through the privacy policy in some circumstances. The AG explicitly disapproved of an interpretation of his regulations that § 999.305(c) permits the notice at collection to be included in the business’s privacy policy in all circumstances, however. Appendix A, row 107. He explained that if a business collects personal information offline, “simply posting the required information in a privacy policy may not be sufficient” without more. This statement did not appear, however, to necessarily exclude (for example) providing URLs to online notices on paper forms and similar offline mechanisms.
- Privacy Policies. To date, companies have taken varying approaches to address statutory requirements to include certain information in online privacy policies. The AG makes clear that the regulations were crafted to provide businesses discretion and flexibility to craft privacy notices and the privacy policy “in a way that the consumer understands them.” Appendix A, row 97.
Verifying Consumer Access and Deletion Requests
- Determining residency. The AG declined to provide express guidance where a person is not associated with a specific state of residence in a business’s records, but his response to another comment noted that there is no statutory obligation to collect personal information that a business would not otherwise collect in the ordinary course of business. However, he then went on to state that, “if a consumer demonstrates that they are a resident of California, the business should comply with the consumer’s request.” Appendix A, row 16.
- Verifying Identity. The AG emphasized that whether a business has employed a “reasonable method” for verification of consumers is “based on the totality of its specific business and consumer concerns.” Appendix A, row 720. He also specifically addressed whether businesses may collect additional information from consumers in particular circumstances, although questions remain:
  - Some commenters had requested clarification about what happens when a consumer submits a request to delete an IP address, browser cookie, or mobile ad ID and associated data but the business has no other information with which to verify the request. The AG declined to revise the regulations, concluding that the regulations provide sufficient guidance and that businesses are not prohibited from asking for additional information provided that it is only used for the purpose of verifying the identity of the consumer and deleted afterwards.
  - The AG clarified that although the regulation states that businesses should generally avoid collecting additional personal information in the verification process, in some instances businesses may have to do so to verify. Specifically, in response to a comment expressing concern that businesses may maintain personal information in a manner that is not associated with a named actual person and that the regulations could “force businesses to investigate consumer identities by procuring more data than they normally would in their normal course of business in order to verify consumers,” the AG noted that “[t]he proposal which provides that businesses are not required to collect or maintain personal information to verify, however, may go too far because in some instances, some personal information may have to be collected by the business to verify a consumer’s identity.” Appendix A, row 734.
  - However, he refused to clarify whether collecting additional information such as a driver’s license was a “necessity,” explaining in response to a related comment that if “the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, and for security or fraud-prevention purposes.” Appendix A, row 731 (emphasis added). The AG was clear in other places, such as in his discussion of whether businesses are required to use the procedures he outlined to verify a consumer’s identity to a required level of certainty, that the use of the word “may” is permissive and suggests what a business can but is not required to do. Appendix A, row 751.
Understanding Consumer Rights to Access and Deletion Requests
- 12-month lookback. The comments clarify that the 12-month lookback in the CCPA applies to access requests only, and does not apply to deletion requests. The AG did not provide further guidance on how to measure the 12-month lookback.
- Exceptions. Generally, the AG noted that “the exceptions under the CCPA may be fact-specific and businesses may determine on a case-by-case basis whether the personal information falls within an exception.” Appendix A, row 40. However, the AG also specifically addressed certain exceptions of relevance in connection with responding to access and deletion requests. In particular:
  - Compliance with law exception. Section 1798.145(a)(1) of the statute notes that the CCPA does not restrict a business’s ability to comply with federal, state, or local law. When asked to clarify that the CCPA does not restrict or conflict with requirements and directives imposed by state agencies via formal or informal regulatory activities, the AG declined to do so. He noted that this interpretation was inconsistent with the CCPA and specifically that “[w]hether an agency’s formal or informal regulation, policy, or guidance is a legal obligation depends on the circumstances.” Appendix A, row 54.
  - Fraud exceptions. The initial proposed regulations included language that explicitly permitted businesses to reject requests that created a risk of fraud. While this language was stricken in subsequent drafts, the AG clarified that the edits were made because the language was “unnecessary and duplicative.” Final Statement of Reasons (“FSOR”), 25. Consequently, businesses should continue to have strong arguments that they can refuse requests that create risks of fraud even without the omitted language.
  - Reidentification and relinking exceptions. As noted above, the AG declined to amend the rules to provide that IP addresses and similar identifiers alone are, by definition, not “personal information.” However, he noted in response to a comment seeking that change that the statute does not require a business to reidentify or link information that is maintained in a manner that would not be considered personal information. This suggests a relatively broad view of the exception that might be helpful to businesses evaluating their obligations with respect to information that is not tied to conventional identifiers in response to an access or deletion request.
  - Intellectual property exemption. Despite the statutory mandate for the AG to establish exemptions for the protection of trade secrets and intellectual property rights as required by state or federal law, the AG concluded that the comments failed to show that a “blanket exemption” was required. His commentary focused on the lack of a record to support a categorical exception for IP and trade secrets. However, he did not address statutory language that could be read to relieve businesses from responding to access requests where there would be negative implications for the protection of trade secrets or intellectual property on a case-by-case basis. Further, the commentary does not foreclose relying on such arguments and suggests the AG may consider the issue in future rulemakings.
The Mechanics of Handling Consumer Access and Deletion Requests
- Toll-free numbers. For businesses that need to provide a toll-free telephone number, the responses clarify that businesses do not need to provide a dedicated CCPA toll-free telephone number.
- Extension. While the statute contemplates that businesses may extend the time period to respond to consumer access and deletion requests by 90 days, the AG has expressly stated that businesses are permitted an extension of only 45 days (beyond the additional 45-day period) to respond to the request. The AG has also clarified that if a business cannot verify the identity of the requestor within the initial 45 days, the business can refuse to respond to the request.
- Timing for publication of consumer request metrics. Despite significant pushback in the comments, the final regulations retained the requirement that businesses keep records of how they respond to requests and to publish certain metrics related to those requests if the specified threshold is met. The obligation to keep records only comes into play once the regulations become effective. Businesses have until July 1 of each year to publish the statistics for the previous calendar year, so the first reporting of metrics is not required until July 1, 2021.
Sales
- Sale meaning. The AG refused to resolve commenters’ divergent views of how the “sale” definition should be interpreted and applied, concluding further analysis is required to determine whether a regulation is necessary on this issue.
  - However, the AG’s commentary emphasizes that whether a particular disclosure constitutes a “sale” raises legal questions that would require a fact-specific determination. Factors to be considered include, for example, (1) whether the information was exchanged for monetary or other valuable consideration, (2) whether the consumer directed the business to intentionally disclose the personal information, and (3) whether the parties involved were service providers. Appendix A, row 47.
  - With regard to the meaning of the phrase “or other valuable consideration,” the AG stated that these terms should be given their plain meaning and be based on how such terms are commonly used in business transactions. Appendix A, rows 45 and 48.
  - With respect to online advertising, in particular, the AG refused to change the regulation but provided some helpful commentary. Responding to a request to clarify (a) whether the definition of “sale” includes “use of website cookies shared with third parties”; (b) that “sale” includes only “transactions where the personal information is the primary object of the sale and not merely incidental to the exchange” and “something that looks like a sale and not the mere acceptance of free services from another business”; and (c) that “sale” not include “disclosures of personal information unless disclosed for monetary or other valuable consideration,” the AG replied: “Whether the particular situations raised in the comments constitute a ‘sale’ raises specific legal questions that would require a fact-specific determination, including whether or not there was monetary or other valuable consideration involved, the consumer directed the business to intentionally disclose the personal information, and whether the parties involved were service providers.” Appendix A, row 47; see also Appendix A, row 655. Similarly, in refusing to specify that “sale” includes “real-time bidding in online advertising, the passing of information for targeted advertising, [and] any data transfer between unrelated companies,” the AG responded: “No change has been made in response to this comment. Civil Code § 1798.140(t) defines the term ‘sale.’ Whether the particular situations raised in the comments constitute a ‘sale’ raises specific legal questions that would require a fact-specific determination, including whether or not the parties involved are third parties or service providers. The proposed change to deem any data transfer between unrelated companies as a ‘sale’ would be inconsistent with the definition set forth in the CCPA. The OAG cannot implement regulations that alter or amend a statute or enlarge or impair its scope.” Appendix A, row 43.
    And in refusing a request by consumer groups to clarify that personal information can’t be shared with service providers for “cross-context behavioral advertising” if a consumer has opted out, the AG responded: “Depending on the fact-specific context, the comment’s characterization of cross-contextual advertising may be prohibited by [Civil Code § 1798.140(t)(2)(C)] and other provisions.” However, the AG also stated: “§ 999.314(c) also limits how a service provider may use, retain, or disclose that personal information.” Responses to 1st Revised Draft Comments, Appendix C (“Appendix C”), row 197; Responses to 2nd Revised Draft Comments, Appendix E (“Appendix E”), row 66.
- Cookie banners. The AG’s commentary does not specifically address whether businesses may rely on a cookie banner to support an argument that consumers have intentionally interacted with third-party advertising or analytics cookies. However, the AG specified that the provisions in § 999.305(c) that require notice at or before the point of data collection do not necessarily require a pop-up notice for cookie data collection.
- Do-not-track. The AG is explicit that honoring Do Not Track (“DNT”) signals is voluntary, and that businesses have “discretion” on whether to treat a DNT signal as a “useful proxy” for a sale opt-out: “The business has discretion to treat a ‘do not track’ signal as a useful proxy for communicating a consumer’s privacy choices to businesses and third parties. However, it is not required.” Appendix C, row 216; see also, e.g., Appendix A, rows 572, 574, 582, 587; Appendix C, rows 202, 207, 209; Appendix E, row 68. Furthermore, the AG noted that “the regulations do not prescribe a particular mechanism or technology” and that the regulation is intended to be “forward looking” for mechanisms that may be developed in the future.
- Posting “Do Not Sell” for Mobile Applications. In response to comments, the AG declined to clarify the rules to permit mobile applications to post a Do Not Sell link only on the mobile app’s “Settings” or menu page. The AG noted that the statute defines “homepage” in the mobile app context to mean “the app’s platform page or download page, a link within the app, and any other location that allows consumers to review the notice requirement.”
Service Providers
- Contracts. The responses clarify that there is no magic language that must be included in service provider agreements. According to the AG, “neither the CCPA, nor the regulations, specify any mandatory contract language.” Appendix A, row 169.
- Certified Third Parties. There is language in the statute’s definition of “third parties” that provides that certain entities subject to contractual restrictions and who certify compliance with those restrictions are not “third parties.” See Cal. Civ. Code § 1798.140(w). The statute does not specifically address the relationship between this language and the “service provider” definition. However, the AG appears to interpret the statute to create a separate category of “non-third party persons” distinct from “service providers.” According to the AG, “the two different definitions serve related but different purposes . . . . If an entity qualifies as a service provider, it need not also attempt to qualify as a non-third party person under subsection (w)(2)(a).” This suggests the converse also is true: if a person qualifies as a non-third party person, it need not also qualify as a “service provider.” Appendix A, row 516.
- Scope of Services. The AG provides multiple pages of commentary in the Final Statement of Reasons detailing his reasoning for the language he landed on in the Final Regulations, which states:
A service provider shall not retain, use, or disclose personal information obtained in the course of providing services except: (1) To process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA; (2) To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations; (3) For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source; (4) To detect data security incidents, or protect against fraudulent or illegal activity; or (5) For the purposes enumerated in Civil Code section 1798.145, subdivisions (a)(1) through (a)(4).
This commentary is nuanced, and we urge businesses to review pages 30 to 36 of the Final Statement of Reasons carefully to assess how the service provider regulations affect their contractual relationships.
  - Notably, however, the AG declined to dilute the exception in § 999.314(c)(4) that permits service providers to use personal information to protect against fraudulent or illegal activity. The AG noted that, “the risks to consumers from illegal or fraudulent activity appear to outweigh the risks that the regulation will be abused as outlined in the comment, given the high prevalence of illegal and fraudulent activity and the low likelihood that businesses will act as the comment warns.” Appendix A, row 548.
Minors
- Consistency with COPPA. The AG in several places attempted to clarify why he believes the CCPA and Children’s Online Privacy Protection Act (“COPPA”) (which preempts inconsistent state laws) regulate different things, and are not inconsistent with one another.
- Actual knowledge standard. The AG rejected requests to clarify that the “actual knowledge” standard in the CCPA’s provisions relating to minors is the same as COPPA’s actual knowledge standard. He contends there is a meaningful distinction between the two because the FTC’s guidance on COPPA refers to actual knowledge of collecting personal information, whereas the CCPA refers to actual knowledge of selling personal information. He also emphasized that COPPA only covers personal information collected online from a child under 13, whereas the CCPA prohibits the sale of children’s personal information “whether collected online, offline, or from a third party.”
- Consent. The AG clarified that parental consent for the CCPA is needed in addition to COPPA consent, because the AG believes they are consent for different things.
Non-Discrimination and Financial Incentives
- When notice is required. There has been much confusion around the meaning of the financial incentives provisions in both the statute and the regulations. In February, the AG revised the draft rules to define a “financial incentive” to include any benefit “related to” the collection of personal information. Some businesses were concerned that this change should be construed to require notice of a financial incentive any time a business collects personal information from a consumer, even if solely for the purpose of delivering a product or carrying out a transaction. But the AG clarified that such an interpretation “would not make sense in this context because the regulations are implementing Civil Code § 1798.125, which prohibits discrimination because of the exercise of rights under the CCPA.” Appendix E, row 1 (emphasis added). Elsewhere, the AG states that the regulations treat comparably “financial incentives” and “prices or service differences” because financial incentives are a type of price or service difference. FSOR, at 3.
- Good faith estimate of the value of consumer data. The AG’s responses suggest that a business may not offer a financial incentive or price or service difference if it is unable to estimate the value of the consumer’s data. He explained why “a good-faith estimate” of the value of a consumer’s data to the business is necessary in the notice of financial incentive, noting that it is a “material term” of a financial incentive program. As noted above, however, the AG appears to be construing a “financial incentive” somewhat narrowly.
- Loyalty programs. The AG refused to clarify that loyalty programs are permitted financial incentives or create a blanket exception for loyalty programs because some of them may in fact be discriminatory. According to the AG, the illustrative examples shed further light on what types of loyalty programs may or may not be permitted.
- Market research. The AG also declined to create a blanket exception for consumers’ participation in marketing research, although the AG’s commentary does not shed light on whether traditional marketing research incentives typically would qualify as a “financial incentive” under the regulations.
If you have any questions concerning the material discussed in this client alert, please contact the following members of our Data Privacy and Cybersecurity practice.