Cross-posted from The Global Privacy Watch blog.
Attorney General Becerra’s office posted the long-awaited draft CCPA regulations a little before 2:00 pm (PST) October 10th. It was a bit of a curve ball, to be perfectly honest (considering the final swath of amendments to the CCPA are not even final until Governor Newsom signs them, or on October 13th). Tellingly, the California Administrative Procedure Act requires the California Department of Finance to approve “major regulations” (and they have 30 days to do that) prior to publication. Based on this, it would seem that these regulations were drafted prior to the amendments to the CCPA going through the legislature. This does not seem like an effective way to draft regulations, but hey, no one should tell the AG he shouldn’t jump the gun! They are now out there, so one reviews them anyway.
Topping out at a modest 24 pages (the CCPA itself is 19 pages), the regulations are organized into seven articles. We’re directing our comments to the issues that pop out to us initially, and as always, we’ll post further observations as things progress.
First, the draft regulation includes much needed definitions and clarification in several instances. Unfortunately, some definitions were not clarified, such as ‘Business’ (and how the $25 million is calculated). Further, ‘Household’ is now defined as a person (or group) occupying a single dwelling. So, Personal Information ‘attributable’ to a consumer will now be ‘attributable’ to any person or group within a single dwelling. Given the broad definition of Person under the CCPA, this now means it’s easier for an organization to meet the ‘Business’ definition under Section 1798.140(c)(1)(B).
Second, regarding the notice required for collection of personal information offline: to be compliant, notice of the personal information collected may be provided to the consumer on paper or through posting prominent signage directing consumers to a web address. This has the obvious consequence of requiring the business to provide notice to everyone – even those not meeting the definition of Consumer. However, it does give guidance to brick-and-mortar stores on how they are supposed to provide a policy in an environment which does not lend itself to the provision of dense content (like reading a privacy notice).
While we applaud the decision to include a ‘laundry list’ of requirements a business must have in a privacy notice, we note that it is silent as to why a business must comply with a provision requiring a 12 month ‘look back’ on personal information collected, sold or disclosed prior to the operational date of the law. How, exactly, is this supposed to work?
Third, notice is to be written ‘in a manner that provides consumers a meaningful understanding of the information being collected.’ This doesn’t provide objective criteria to apply in making that determination. Further, ‘meaningful understanding’ appears elsewhere in the draft regulation with equal ambiguity. Additionally, Section 999.312(a) still includes the requirement for a toll-free number as one of the mandatory contact methods included in a notice. This section seems to ignore the last round of amendments to the CCPA (namely, AB 1355 and AB 1564), which put a limitation on that requirement. This goes back to the AG writing the draft regulations without waiting on the final form of the law.
Fourth, when responding to requests to know, the regulations mandate that a business respond by providing categories of sources, purpose, third parties to whom personal information was sold, and business or commercial purpose for which it was sold or disclosed for each identified category of personal information it has collected about the consumer. This may not be problematic for one or two categories collected, but it certainly could be very problematic if those numbers are higher. This level of detail may well lead to “notice fatigue”. This is the reason the FTC and the FFIEC simplified the notice requirements under Gramm-Leach-Bliley: the detail of the notices was getting to the point where it wasn’t providing any ‘meaningful understanding’ to consumers. The AG could take a lesson from the FTC in this regard.
Fifth, in responding to requests to delete, if a business cannot verify a requester’s identity as authorized under the regulations, the business may deny the request. Upon notifying the requester, the business must treat the request as a request to opt-out of the sale. If a requester’s identity cannot be verified, it should not matter what the request relates to. Yet, the regulations provide that a request to opt-out need not be a verifiable consumer request (a Business may refuse to do as directed upon a showing of fraud).
These two requests are not related in scope. One is to delete any data collected about the consumer; the other is to opt-out of data sold to a third party. By forcing a business to treat a deletion request as an “opt-out,” the regulations create a presumption that all businesses are selling data to third parties – and this is not actually true. Further still, the business duty is to provide a mechanism through which the consumer may opt-out (under the ‘general rule’), and it is up to the consumer to exercise that right (see Section 1798.135). THAT right has not been exercised; rather, it has been shifted to the Business instead, where opt-out procedures must be followed absent a showing of fraud (see Section 999.315 of the draft regulations).
Sixth, the draft regulations attempt to introduce a hierarchy of personal information verification processes which includes factors to consider depending on the type, sensitivity, and value of the personal information collected. This is aligned with the CCPA’s requirement that the AG promulgate regulations describing how a “verifiable consumer request” is supposed to operate.
Unfortunately, none of the enumerated criteria related to a “verifiable consumer request” have anything to do with “verifying” the identity of the consumer. More simply put, none of the criteria mentioned in the draft rulemaking have anything to do with identity. Identity management is a difficult thing in the best of circumstances. The requirements provided in the AG’s proposed rulemaking do literally nothing to provide direction as to how to identify a consumer who is asking for access, deletion, or opt-out. In this area, the draft regulations are so inadequate as to be functionally irrelevant – which is not helpful to any business attempting to achieve compliance.
Critically, this is one of the most important gating factors in the CCPA. The vast majority of business obligations around consumer control over their data rely on the “verifiable consumer request”. If this fundamental requirement isn’t set out, along with safe harbors establishing what is sufficient, then the entire enforcement structure becomes tenuous, if not outright ineffective. Without an AG-mandated means of verifying the identity of an individual, it is also very possible the “verifiable consumer request” will become a tool for hackers to steal individuals’ data from businesses, because the business will want to provide access to personal information in order to avoid liability under the CCPA.
Obviously, we’ll have more comments in the days ahead, so stay tuned.