Canada: California Consumer Privacy Act: Are You Ready? (Part 2)

Last Updated: November 5 2019
Article by Susan K. Ross

In Part 1, see https://www.canada-usblog.com/2019/10/23/california-consumer-privacy-act-are-you-ready-part-1/, we summarized the recent legislative changes regarding the California Consumer Privacy Act ("CCPA"). Bearing in mind the CCPA takes effect on January 1, 2020 and the Attorney General is required to issue regulations by July 1, 2020, these regulations not only meet that timeframe but also seek to provide much-needed guidance to industry.

Most of the legislative changes focused on narrowing the definition of personal information, clarifying the timeframe which applies when a consumer demands information the business possesses about him or her, and confirming the CCPA applies to businesses, not non-profits or government entities. In this Alert, we summarize the regulations which were recently issued. However, even in the regulatory context, the starting point remains the same. Companies should begin by asking the following questions:

  • Is our annual gross revenue at least $25 million (not limited to California income alone)?
  • Do we have the personal information of at least 50,000 California consumers, households or devices?
  • Do we sell* the personal data we have of those California consumers, households or devices? If so, do we derive 50% or more of our annual revenues from those sales?
  • Even if we do not sell that personal data, do we disclose* any portion of it to any third parties?

* Definitions for both "sell" and "disclose" appear below.

The term "consumer" has been defined from the outset as anyone who lives in California. Devices are defined at Civil Code § 1798.140(j) as "any physical object that is capable of connecting to the internet, directly or indirectly, or to another device."

The regulations finally provide a definition for household at proposed Civil Code § 999.301(h) to mean "a person or group of people occupying a single dwelling." The term "privacy policy" is also expanded at proposed Civil Code § 999.301(m) to mean a statement the business provides describing its practices online and offline regarding the "collection, use, disclosure and sale of personal information and of the rights of consumers regarding their own personal information."

For regulatory purposes, the following questions should be added to the list:

  • Does our website serve all our users, or do we have a California-only section of our website?
  • Do we have a privacy policy on our website? If so, is it conspicuously displayed?
  • Do we currently track when users accept our terms and conditions**?
  • Do we keep a record of the changes we make to our terms and conditions** each time we update them?
  • Are the means we use to receive acceptance of our privacy policy by users adequate to meet our current and future needs?

** While we are focused on the privacy policy for CCPA compliance purposes, the same general concept of tracking acceptances for terms of use applies. Do you retain versions that are updated and replaced? Do you apply version numbers or dates to track changes? Do you track acceptance by users when new versions are posted? If so, how long do you retain those records? Do you rely on click-through acceptance or other means? Do you notify users by email when terms and conditions are updated?

The reason for these questions will become apparent as we discuss the new regulations. See here for the full regulatory details. The starting point is these regulations were issued as a proposal. The deadline to comment is 5:00 p.m. on December 6, 2019 (to PrivacyRegulations@doj.ca.gov or Privacy Regulations Coordinator, California Office of the Attorney General, 300 S. Spring St., First Floor, Los Angeles, CA 90013). Public hearings will also be held on December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).

The regulations focus on permitting consumers to obtain the basic information called for in the CCPA:

  • What specific pieces of personal information the business collected;
  • The categories of personal information collected and sold about that consumer;
  • The purpose for which the personal information was collected or sold; and
  • The categories of third parties to whom the business sold or disclosed that data.

The business must provide two or more means by which the consumer may submit a request for information; one of these must be a toll-free phone number and, if the business has one, a website (if there is no website, the business must find other acceptable means of giving notice). The information must be provided within 45 days (an additional 45 days is possible for good cause, but this does not extend the time within which the first response must be given). The data must be provided free of charge, the business may impose reasonable means to verify the identity of the recipient, and, when providing the data, it must be in an easily transferrable format. If the company declines to act on the request, such as because it cannot verify the requestor, it must still respond within the first 45 days and explain the applicable appeal rights. The response process is discussed again below, where more specifics are provided.

When it comes to verification, as noted, the method must be reasonable. The regulations define reasonable to include a consideration as to the sensitivity of the information and the risk of harm to the consumer from unauthorized access or deletion. If the consumer has a password protected account, that account may be used to provide the notice and also to detect any fraud. When it comes to non-account holders, at least two data points must be matched, and the result must yield a high degree of certainty. In some cases, a third data element can be required along with a signed declaration under penalty of perjury. When it comes to deletions, companies would be well advised to consider whether to rely on the password protected account, or more data points, depending again on the sensitivity of the data and the risk of harm to the consumer by unauthorized deletion.

The consumer data disclosed is for the 12 months preceding the date of receipt. Consumers may not make more than two (2) such requests in any 12-month period. The business may charge the consumer only if the requests are unfounded or excessive. If the consumer requests deletion of his or her records, that request is also subject to the 45-day rule. However, there are some exceptions. Companies may retain the data in order to:

1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, perform actions reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.

3) Debug to identify and repair errors that impair existing intended functionality.

4) Exercise free speech, ensure another consumer's right to exercise free speech, or exercise another right provided for by law.

5) Comply with the California Electronic Communications Privacy Act.

6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

7) Enable solely internal uses reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.

8) Comply with a legal obligation.

9) Use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

It is reasonable to anticipate that those businesses whose function is not platform related are most likely going to rely primarily on (1) completing the intended transaction, (7) using the data as expected, and (9) using the information in a lawful manner (see the points above). This means companies must be careful how they describe why they are collecting the data and what they intend to do with it. For example, if one of the routine actions your company takes with consumer data is to distribute marketing materials, your privacy policy will now need to specifically mention that use. The Privacy Policy itself must also be posted online through a conspicuous link using the word "Privacy," which must be positioned on the home page of the website or the landing page of the mobile app.

The CCPA also includes the right to opt-out, which is why determining in advance what exactly is done with the data collected is critical. If you share that data with any third parties, you are obligated to provide an opt-out option. That is the case because the definition of "selling" includes "selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or third party for monetary or other valuable consideration". See Civil Code § 1798.140(t).

The rules about minors are unchanged. For minors under the age of 13, the consent of a guardian or parent is required for all purposes, including consent to sell. If the minor is between 13 and 16, the minor must give consent for all purposes.

Businesses may not discriminate against consumers who exercise their CCPA rights. Discrimination is broadly described to include denying goods or services, charging different prices or rates, or providing a different level of service or quality of goods. However, such differences are permitted, including financial incentives, if that difference is reasonably related to the value provided to the business by the consumer's data. More on this topic can also be found later.

There are specific disclosures also required:

  • At or before the point of collection, the business must inform the consumer as to the categories of personal information collected and the purposes for which that data is collected. If the business later decides it wants more data or it wants to put the existing data to different uses, it must first obtain the consumer's consent.
  • The method and means by which the consumer may opt-out. This includes the need to have a "clear and conspicuous" link on the website titled "Do Not Sell My Personal Information" or "Do Not Sell My Info." The Attorney General intends to provide a recommended logo format, but wants input before finalizing the design. This notice is to appear on the home page of the website or the landing page of the mobile app.
  • Any financial incentives which are offered must be stated.
  • The privacy policy must also include a description of the consumer's rights under the CCPA, how he or she may submit requests for disclosure, deletion and opting-out, and, of course, additional information about data collection and sharing practices. This would seem to mean the same data would appear in two places – once at sign-up and once in the Privacy Policy itself. However, elsewhere, there is an indication notice may be provided through a link to the relevant section of the online privacy policy.
  • Training is also required of the individuals responsible for handling consumer requests, to include directing consumers to how they may exercise their CCPA rights. The Attorney General has interpreted this provision to apply only once the business handles 4 million or more consumer records. Such entities will also be required to post online the number of requests to know, delete and opt-out received in the previous calendar year, and the median number of days in which they took to respond.

Other recommendations from the Attorney General include being sure to use "plain, straightforward language, a format that draws the consumers' attention to the notice, and providing the notice in the languages in which the business provides consumer contracts, and other things," which mirrors the requirements of proposed Civil Code § 999.305(a)(2). Those requirements include access for those with disabilities. The regulations underscore that notice must be given prior to the collection of any information, but the notice itself may be given by providing a link to the relevant section of the online privacy policy.

If the business receives the data strictly from other sources, it need not give notice of collection to the consumer at the point of collection, but it must either contact the consumer directly and provide that notice, or contact the source of the information, confirm the source has provided the required notice, and obtain a signed attestation from that source describing how the source gave notice, including a copy of the notice. These attestations are to be retained for at least 2 years and made available to consumers upon request.

In the documents supporting the proposed regulations, the Attorney General acknowledges the regulatory cost to the State will be $4.7 million for FY 2019-2020 and $4.6 million for FY 2020-2021. The estimated cost to business between 2020 and 2030 is said to be $467 million to $16,454 million. The documentation goes on to acknowledge there is a potential competitive disadvantage for California companies (the estimate is 15,000 to 400,000 businesses will be impacted) to companies which operate outside California and are not otherwise subject to the CCPA. For that reason, submissions proposing alternate means of implementation are requested which address the following topics:

i) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to businesses.

ii) Consolidation or simplification of compliance and reporting requirements for businesses.

iii) The use of performance standards rather than prescriptive standards.

iv) Exemption or partial exemption from the regulatory requirements for businesses.

A business is exempt if it does not and will not sell (bearing in mind the broad definition of "sell") consumer personal data and so states in its privacy policy. If exempt, the opt-out logo is not required.

If a company has a loyalty or other financial incentive program, those are still permitted, but there are specific notice requirements which generally mirror the criteria mentioned above regarding what must be included in the notice and how those incentives are to be explained. Similarly, if any cost or service differences do apply, they must meet the standard and also provide a "good-faith estimate" of the value of the consumer data which forms the basis for the differential, and also a description of the method used to calculate the value stated.

Given these regulatory mandates, here are some additional factors for businesses to consider:

  1. How will you give the required notice to consumers?
  2. What form will the update to your privacy policy take?
  3. Are you required to provide an opt-out option and the corresponding logo?
  4. Do you reflect the last date updated on your privacy policy?
  5. Do you provide a contact for more information?
  6. The requirement is two or more designated methods for the consumer to request data, to include a toll free telephone number, a link or form on the website, a designated email address, a form submitted in person or a form submitted through the mail. Which of these do you currently provide? How does the business usually interact with consumers? Where on the list of methods of notice do your usual means of consumer interaction fall?
  7. Deletion requests are subject to two steps; first, the consumer submits the deletion request and then separately confirms deletion is desired. How will you implement this process?
  8. If the consumer submits a request by a method other than a prescribed one, the company must decide whether it will treat the request as properly submitted or provide instructions to the consumer as to how to submit his/her request or remedy any deficiency. Which will you opt for?
  9. Businesses must respond to requests within 45 days, but must confirm receipt within 10 days and confirm how the business will process the request and when it expects to provide a substantive response. While verification of the identity of the requestor is permitted, the response time clock starts at the time of receipt, not when the verification is completed. Businesses are barred from disclosing a Social Security, driver's license, or other government-issued identification number, along with any financial account, health insurance or medical identification number, account password, or security questions and answers. Generally, individualized responses are required. How will you implement this mandate?
  10. If the request is to delete, the business may respond by erasing the data from its systems or by de-identifying or aggregating the data, unless the business determines not to comply with the request. If so, it is then necessary to provide that response to the consumer along with the grounds for refusal. The business may also offer the consumer the ability to delete selected portions only, provided the global option is also offered and more prominently displayed. How will you implement this requirement?

The CCPA regulations also go on to address the use of service providers (third parties) which owe duties of indemnity and compliance to the businesses which hire them (and conversely the business owes a duty of indemnity to that service provider), dealing with the collection and use of the data collected. There are also general rules for verification of consumers, password protected accounts, non-account holders and authorized agents.

Clearly these regulations are complex and demanding. Companies would, therefore, be well served to first be sure of the specifics of their business model, the nature and extent of the personal data collected, and how that data is used and shared. A refresher to be sure the information in hand is current is recommended before proceeding further. Once all of that is clear, a careful study of the requirements of the CCPA regulations is in order, so as to compare those requirements with current practices and then, of course, update accordingly.

Bearing in mind individual and class action lawsuits are now permitted, someone is going to be the poster child for having messed up compliance. Whether you handle implementation yourself or we or another advisor assist you, getting it right the first time is critical to having a peaceful holiday season! Will you be ready?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
