Jana Terry (jterry@becksteadterry.com) is a partner with Beckstead Terry PLLC, a boutique employment, compliance, and privacy law firm in Austin, Texas, USA.
On October 10, 2019, the California Attorney General’s office published draft regulations to operationalize the California Consumer Privacy Act (CCPA).[1] Although the draft regulations are still subject to comment and will not be in final, enforceable form until July 2020, they provide helpful insights into how the final regulations are likely to look. And they are the only guidance that companies have as they start to implement the now-effective CCPA. These are the key takeaways from the draft regulations that companies should consider as their CCPA compliance programs go into effect.
Expect initial compliance costs to be high
In conjunction with the draft regulations, the California Department of Justice published an Economic Impact Statement that recognizes that the CCPA will have a large impact.[2] The attorney general projects that it will initially cost the “typical” business $75,000 to come into compliance with the CCPA. Annual ongoing costs (for “typical” businesses) are predicted to be $2,500 per year. For small businesses, the initial costs are predicted to be $25,000, and the ongoing costs are predicted to be $1,500 per year. These numbers are an indication of how seriously businesses are expected to take their obligations. For compliance professionals who are having trouble obtaining adequate resources to implement effective CCPA compliance programs, citation to the attorney general’s expectations may be helpful to their arguments.
How to comply with notice obligations: Consult the regulations
The draft regulations are substantially easier to understand than the text of the CCPA, particularly with respect to the who, what, when, where, and how of providing notices to consumers. The draft regulations break down the notice obligations into four types: (a) Notice at Collection of Personal Information (PI), (b) Notice of Right to Opt-Out of Sale of PI, (c) Notice of Financial Incentive, and (d) Notice of Consumer Rights (via the Business’s Privacy Policy).[3] All of these notices must be easy to read, understandable to the average consumer, posted conspicuously and in an attention-getting format, accessible to consumers with disabilities, and available in the languages in which the business provides other information to consumers. The contents of the notices are specified by the draft regulations.
Notice at collection
This is the notice that must be provided to consumers at the point where PI is going to be collected. It must contain the following information (or a link to the section of the business’s privacy policy that contains the same information):
- A list of categories of PI that is collected about consumers;
- For each of the categories, the business or commercial purpose for which the information will be used;
- If the business sells PI, a link titled either “Do Not Sell My Personal Information” or “Do Not Sell My Info.” (In the case of offline notices, provide the web address for the webpage to which the “Do Not Sell” link directs consumers); and
- A link to the business’s privacy policy. (In the case of offline notices, provide the web address of the business’s privacy policy).
Notice of right to opt-out of sale of PI
A business that “sells” PI (as defined in the CCPA) must post the notice of right to opt out on the web page to which the consumer is directed after clicking the “Do Not Sell” link on the download or landing page of a mobile application. It must contain the following information (or a link to the section of the business’s privacy policy that contains the same information):
- A description of the opt-out right;
- The web form by which the consumer can submit their request to opt out online or, if the business does not operate a website, the offline method by which the consumer can submit an opt-out request;
- Instructions for any other method by which to request to opt out;
- Any proof required when a consumer uses an authorized agent to exercise the opt-out right—or, in the case of a printed form containing the notice, a web page, online location, or URL where consumers can get information about authorized agents (the possibility of consumers exercising rights through an authorized agent is mentioned several times in the draft regulations; companies need to anticipate that this may be common); and
- A link to the privacy policy (or, if offline, the URL of the web page where consumers can access the privacy policy).
Notice of financial incentive
If the business offers a financial incentive or price or service difference (a “financial incentive”) in connection with obtaining PI, the business must post a notice with the following information:
- A “succinct” summary of the financial incentive;
- A description of the material terms, including the categories of PI that are implicated;
- How the consumer can opt in;
- The consumer’s right to withdraw at any time and how to exercise that right; and
- An explanation of why the financial incentive is permitted under the CCPA, including a good faith estimate of the value of the consumer’s data and how that value was calculated.
Privacy policy
According to the draft regulations, the purpose of the privacy policy is “to provide the consumer with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.” In addition to the easy-to-read and accessible requirements for all CCPA-required notices, the privacy policy must:
- Be available in an additional format that a consumer can print out as a separate document, and
- Be posted online through a conspicuous link using the word “privacy” on the business’s website homepage or on the download or landing page of a mobile application. (If the business does not operate a website, it must make the privacy policy conspicuously available to consumers).
With regard to content, the draft regulations provide a detailed explanation regarding how the privacy policy must:
- Advise consumers about their CCPA rights;
- Provide instructions about how consumers can exercise their rights and describe the verification process;
- List the categories of PI the business has collected in the preceding 12 months and, for each category, provide:
  - The business or commercial purpose for collecting the PI.
  - The “categories of third parties” with whom the PI is shared. According to the draft regulations, categories of third parties means “types of entities that do not collect personal information directly from consumers including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.”
- State whether or not the business sells the PI of minors under 16 years old without affirmative authorization;
- State whether the business has disclosed or sold any PI to third parties for a business or commercial purpose in the preceding 12 months and, if PI has been sold or disclosed, list the categories of PI disclosed or sold;
- Explain how a consumer can designate an authorized agent to make CCPA requests on the consumer’s behalf;
- Provide a contact for questions or concerns using a method that reflects the manner in which the business primarily interacts with consumers;
- Identify the date the privacy policy was last updated; and
- If the business annually buys, receives, sells, or shares the PI of 4 million or more consumers, disclose certain metrics regarding the number of CCPA requests and the median number of days that it took the business to respond.