CCPA Practice Tip SeriesPDF
The California Consumer Privacy Act of 2018 (CCPA) went into effect on Jan. 1, 2020, creating an array of new obligations and legal risk regarding the personal information of California consumers for businesses covered by the law. Complying with the CCPA can be challenging, but Robinson Bradshaw attorneys are here to help. We are providing a series of CCPA Practice Tips to help businesses understand the new requirements and implement compliance strategies. Drawing on our experience helping clients to prepare for the CCPA, we will break down the challenge of compliance into small, digestible pieces and address key practical issues facing businesses. Of course, every business covered by the law will need a compliance strategy tailored to its unique circumstances. If you have questions about any of the information provided here or about how the CCPA may apply to your business, please do not hesitate to contact any member of our Cybersecurity and Privacy Practice Group for assistance.
Please note that our CCPA Practice Tips take into account not only the text of the CCPA as amended but also the proposed implementing regulations submitted by the California attorney general (as first revised in February 2020 and further revised in March 2020) and other guidance that may become available by the time of publication. As the text of the proposed regulations could change again before they become finalized, we plan to update our guidance here as needed to reflect such changes (if any). Please contact us for the most up-to-date information.
Tip #1: Step-by-Step Approach to Compliance
Originally published Jan. 2. Updated Feb. 27.
As the CCPA has now gone into effect, businesses will have about six months before July 1, 2020, when the California attorney general can begin enforcing the CCPA. It could be even longer before the CCPA's implementing regulations are finalized. However, consumers covered by the law can now begin submitting certain types of legal requests to businesses handling their personal information. Businesses also can face litigation under the CCPA's limited private right of action for data breaches of certain personal information.
This first Practice Tip of our series provides an overview of what the CCPA requires from most businesses covered by the law and then outlines a general step-by-step approach to compliance. In future Practice Tips, we will address the applicability of the CCPA, including what types of business are covered and how key terms are defined, and examine important aspects of compliance in greater detail.
Overview of CCPA Obligations
Generally, for most businesses covered by the CCPA, there are four basic requirements that must be addressed from the outset to comply. The business has to do the following:
- Honor consumers' rights to request specific information about what personal information the business collects, uses, discloses and sells about that consumer (a "request to know") and to request the deletion of that consumer's personal information collected by the business (a "request to delete").
- Update contracts with service providers and other businesses with which the business shares personal information.
- Adopt commercially reasonable data security measures to protect personal information from unauthorized access, theft or disclosure.
Notably, there are additional obligations for a business that:
- Sells consumers' personal information to third parties, using a special definition for what "sell" means;
- Collects the personal information of individuals under the age of 16;
- Treats consumers differently based on their agreement to provide additional personal information or permit the sale of such information, or based on their exercise of their CCPA rights; or
- Annually handles the personal information of 10 million or more Californians.
These situations trigger special requirements under the CCPA that are beyond the scope of this Practice Tip. Please contact us for more information if you have questions about compliance in such situations.
Finally, the CCPA's obligations do not currently extend to the personal information of a business's own employees or job applicants or to the personal information of the individual employees or other personnel of business entity clients, customers, service providers or partners/collaborators (e.g., B2B services). The CCPA's obligations around treatment of personal information from these types of individuals have been suspended until Jan. 1, 2021.
Step-by-Step Approach to Compliance
Each business is unique and will need a compliance strategy tailored to its needs. However, we have developed the step-by-step approach outlined below through our experience helping companies prepare for the CCPA. These basic steps provide a helpful framework and starting point for businesses working to comply with the CCPA.
- Gather Relevant Information. In particular, obtain a detailed understanding of personal information "flow" within your business, including what type of information is collected and how it is used and shared. Confirm that your business's databases are configured to handle consumers' requests to know and requests to delete, such as whether an individual's personal information can be searched and erased. Finally, confirm whether your business "sells" personal information or treats consumers differently based on the permissions given for their personal information.
- Establish Channels for Consumers to Submit Requests. Put in place required methods for consumers to submit requests applicable to your business, such as a toll-free telephone number or an online interactive form. If your business maintains a password-protected online account with a consumer, also put in place a secure self-service portal for consumers to submit and verify requests. Have personnel who are trained and ready to receive and respond to such communications, and keep appropriate records of the responses.
- Implement Processes for Responding to Requests. Develop an action plan for when consumers submit requests to know and requests to delete. Special attention should be paid to establishing a secure, sensible, consistent and repeatable process for verifying the identities of consumers submitting requests, so as not to inadvertently expose personal information to the wrong persons.
- Update Contracts with Third Parties. Identify all contracts with service providers and other third parties with whom your business is sharing consumers' personal information. Review those contracts to confirm they feature the commitments required for compliance with the CCPA and update them as necessary.
- Enhance Data Security. For compliance with CCPA cybersecurity requirements, you should consider hiring a chief information security officer or engaging an outside data security firm to assess and help your business implement the appropriate safeguards and align your program with an industry-standard data security framework.
In future installments of our CCPA Practice Tip Series, we will focus on specific steps for compliance in greater detail. Before we do that, however, our next Practice Tip will address the scope of the CCPA and what businesses are covered by the law. If you have questions about any of the information provided here or about how the CCPA may apply to your business, please feel free to contact any member of our Cybersecurity and Privacy Practice Group or any other Robinson Bradshaw attorney with whom you are working.
Tip #2: Which Businesses Must Comply
Originally published Jan. 9. Updated Feb. 27.
This second Practice Tip of our series explores the threshold issue of who must comply with the CCPA that has now gone into effect. In general, the obligations apply only to "businesses" collecting consumers' personal information. The CCPA's concept of a "business" generally means:
- Any for-profit entity that
- Does business in California,
- Collects personal information of consumers (including through a service provider),
- Determines the purposes and means of processing such information, and
- Satisfies one or more of the following requirements:
– Has annual gross revenues in excess of $25 million;
– Annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
– Derives 50% or more of its annual revenues from selling consumers' personal information.
"Business" also includes any entity that is an affiliate of and shares common branding with an entity meeting the above definition. This likely covers any affiliate with a shared name, service mark or trademark.
Doing Business in California
The CCPA's phrase "does business in the State of California" is not defined any further in the statute. However, based on prior legislation, it is clear that a physical operation in California is not required. Also, given how the statute includes an exception for situations where every aspect of the collection and use of consumers' personal information takes place wholly outside of California, the drafters of the CCPA clearly believed that businesses domiciled outside of California may be subject to the law. Thus, lots of businesses located throughout the United States, especially those with an online presence, will likely be regarded as "doing business" in California for purposes of the CCPA.
Collects Personal Information of Consumers
Here "consumer" means any individual California resident. Of course, this is much broader than how the word is typically used. For example, a company's own personnel and job applicants as well as the employees and other individual representatives of its business clients (e.g., when engaging in business-to-business transactions) are technically "consumers" under the CCPA so long as they are California residents. However, because of an amendment regarding this issue, the effective date of the CCPA has been delayed to Jan. 1, 2021, regarding these types of individuals.
Also bear in mind that the CCPA applies both when a business collects personal information on its own and also when the business directs a third-party service provider to collect the information on behalf of the business. Indeed, when service providers are involved, the CCPA includes requirements for what to include in the service agreement.
Determines the Purposes and Means of Processing Personal Information
The CCPA only directly places obligations on a business that "alone, or jointly with others, determines the purposes and means of the processing" of consumers' personal information. Generally, this occurs when the business has a direct relationship with the consumer – that is, they are "your" customer or client – or in other situations where the business is able to dictate and control how the personal information is used. In contrast, service providers that collect, store or otherwise process personal information on behalf of a business client or customer as directed are generally only obligated to comply with certain elements of the CCPA.
The Extent of the Business, Personal Information and Revenue
Finally, the business must also either (i) have annual gross revenues in excess of $25 million, (ii) annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices or (iii) derive 50% or more of its annual revenue from selling (as defined in the CCPA) consumers' personal information. As to the first threshold, there is some debate over whether the $25 million revenue threshold is revenue globally, nationally or in the state of California. Until more guidance is provided, it is safest to assume global revenue should be considered. Additionally, due to the broad definition of "consumer" discussed above, many more businesses will meet the second threshold than a first glance would suggest.
Even if you operate a "business" covered by the CCPA, the law's requirements would not apply to your processing of certain types of personal information, including the following:
- Certain types of personal information already governed by federal or California laws focused on specific industries, such as:
– Health information covered under the California Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA);
– Information collected in a clinical trial subject to the Federal Policy for the Protection of Human Subjects (the Common Rule);
– Personal information transferred to or from a consumer reporting agency if such information is already protected by the Fair Credit Reporting Act (FCRA);
– Consumer financial information protected by the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act (FIPA); and
– Personal information covered by the federal Driver’s Privacy Protection Act.
- Publicly available personal information from federal, state or local government records.
- Deidentified or aggregated consumer information.
- Information collected and used where every aspect of the collection and use takes place wholly outside of California (e.g., the paper guestbook at a resort in North Carolina).
Tip #3: Scope of "Personal Information" and "Sales"
Originally published Jan. 16. Updated Feb. 27.
After determining that the CCPA applies, a business will need to carefully assess so-called "data flows" of personal information in order to develop a compliance strategy. To this end, here are some key questions to be answered:
- What personal information is collected?
- From where and how is it collected?
- How is the information used and stored?
- To whom is it sold or otherwise disclosed?
The answers to these questions will go a long way to defining the scope of a business's obligations under the CCPA. For example, the CCPA imposes stricter requirements on businesses that "sell" personal information, collect the personal information of persons under the age of 16, or treat consumers differently based on their agreeing to the collection or sale of personal information or their other exercise of CCPA rights. Accordingly, for this third Practice Tip, we focus on what counts as "personal information" and "selling" such information for purposes of the CCPA.
"Personal information" is broadly defined in the CCPA. It means "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Beyond this general definition, the CCPA provides a list of examples of items that would be personal information if reasonably linked or linkable with a particular consumer or household:
- "Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers."
- The CCPA references another definition of "personal information" in Section 1798.80, which mentions various other types of information associated with "a particular individual," including "his or her … signature, … physical characteristics or description, … telephone number, … insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information."
- "Characteristics of protected classifications under California or federal law." This would cover information about a person's inclusion within a protected class under the law, such as his or her race, color, national origin, religion, age, sex and gender, sexual orientation, physical or mental disability, and veteran status.
- "Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies."
- "Biometric information." The CCPA defines this term elsewhere to mean "an individual's physiological, biological, or behavioral characteristics," including DNA, that "can be used, singly or in combination with each other or with other identifying data, to establish individual identity." Some example specified by the CCPA are "imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information."
- "Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement." Notably, this may include IP addresses and similar data that are collected when a person visits a website.
- "Geolocation data."
- "Audio, electronic, visual, thermal, olfactory, or similar information."
- "Professional or employment-related information."
- "Education information" as defined in the Family Educational Rights and Privacy Act.
- "Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
As these examples make clear, the CCPA's concept of personal information goes far beyond the typical categories of personally identifiable information found in U.S. privacy laws. Thus, you must think expansively in the assessment of data flows within your business to identify all personal information that may be covered by the CCPA.
The CCPA does specify a number of exceptions which provide some limits to the scope of personal information subject to the law. For example, "deidentified" personal information, "aggregate consumer information," and 'publicly available information" (i.e., available from federal, state or local government records) are specifically excluded. Furthermore, as mentioned in our earlier Practice Tip concerning the scope of the CCPA, certain types of personal information already governed by industry-specific federal or California laws are also carved out of the statute. Finally, two key areas of personal information have been carved out of the CCPA until Jan. 1, 2021. These are, broadly speaking, a company's own personnel and job applicants as well as the employees and other individual representatives of its business clients, such as when engaging in business-to-business transactions.
Sales of Personal Information
A business that "sells" personal information faces additional requirements under the CCPA, including more disclosure obligations and the requirement to have a mechanism for consumers to opt out of the sale of their personal information. Accordingly, after figuring out the data flows of personal information, businesses must also determine whether any of their disclosures of personal information would be considered a "sale" for CCPA purposes.
"Sell," "selling" and the like basically mean a business's disclosure of personal information to a third party for anything of value. Specifically, the term is defined very broadly to mean "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
As with the concept of personal information, this definition of selling goes well beyond what the term typically means. In particular, "other valuable consideration" could mean a wide range of things, such as getting access to another's marketing list or learning additional consumer insights to help with marketing. Thus, in assessing whether a disclosure of personal information to a third party could amount to "selling" under the CCPA, it is important to consider the whole relationship with the third party and how the business may benefit from the disclosure.
The CCPA does specify a number of exceptions, however. The following transfers of personal information are not considered "sales" under the CCPA:
- A business uses or shares with a service provider a consumer's personal information that is necessary to perform a specified business purpose, but only if the business gives the required disclosures to the consumer and the service provider does not further collect, sell or use the personal information except as necessary for the business purpose. The business should have a written contract that obligates the service provider to comply.
- A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party (so long as that third party does not, in turn, sell such information except in accordance with the CCPA). An example would be where the business has a mobile app that integrates with another mobile app or online service, transferring personal information to the third party's mobile app or online service at the consumer's direction. For this exception, the CCPA warns that the disclosure must involve an "intentional interaction" where "the consumer intends to interact with the third party, via one or more deliberate interactions," and that "hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party."
- The business provides an identifier for a consumer for the purpose of alerting the third party that the consumer has opted out of the sale of his or her personal information.
- The business transfers personal information to an acquirer in a merger, acquisition, bankruptcy or similar transaction, so long as the acquirer does not materially alter how the personal information is handled.
Tip #4: Notices Required by the CCPA
Originally published Jan. 24. Updated April 2.
Under the CCPA and proposed implementing regulations, businesses will need to update their posted privacy policies to ensure that the policies inform consumers about all of the following:
- The categories of personal information the business has collected, and the business or commercial purposes for which the information was collected;
- The categories of sources from which the personal information is collected, such as from the consumer directly or from advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks or data brokers;
- The categories of third parties with whom the business shares personal information (and the categories of personal information shared with such third parties), including whether the information was sold to any third parties;
- Whether the business sells the personal information of minors under the age of 16, and, if so, what process the business will use to obtain affirmative authorization to do so from the minor (if the minor is between 13 to 16 years of age) or from the minor's parent or guardian (if the minor is under age 13);
- The consumer's right to request specific information about what personal information the business collects, uses, discloses and sells about that consumer;
- The consumer's right to request the deletion of his or her personal information collected by the business;
- Instructions for the consumer to submit a request to know or request to delete (as described above) and a general description of the process the business will use to verify the identity of the consumer making the request;
- The consumer's right to opt-out of the sale of their personal information and the mechanism for exercising this right, or, if the business does not sell personal information of consumers to third parties within the meaning of the CCPA, a statement informing consumers of this fact;
- The consumer's right not to receive differential treatment by the business for the exercise of his or her CCPA privacy rights;
- The consumer's right to designate an authorized agent to exercise the consumer's rights under the CCPA on the consumer's behalf and instructions on how an authorized agent can make a request under the CCPA on the consumer's behalf; and
Notice at Collection
In addition to the disclosures in privacy policies, the CCPA also requires businesses to provide notice to a consumer at or before the time a business collects personal information from that consumer. This new, separate type of notice is referred to in the CCPA as "Notice at Collection." This notice must contain:
- A list of categories of personal information about consumers that will be collected by the business;
- The business or commercial purposes for which the personal information will be used;
- If the business sells personal information to third parties within the meaning of the CCPA, a link to the "Do Not Sell My Personal Information" notice (described below); and
"Do Not Sell" Notice
If the business sells the personal information of consumers to third parties – that is, in the broad meaning of "sell" under the CCPA – then it must also provide a Notice of Right to Opt-Out of Sale of Personal Information. This notice must inform consumers about:
- The consumer's right to opt-out of the sale of their personal information by the business;
- The interactive form by which the consumer can submit their request to opt-out online; and
- Instructions for any other method by which the consumer may submit their request to opt-out, particularly if the business does not operate a website.
Notice of Financial Incentive
Finally if the business offers financial incentives to consumers in exchange for the collection of or permission to sell their personal information, or if the business offers different pricing or quality of goods or services to consumers as a result of their sharing of or permission to sell their personal information, then the business must also provide a Notice of Financial Incentive to the consumer. This notice describes the financial incentive or price or service difference that is provided to consumers based on their decision to share or allow the sale of personal information, as detailed in the CCPA regulations.
Form of the Notices
Generally, the proposed CCPA regulations would require that each type of notice:
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a format that draws the consumer's attention to the notice and makes the notice readable, including on smaller screens if applicable.
- Be available in languages in which the business ordinarily provides contracts, disclaimers, sale announcements and other information to consumers.
- Be reasonably accessible to consumers with disabilities, including (1) by following generally recognized industry standards such as version 2.1 of the Web Content Accessibility Guidelines published by the World Wide Web Consortium for all notices provided online or (2) providing information on how a consumer with a disability may access the notice in an alternative format for offline notices.
- Be available in a format that allows a consumer to print it out as a separate document.
- Be updated at least once every 12 months.
Tip #5: Submission of Consumer Requests
Originally published Jan. 31. Updated April 2.
The CCPA gives consumers (a) the right to request specific information about what personal information a business collects, uses, discloses and sells about that consumer (a "request to know"); (b) the right to request the deletion of that consumer's personal information collected by the business (a "request to delete"); and (c) the right to opt-out of the sale of that personal information by the business (a "request to opt-out").
To ensure that consumers can easily exercise these rights, the CCPA and proposed regulations require businesses to make available to consumers certain specified methods for submitting requests, and to train their employees on handling such requests. Furthermore, upon receiving one of these consumer requests, the business must take steps to verify the identity of the individual making the request – so as to prevent unauthorized access to or deletion of the consumer's personal information – and then either comply with the request or, if an exception or valid reason to deny the request applies, explain this exception or denial in a written response to the consumer. The business must also maintain records of how it has processed such consumer requests under the CCPA.
This Practice Tip will focus on the specific methods a business must make available for consumers to submit requests to know, requests to delete and requests to opt-out according to the proposed regulations. In future Practice Tips, we will address the remaining requirements in greater detail.
Methods for Consumers to Submit Requests to Know and Requests to Delete
With respect to consumers' requests to know: A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address to allow consumers to submit requests to know (though it can certainly offer additional methods if it so chooses). All other businesses must provide at least two designated methods to allow consumers to submit requests to know, including, at a minimum, a toll-free telephone number. Other examples of acceptable methods include (but are not limited to) a form submitted in person or a form submitted through the mail.
With respect to consumers' requests to delete: All businesses (including businesses that operate exclusively online) must provide at least two designated methods to allow consumers to submit requests to delete. Examples of acceptable methods include (but are not limited to) a toll-free telephone number, a link or form available online through a business's website, a designated email address, a form submitted in person or a form submitted through the mail.
Businesses must consider the methods by which they primarily interact with consumers when determining which methods to provide for consumers to submit requests to know and requests to delete. For example, if the business primarily interacts with consumers in person, the business must consider providing an in-person method to submit requests to know and requests to delete, such as through a printed form the consumer can submit through the mail, by providing an on-site tablet or computer portal that allows the consumer to complete and submit an online form, or by providing a telephone by which the consumer can call the business's toll-free telephone number for submitting such requests.
If the consumer has a password-protected account through the business's website, mobile app or similar online service, the business can enable consumers to submit requests to know and requests to delete through a secure, self-service portal on the business's website, mobile app or other online service after the consumer has logged in to their account. This method has many advantages for reasons that will be described in future Practice Tips.
A request to delete that is processed online may be implemented using a two-step confirmation process where the consumer must first, clearly submit the request to delete and then second, separately confirm that he or she wants the personal information deleted. Additionally, the business may present the consumer with a choice to delete select portions of his or her personal information, but only if the business also offers the consumer a global option to delete all of the consumer's personal information (and the global option must be more prominently presented).
In the event that a consumer submits a request to know or request to delete in a manner that is not one of the business's designated methods, the business has two choices. It can treat the request as if it had been submitted in accordance with one of the business's designated methods, or it can provide the consumer with instructions on how to properly submit the request through one of the business's designated methods.
Methods for Consumers to Submit Requests to Opt-Out
If a business sells consumers' personal information within the meaning of the CCPA, it must additionally make available to consumers certain specified methods for the consumer to exercise his or her right to opt-out of such sales. The business must provide at least two designated methods for submitting requests to opt-out. If the business operates a website or mobile app, at least one method must include an interactive form accessible via a clear and conspicuous link on the website or mobile app titled "Do Not Sell My Personal Information," or "Do Not Sell My Info."
Other acceptable methods for submitting these requests include, but are not limited to, a toll-free telephone number, a designated email address, a form submitted in person, a form submitted through the mail, or user-enabled global privacy controls (such as a browser plugin, privacy setting, device setting or similar mechanism that clearly communicates or signals the consumer's choice to opt out of the sale of their personal information).
At least one method offered for requests to opt-out must reflect the manner in which the business primarily interacts with the consumer. For example: if a business operates a website but primarily interacts with its customers in-person at a brick-and-mortar store, the business would need to offer a form that can be submitted in-person at the retail location in addition to the other methods it makes available for submitting requests to opt-out.
The proposed regulations emphasize that a business's methods for consumers to submit requests to opt-out must be easy to execute and require minimal steps to allow the consumer to opt-out. Additionally, a business must not utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer's decision to opt-out. Methods that require a lot of steps, take a lot of time, or are otherwise frustrating or difficult to navigate for consumers run afoul of both the spirit of the statute and the text of the proposed regulations, and businesses should design their request to opt-out submission processes accordingly.
Please note: If a business collects personal information from consumers online, the business must treat user-enabled global privacy controls, such as a browser plugin, privacy setting, device setting or other similar mechanism that clearly communicates or signals the consumer’s choice to opt out of the sale of their personal information, as a valid request to opt-out with respect to the applicable browser or device (and, if known, the consumer using the browser or device), regardless of whether the consumer has separately submitted a request to opt-out through one of the business's designated methods.
The CCPA does not specify how businesses should treat consumers' requests to opt-out that are not submitted through one of the business's designated methods. Until further guidance is provided, the business's safest course of action would be to comply with the consumer’s request to opt-out regardless of the form in which the request is submitted.
Required Employee Training
In the proposed regulations, businesses are required to provide certain training to individuals responsible for handling consumer requests under the CCPA. This training must cover the business's privacy practices, the business's CCPA compliance efforts, and how the employee should direct consumers to be able to exercise their rights under the CCPA.
Tip #6: Verifying Consumers' Identity in Requests to Know/Delete
Published Feb. 27. Updated April 2.
After receiving a consumer's properly submitted "request to know" or "request to delete," a business's first step is to verify the identity of the individual making the request. The concern, of course, is that a bad actor may pretend to be a particular consumer in order to gain unauthorized access to, or cause the unauthorized deletion of, that consumer's personal information. This Practice Tip will focus on the duty to establish reasonable methods to verify consumers' identities in connection with requests to know or delete and will provide some specific guidance for businesses.
The Burden to Verify
The CCPA and the proposed regulations place the burden on businesses to establish a "reasonable method" for verifying consumer identities in connection with consumer requests to know and requests to delete. This can put businesses in a difficult position. On one hand, businesses must comply with properly submitted and verifiable requests to know or delete, and they cannot create unreasonable hurdles for consumers submitting such requests. On the other hand, a business could be held responsible for a failure to "implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer's personal information." Verification procedures that are too difficult for consumers to navigate may cause them to complain or create a perception that the business is intentionally putting up barriers so as not to comply with the CCPA. But verification procedures that are not stringent enough may leave consumers' personal information exposed and violate the business's fraud prevention and data security obligations under the CCPA.
Precisely what constitutes a "reasonable method" for verifying identities is not spelled out in any detail in the text of the CCPA. The proposed regulations do provide a clear mechanism to verify a consumer's identity in the scenario where the consumer maintains a password-protected account with the business (described in further detail below), but for all other scenarios businesses are given only limited guidance and examples. Additional guidance may be forthcoming, whether in the form of revised regulations from the California attorney general, interpretations of the existing regulations through disputes worked out in the courts, or commonly understood "best practices" across the industry. In the meantime, a business will need to navigate this "verification" step with particular caution.
Identity Verification for Consumers with Password-Protected Accounts
According to the proposed regulations, if the consumer maintains a password-protected online account with a business through the business's website, mobile application or other online service, then the business may utilize this existing authentication process to verify the consumer's identity. Specifically, upon receiving a consumer's request to know or delete personal information, the business would ask the consumer to log in to their existing password-protected account so as to authenticate their identity by entering their username and password. Once the consumer has completed this step, the consumer could then be directed to submit their request to know or delete through a secure, self-service portal made available by the business for this purpose.
In this scenario, even if the consumer submits a request by calling in to the business's toll-free telephone number, using an online webform or any other method, the proposed regulations permit the business to respond by directing the consumer to log into their existing password-protected account to verify their identify and use the self-service portal. This approach has the dual advantages of utilizing the business's existing, secure online authentication practices and funneling all consumer requests through a single, consistent and efficient process, regardless of the origin of the request.
Identity Verification for Consumers without Password-Protected Accounts
For businesses that do not maintain password-protected accounts for consumers, it will be trickier to verify consumers' identities. The California attorney general's proposed regulations spell out some general requirements for how a business must work to verify the consumer's identity:
- Whenever feasible, the business must match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that performs this function. Depending on the type, sensitivity and value of the personal information involved, this includes matching at least two or three pieces of personal information provided by the consumer with the personal information already maintained by the business (two data points when handling less-sensitive information and three data points when handling more-sensitive information, where more stringent verification processes are advised). As a practical matter, to the extent possible, the business should rely on data points that a fraudulent or malicious actor could not easily obtain from publicly available sources (e.g., a telephone number or mailing address that would appear in the phone book or through a simple online search). As an example, if a retailer maintains a record of purchases made by a particular consumer, the retailer may require the consumer to identify items that the consumer recently purchased from the retailer or the dollar amount of the consumer's most recent purchase.
- The business generally should not request new information from the consumer for purposes of verification unless there is no other way to verify the consumer's identity to a reasonable degree of certainty. If the business must collect additional personal information to verify identity, it should delete that personal information as soon as practicable after processing the consumer's request.
- The business must avoid collecting the types of personal information specified in California's breach notification law (Civil Code Section 1798.81.5(d)) unless necessary for the purpose of verifying the consumer's identity. The breach notification law refers to particularly sensitive forms of personal information such as social security numbers, financial account numbers or drivers' license numbers.
- When working to verify the requestor's identity, the business should take into account the sensitivity and value of the personal information and the likelihood of fraudulent or malicious actors seeking out the personal information that would otherwise be disclosed in response to a request to know. For more sensitive or valuable forms of personal information (or information likely to be sought after by fraudulent or malicious actors), more stringent verification methods should be used.
- The business may not require a consumer to create a password-protected online account with the business solely for the purposes of verifying the consumer's identity in connection with a request to know or request to delete.
- The business may not require a consumer or the consumer's authorized agent to pay a fee in connection with verifying the consumer's request to know or request to delete. The example given by the proposed regulations is that a business may not require a notarized affidavit to verify the consumer's identity unless the business reimburses the consumer for the cost of notarization. This appears to prohibit requiring the consumer to incur separate costs in connection with verifying the consumer's request unless the business reimburses the consumer for the costs (in addition to prohibiting charging the consumer a fee directly to process the consumer's requests).
Requests to Opt-Out of Sales Are Different
Requests to opt-out of the "sale" (as defined in the CCPA) of a consumer's personal information are treated differently under the CCPA and do not need to be verified. Because the policy concerns of accidentally disclosing or deleting a consumer's personal information are not present, a business may deny a request to opt-out only if the business has a good-faith, reasonable and documented belief that the request is fraudulent. Even then, the business must notify the consumer that it will not comply with the request and explain why the business believes the request is fraudulent.
Tip #7: Responding to a Consumer's "Request to Know"
Published March 5
Under the CCPA, consumers have a right to request information about the personal information a business has collected about that consumer (a "request to know"). In connection with a valid, verifiable request to know, a consumer may request (and a business must provide in its response) one or more of the following pieces of information:
- The categories of personal information the business has collected about that consumer in the preceding 12 months;
- Specific pieces of personal information the business has collected about that consumer in the preceding 12 months;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting or selling the consumer's personal information;
- The categories of third parties with which the business shares personal information;
- The categories of personal information that the business sold in the preceding 12 months, and for each category identified, the categories of third parties to which it sold that particular category of personal information (or, if the business has not sold any of the consumer's personal information in the preceding 12 months, a statement to this effect); and
- The categories of personal information that the business has disclosed for a business purpose in the preceding 12 months, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information (or, if the business has not disclosed for a business purpose any of the consumer's personal information in the preceding 12 months, a statement to this effect).
General Guidance for Providing a Response
Additionally, a business is not permitted to charge a fee to the consumer in connection with the consumer's request to know. However, the business is only required to respond to a request to know from a particular consumer a maximum of two times in a 12-month period.
1. Requests for Categories of Personal Information
A consumer may request information about the "categories of personal information" the business has collected about the consumer. "Categories of personal information" refers to the categories described in our previously published CCPA Practice Tip #3: "identifiers," "characteristics of protected classifications," "commercial information," "biometric information," etc. If a consumer requests information about the "categories of personal information" the business has collected about the consumer, the business could respond by listing out the categories and indicating whether the business has collected any information about the consumer within the specified category. The purpose is to identify for the consumer, generally, the types of personal information the business has collected about the consumer.
2. Requests for Specific Pieces of Personal Information
A consumer may request the specific pieces of personal information the business has collected about the consumer. As an example, if the business collects the consumer's first and last name, and the consumer's first and last name is John Smith, then the business should respond by indicating that the business has collected "identifiers" about John Smith, including that 'John Smith" is the consumer's first and last name. As a further example, if the business has in its records that John Smith weighs 195 pounds, the business should respond by indicating that the business has collected "biometric information" about John Smith, including the fact that John Smith weighs 195 pounds. Keep in mind that specific information is only required to be disclosed to the consumer if it is maintained by the business in identifiable form, i.e., linked with or reasonably capable of being linked with a particular, identifiable consumer. The information is not "personal information" (and thus does not need to be disclosed in response to a valid request to know) if the information is maintained in de-identified or aggregated form only.
Notwithstanding the foregoing, the CCPA specifically states that, in connection with a request to know, a business should not at any time disclose a consumer's social security number, driver's license number or other government-issued identification number, financial account number, any health insurance or medical identification number, account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of the consumer's characteristics. In other words, in response to a request to know, the business (per items #1, #5, #6 and #7 in the list above) should indicate that it has collected this type of information and that it has sold or disclosed this type of information to third parties (and the categories of third parties to whom it has sold or disclosed the information), in each case where it is true, but the business should not (per item #2 in the list above) actually disclose the specific pieces of information in these prohibited categories to the consumer.
Under certain limited circumstances, a business is not required to exhaustively search its systems and records for specific pieces of personal information about a particular consumer in response to the consumer's request to know. This is true if all of the following conditions are met: (1) the business does not maintain the personal information in a searchable or reasonably accessible format, (2) the business maintains the personal information solely for legal or compliance purposes, (3) the business does not sell the personal information and does not use it for any commercial purpose, and (4) the business, in its response to the consumer, describes to the consumer the categories of records that may contain personal information that the business did not search because it met the conditions stated above.
3. Requests for Categories of Sources
A consumer may request the "categories of sources" from which the personal information is collected. This refers to the types or groupings or persons or entities from which a business collects personal information about consumers. Examples include from the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.
4. Requests for the Business Purpose and Commercial Purpose for Collecting or Selling the Consumer's Personal Information
A consumer may request to know the "business purpose" or "commercial purpose" that a business has for collecting or selling a consumer's personal information. These terms have specific meanings under the CCPA.
A "business purpose" is the use of personal information for the business's (or its service provider's) operational purposes, or for other notified purposes that are reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or to achieve another operational purpose that is compatible with the context in which the personal information was collected. Business purposes include the following:
- Auditing related to a current interaction with the consumer and concurrent transactions (such as counting ad impressions to unique visitors or verifying positioning and quality of ad impressions), and auditing compliance with this specification and other standards.
- Detecting security incidents and protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or its service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for or controlled by the business, and to improve, upgrade or enhance the service or device that is owned, manufactured, manufactured for or controlled by the business.
A "commercial purpose" is any use that advances a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, goods, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.
5, 6 & 7. Requests for Categories of Third Parties
A consumer may request the "categories of third parties" to whom the business has sold or disclosed for a business purpose the consumer's personal information. "Categories of third parties" refers to the types or groupings of third parties with whom the business shares personal information. Examples include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.
Tip #8: Responding to a Consumer's "Request to Delete"
Published March 12
Upon a business's receipt of a valid, verifiable request from a consumer to delete the personal information the business has collected about that consumer (a “request to delete”), the business must delete the consumer's personal information from its records, and it must direct any service providers with whom it has shared the consumer's personal information to do the same.
A business may "delete" the personal information by doing one of the following:
- Permanently and completely erasing the personal information on its systems. With respect to archived or back-up systems, the proposed implementing regulations permit the business to delay permanently and completely erasing the personal information until the archived or back-up system is restored to an active system or until the archived or back-up system is next accessed or used by the business for a sale, disclosure or commercial purpose (and otherwise the business may allow the personal information to be deleted in the ordinary course of the business's data retention policies for the archived or back-up system).
- De-identifying the personal information.
- Aggregating the information.
"De-identify" has a specific meaning under the CCPA. It means to make sure the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, and the business must also (1) implement technical safeguards and processes that prohibit and prevent re-identification, (2) implement processes to prevent inadvertent release of de-identified information and (3) make no attempt to re-identify the information.
"Aggregate" information is information that relates to a group or category of consumers, from which individual consumer identities have been removed, and that is not linked or reasonably linkable to any consumer or household, including via a device linked with the consumer or household.
Finally, the business must provide a written response to the consumer informing the consumer whether or not the business has complied with the request (see below and Practice Tip #9 for exceptions and grounds for denying a request) and state in such response that it will retain a record of the consumer's request as required by California Civil Code Section 1798.105(d) (see Practice Tip #9 for more information regarding recordkeeping requirements in connection with consumer requests).
Exceptions to Requests to Delete
This obligation to delete is not absolute. Notable exceptions where the business will be permitted to retain personal information, despite a valid, verifiable request to delete, include the following:
- The business needs to retain the information to detect security incidents or to protect against malicious, deceptive, fraudulent or illegal activity, or to prosecute those responsible for that activity. As an example, if the business offers a 30-day free-trial period for its online service or mobile app, the business would be permitted to retain personal information that is reasonably necessary to identify and prevent consumers from fraudulently repeating free-trial periods.
- The business needs to retain the information to fulfill the terms of a written warranty program (e.g., track and verify product purchases for this purpose) or otherwise perform a contract the business has with the consumer.
- The business needs to retain the information to complete a transaction or follow through on providing a product or service that is requested from the consumer.
- The business needs to retain the information to comply with the CCPA's requirement to keep a record of all consumer requests to know and requests to delete (see Practice Tip #9 for more information on recordkeeping requirements in connection with consumer requests).
- The business needs to retain the information for wholly internal uses that are reasonably aligned with the consumer's expectations based on its relationship with the business or is compatible with the context in which the consumer provided the information.
- The business needs to retain the information to comply with some other legal obligation.
Even if one or more exceptions apply, the business is still obligated to delete all personal information which is not necessary to be retained under the applicable exception(s), and the business must also implement a sunsetting mechanism for any personal information that is retained under an exception (i.e., delete the personal information when the exception no longer exists). For example, if a consumer purchased a product with a three-year warranty and then requests deletion of his or her personal information after six months, the business would be obligated to immediately delete all personal information that is not necessary for the business to process a potential future warranty claim (unless another, separate exception applies), and then, at the end of the third year when the warranty has expired, the business should delete the rest of the consumer's personal information. Further, the business is not permitted to use retained personal information for any purpose except for the purpose provided for by the relevant exception.
Next week's Practice Tip will take a step back and cover the general mechanics of responding to both requests to know and requests to delete, including the timing of the business's response, grounds for the business denying a request, and recordkeeping requirements imposed on the business by the CCPA.
Tip #9: Additional Requirements for Responding to Requests to Know/Delete
Published March 20
Previous installments in this CCPA Practice Tip Series have provided guidance on the specific requirements for responding to a consumer's request for information about the personal information a business has collected about that consumer (a "request to know") or for responding to a consumer's request to delete the personal information the business has collected about that consumer (a "request to delete"). This installment provides further guidance on requirements that apply across both types of requests, including the deadline for responding, grounds for denying requests, recordkeeping requirements, dealing with requests for household information and processing requests from a consumer's authorized agent.
Deadline for Responding to Requests
Upon receiving a valid, verifiable request to know or request to delete, the business must:
- Within 10 business days confirm receipt of the request and (unless the business is simultaneously responding by complying with the request or denying it) provide information about how the business will process the request, including a general description of the business's verification process and when the consumer should expect a response; and
- Within 45 calendar days respond to the request, either by complying with the request or denying the request.
A business may provide its initial confirmation in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given on the phone during the phone call with the consumer making the request.
If necessary, the business may take up to an additional 45 calendar days to respond to the request (for maximum total of 90 days from receipt of the request) so long as the business notifies the consumer and explains the reason the business needs additional time.
A business is not obligated to comply with a request to know or request to delete and may deny the request under the following circumstances:
- The request is not submitted through one of the business's designated methods;
- The business is unable to verify the consumer's identity to the degree of certainty required by the proposed regulations (which varies depending on the nature of the request and personal information involved, as summarized in Practice Tip #6);
- With respect to a request to delete only, one of the exceptions enumerated in California Civil Code Section 1798.105(d)(1)-(9) (and summarized in Practice Tip #8) applies; or
- The request conflicts with the business's obligations under another federal or state law.
The denial response must be submitted to the consumer in writing. If the business denies a consumer's request because it is not properly submitted, the business must at a minimum provide directions to the consumer on how to properly submit the request. If the business denies a consumer's request for any other reason, it must explain the basis for the denial (i.e., cite the exception that applies).
Finally, if the business denies a request to delete and that business also sells consumers' personal information, then, unless the business is aware that the consumer has already made a request to opt-out of sales of his or her personal information, the business must ask the consumer if the consumer would like to opt-out of such sales and include the contents of or a link to the business's "Do Not Sell My Personal Info" disclosure.
Businesses must maintain records of consumers' requests under the CCPA and how the business responded for at least 24 months. Each record should include the date of the request, the nature of the request, the manner in which the request was made, the date of the business's response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part. Information maintained for recordkeeping purposes may not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the CCPA. This information also may not be shared with any third party (other than any third parties that qualify as the business's "service providers" under the CCPA) except as necessary to comply with a legal obligation.
Requests to Access or Delete Household Information
The CCPA is unusual in that it defines personal information as information that relates to a particular consumer or household. One consequence is that a consumer's right to submit a request to know and request to delete technically provides the consumer with a right of access to (or a right to delete) the personal information of other members of the consumer's household. Businesses must comply with these requests, subject to the following further guidance provided in the proposed regulations:
- If a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and requests to delete relating to household information through the business's existing business practices and in compliance with the CCPA.
- If a household does not have a password-protected account with a business, a business shall not comply with a request to know specific pieces of personal information about the household or a request to delete household personal information unless all of the following conditions are satisfied: (1) all consumers of the household jointly request access to specific pieces of personal information for the household or the deletion of household personal information, (2) the business individually verifies the identities of each consumer of the household in the manner required by the CCPA and (3) the business verifies that each consumer making the request is currently a member of the household.
We recommend consulting with a Robinson Bradshaw attorney before responding to any request to know or request to delete as it pertains to household personal information.
Consumers' Use of Authorized Agents
Consumers are permitted to designate one or more authorized agents to make requests to know and requests to delete on their behalf. Businesses are permitted to require the authorized agent to submit proof that the agent has actually been authorized to act on the consumer's behalf. Additionally, if the authorized agent submits a request to know or request to delete on a consumer's behalf, the business is still permitted to require the consumer to verify the consumer's own identity using the business's typical verification process and require the consumer to directly confirm with the business that the consumer provided the authorized agent permission to submit the request, unless the consumer has provided the agent with a valid power of attorney (in which case the business is prohibited from separately requiring the consumer to take these additional actions).
We recommend consulting with a Robinson Bradshaw attorney before dealing with any requests to know or requests to delete purporting to come from a consumer's authorized agent.
Tip #10: Responding to Requests to Opt-Out
Published March 27
The past few Practice Tips have focused on requests to delete and requests to know. This Practice Tip will focus on how a business that sells consumers' personal information should respond to a consumer's request to opt-out of the sale of the consumer's personal information (a "request to opt-out"). Recall that Practice Tip #5 (Submission of Consumer Requests) describes methods a business must make available for consumers to submit requests to opt-out (assuming the business sells consumers' personal information).
General Timeline and Response
According to the proposed CCPA implementing regulations, a business that sells consumers' personal information must comply with a request to opt-out as soon as feasibly possible, but no later than 15 business days after the date the business receives the request.
Also according to the proposed regulations, in response to a request to opt-out, a business may present a consumer with the choice to opt-out of sales for only certain uses of the consumer's personal information as long as there is a global option to opt-out of all sales of the consumer's personal information and the global option is presented more prominently than the other choices.
To comply with a request to opt-out, the business must do the following:
- Going forward, refrain from selling personal information collected by the business about the consumer that made the request;
- Respect the consumer's decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer's personal information; and
- Per the proposed regulations, if a business sells the consumer's personal information to any third parties after the consumer submits his or her request but before the business actually complies with the request, the business must notify those third parties of the consumer's request to opt-out and direct those third parties not to sell that consumer's information.
Except in the very specific circumstances described in no. 3 above, a business is not required to notify third parties to whom the business has sold the consumer's personal information of the consumer's request to opt-out, nor is the business required to direct third parties to whom the business has sold the consumer's personal information to refrain from further selling the consumer's personal information.
As with requests to know and requests to delete, a business must maintain records of consumer's requests to opt-out and how the business responded to those requests for at least 24 months. Please see Practice Tip #9 for a summary of the CCPA recordkeeping requirements applicable to consumer requests.
Limited Reasons for Denying a Request to Opt-Out
Neither the CCPA nor the proposed regulations specify how a business should treat consumers' requests to opt-out that are not submitted through one of the business's designated methods. Therefore, until further guidance is provided, a business's safest course of action would be to comply with a consumer's request to opt-out regardless of the form in which the request is submitted.
A request to opt-out does not have to be verifiable. However, a business may deny a request to opt-out if the business has a good-faith, reasonable and documented belief that a request to opt-out is fraudulent. Even then, the business must inform the requestor that it will not comply with the request and provide an explanation for why it believes the request is fraudulent.
Finally, a consumer may designate an authorized agent to submit a request to opt-out on the consumer's behalf if the consumer provides the authorized agent signed, written permission. A business may deny a request if an authorized agent fails to submit proof that the agent is authorized by the consumer. However, the proposed regulations state that a global privacy control that signals a consumer's choice to opt-out of the sale of their personal information will be considered a request directly from a consumer and not as being submitted by an authorized agent.
User-Enabled Global Privacy Controls and Requests to Opt-Out
It is worth noting again that the proposed regulations permit requests to opt-out to be submitted through a user-enabled global privacy control (such as a browser plug-in, privacy setting or device setting) if the business collects personal information from consumers online and so long as the privacy control clearly communicates or signals that a consumer intends to opt-out of the sale of personal information. If a consumer's browser or device signals or communicates the consumer's choice to opt-out of the sale of the consumer's personal information, then the business must treat this the same as a request to opt-out received directly from the consumer and respond accordingly.
According to the proposed regulations, if the signal or communication from a global privacy control conflicts with the consumer's existing business-specific privacy settings or the consumer's participation in a business's financial incentive program, the business must still comply with the request to opt-out submitted in this fashion, but may notify the consumer of the conflict and give the consumer the choice to confirm the consumer's business-specific privacy setting or participation in the financial incentive program.
Opting Back In
Consumers may be given the choice to opt back in to the sale of their personal information, but such choice must be a two-step process where the consumer needs to (1) clearly request to opt-in to the sale of their personal information and (2) separately confirm their choice to opt-in.
If a consumer who submitted a request to opt-out later initiates a transaction or attempts to use a service that requires the sale of the consumer's personal information, the business should inform the consumer that the transaction or service requires the sale of their personal information and provide instructions on how to opt-in to the sale of their personal information using the business's two-step process.
Tip #11: Data Security Obligation
Published April 2
The CCPA and California Civil Code Section 1798.81.5 give businesses an affirmative "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect [a consumer’s] personal information." This duty can be enforced by the California attorney general just like other parts of the CCPA. However, this duty can also be enforced by the consumer directly through a limited private right of action. The CCPA provides that where a business's violation of the duty of reasonable security leads to unauthorized access and exfiltration, theft, or disclosure of a consumer's non-encrypted and non-redacted personal information, then under certain circumstances that consumer would be able to sue the business for statutory damages of not less than $100 and up to $750 per incident (or actual damages, if they are greater) and other court-ordered relief. This could pave the way for class action lawsuits based on data breaches, with a potential award calculated by the number of consumers affected. Thus, businesses should be prepared to demonstrate how they have complied with the "duty to implement and maintain reasonable security procedures and practices."
Notably, neither the CCPA nor Section 1798.81.5 defines what would constitute "reasonable security" to satisfy this duty. The answer will depend, in part, on the type, amount and sensitivity of the personal information; on available technology and on what are considered "industry standard" and "best practices" within the business's industry. Notably, in her 2016 data breach report, then-California Attorney General Kamala Harris explained that "[a]uthoritative security standards describe the measures that organizations should take to achieve an appropriate standard of care for personal information" and specifically concluded: "The 20 controls in the Center for Internet Security's Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security." Accordingly, at a minimum, businesses should map their data security program onto an authoritative security standard such as the Center for Internet Security's Critical Security Controls. However, a business should also consider working with a reputable data security firm to ensure that its security procedures and practices meet or exceed the best practices and authoritative frameworks for the relevant industry.
Section 1798.81.5 also specifies that a business that discloses personal information under a contract with an unaffiliated third party must in the contract require the third party to adhere to the same duty of reasonable security. Thus, businesses should conduct an audit of relevant third-party contracts to ensure they properly address data security.
Tip #12: Service Providers and the CCPA
Published April 10
For the most part, the CCPA's requirements only apply directly to the business "that collects consumers' personal information or on behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information." But very often businesses engage other parties to help them process consumers' personal information, such as a payment processor, a hosting services provider, or a provider of cloud-based software to help with customer relationship management or managing support services requests. Businesses covered by the CCPA must get these service providers to sign written contracts featuring specific contractual provisions. Businesses that fail to do so risk having any transfers of personal information to such parties be deemed a "sale" of that information (triggering additional compliance obligations) or being held directly liable for such parties' misconduct. This Practice Tip explores businesses' obligations with respect to the service providers they engage to process personal information on their behalf, as well as service providers' own, limited set of direct obligations under the CCPA.
"Service Provider" Defined
Under the CCPA, a "service provider" is a for-profit entity that processes consumers' personal information on behalf of a business while performing services specified in a written contract with the business. The written contract must, at a minimum:
- Prohibit the service provider from selling the personal information (within the meaning of the CCPA);
- Prohibit the service provider from collecting, retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including collecting, retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract;
- Prohibit the service provider from retaining, using or disclosing the personal information outside of the direct business relationship between the service provider and the business; and
- Include a certification by the service provider that the service provider understands these restrictions and will comply with them.
In addition, if the service provider will be handling information that constitutes "personal information" as more narrowly defined by California Civil Code Section 1798.81.5 (see Practice Tip #11), then the written contract must also include a requirement for the service provider to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, exfiltration, theft or disclosure.
Often the above-described contractual provisions will appear in an appendix or exhibit to the written services contract between the business and service provider, commonly called a CCPA Addendum.
As clarified in the proposed CCPA implementing regulations, service providers do not themselves have to qualify as a business as defined by the CCPA in order to be a "service provider" under the CCPA.
Negotiating a CCPA Addendum
Although not specifically required like the above four provisions, businesses should also consider adding the following additional provisions to a CCPA Addendum:
- An obligation for the service provider to cooperate with the business in handling consumers' requests under the CCPA, and procedures for how the business and service provider will handle such requests.
- An obligation for the service provider to require each of its own service providers to agree in writing to similar requirements (to ensure that any sub-level service providers will be deemed "service providers" as defined by the CCPA, too).
- A requirement for the service provider to implement and maintain reasonable security procedures and practices, as described above (regardless of whether the personal information to be handled by the service provider constitutes "personal information" as more narrowly defined by California Civil Code Section 1798.81.5).
- Indemnification by the service provider for failure to comply with the CCPA Addendum.
In turn, service providers often will want to clarify in the CCPA Addendum (as the proposed regulations permit) that the service provider may also use the personal information:
- To engage another service provider as a subcontractor, provided that the subcontractor in turn meets the requirements of a "service provider" under the CCPA;
- For internal use to build and improve the quality of its services (subject to certain restrictions spelled out in the proposed regulations);
- To detect data security incidents and protect against fraudulent or illegal activity;
- To comply with applicable law or a subpoena, summons, investigation or inquiry by a governmental authority;
- To cooperate with law enforcement agencies concerning conduct or activity that may violate the law; or
- To exercise or defend legal claims.
Why Businesses Should Want to Confirm the "Service Provider" Status of Third-Party Providers
As described in further detail in Practice Tip #3, a business's transfer of a consumer's personal information to a "service provider" is not a sale of the information under the CCPA. Businesses that sell consumers' personal information are subject to additional compliance obligations under the CCPA. These additional requirements do not apply to transfers made to "service providers."
Additionally, under the CCPA a business is insulated from liability in the case where its "service provider" uses personal information in violation of the CCPA's restrictions. The service provider will be directly liable for such violations. By contrast, a business that transfers a consumer's personal information to some other third party that is not a "service provider" could be found to be secondarily liable for the misconduct of that third party.
Service Providers' Direct Obligations Under the CCPA
Service providers have few direct obligations under the CCPA and the corresponding proposed regulations. The obligations are limited to the following:
- When a business receives a verifiable request to delete from a consumer, and the business directs the service provider to delete the consumer's personal information from its records as required by the CCPA, service providers must comply, subject to the exceptions set forth in Cal. Civil Code Section 1798.105(d) (and discussed in further detail in Practice Tip #8).
- According to the proposed regulations, the service provider has a direct CCPA-mandated duty (i.e., separate and apart from the service provider's contractual obligations under a CCPA Addendum) not to retain, use or disclose personal information obtained in the course of providing services except in compliance with the written services contract with the business or for the purposes enumerated above.
- A service provider must not sell data on behalf of a business after a consumer has opted-out of the sale of the consumer's personal information with the business.
- If a service provider receives a request to know or request to delete directly from a consumer, the service provider must either (1) act on behalf of the business in responding to the request, or (2) inform the consumer that the request cannot be acted upon because the request has been sent to a service provider and not to the business that is in charge of the consumers' personal information.
Service providers can be held directly liable under the CCPA for violating the requirements that are directly applicable to service providers. However, service providers are not liable under the CCPA for violations of the CCPA by the business for which it provides services.
Tip #13: Treating Consumers Differently
Published April 30
To encourage the free exercise of CCPA rights, the CCPA prohibits a business from treating a consumer differently based on the consumer's exercise of CCPA rights – called "discriminating" in the statute. As explained in the CCPA, this would include treating the consumer differently by (1) denying goods or services to the consumer, (2) charging different prices or rates for goods or services, (3) providing a different level of quality of goods or services, or (4) suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. However, somewhat paradoxically, the CCPA further provides that a business may offer financial incentives (e.g., paying a consumer) for the collection, sale or deletion of personal information, and may offer different prices, rates, levels or quality of goods or services to the consumer if that price or difference is directly related to the value of the customer's data to the business. This Practice Tip will focus on how businesses navigate these challenging CCPA provisions, such as with membership or rewards programs.
The text of the CCPA provides no further guidance on how to implement this requirement that treating a consumer differently based on the consumer's exercise of CCPA rights must be "directly related to the value provided to the business by the consumer's data." However, the California attorney general provided some guidance with the release of the proposed implementing regulations and the subsequent modifications. The proposed regulations require that a business offering a financial incentive or difference in price or quality based on the consumer's exercise of CCPA rights may do so only if "it is reasonably related to the value of the consumer's data," and the business must "use and document a reasonable and good faith method for calculating the value of the consumer's data." Furthermore, the proposed regulations provide that this method of calculation must consider one or more of the following factors:
- The marginal value to the business of the sale, collection or deletion of a consumer's data;
- The average value to the business of the sale, collection or deletion of a consumer's data or a typical consumer's data;
- The aggregate value to the business of the sale, collection or deletion of consumers' data divided by the total number of consumers;
- Revenue generated by the business from the sale, collection or retention of consumers' personal information;
- Expenses related to the sale, collection or retention of consumers' personal information;
- Expenses related to the offer, provision or imposition of any financial incentive or price or service difference;
- Profit generated by the business from sale, collection or retention of consumers' personal information; and
- Any other practical and reasonably reliable method of calculation used in good-faith.
In addition to spelling out this framework, the proposed regulations provide four "illustrative examples" that suggest how the California attorney general will approach enforcement of the anti-discrimination provision of the CCPA:
- Example 1: A music streaming business offers a free service as well as a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale of their personal information, then the practice is discriminatory (and thus prohibited by the CCPA), unless the $5-per-month payment is reasonably related to the value of the consumer's data to the business.
- Example 2: A clothing business offers a loyalty program whereby customers receive a $5-off coupon to their email address after spending $100 with the business. A consumer submits a request to delete all personal information the business has collected about them but also informs the business they want to continue to participate in the loyalty program. The business may deny their request to delete as their email address and the amount the consumer has spent with the business because that information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business's ongoing relationship with them.
- Example 3: A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt-out of the sale of their personal information. The retailer complies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory (and thus prohibited by the CCPA) unless the grocery store chain can demonstrate that the value of the coupons and special discounts are reasonably related to the value of the consumer's data to the business.
- Example 4: An online bookseller collects information about consumers, including their email addresses. It offers discounts to consumers through browser pop-up windows while the consumer uses the bookseller's website. A consumer submits a request to delete all personal information that the bookseller has collected about them, including their email address and their browsing and purchasing history. The bookseller complies with the request but stops providing the periodic coupons to the consumer. The bookseller's failure to provide coupons is discriminatory (and thus prohibited by the CCPA) unless the value of the coupons are reasonably related to the value provided to the business by the consumer's data.
Notably, the California attorney general's examples fail to illustrate how the business in each scenario reasonably calculated the value of the consumer's data. However, the second example illustrates an important exception, clarified in the proposed regulations, that a business's denial of a consumer's request to know, request to delete or request to opt-out for reasons permitted by the CCPA or the proposed regulations would not be considered discriminatory. Similarly, the proposed regulations clarify that a price or service difference that is the direct result of compliance with a state or federal law also will not be considered discriminatory. The underlying logic here seems to be that such price or service differences are not retaliation against the consumer for exercising CCPA rights.
Tip #14: Government Enforcement
Published June 4
The California attorney general may begin enforcing the CCPA on July 1, 2020. This may include making investigative demands and initiating enforcement actions against businesses for violating the CCPA. Furthermore, consumers have already begun filing lawsuits under the CCPA's limited private right of action for a data breach resulting from a business's violation of the duty of reasonable security discussed in Practice Tip #11. This Practice Tip will focus on the enforcement of the CCPA by the California attorney general, whereas a later Practice Tip will discuss private litigation under the CCPA.
The CCPA grants enforcement authority to the California attorney general. Although it went into effect on Jan. 1, 2020, the CCPA provides that the attorney general may not commence enforcement until the earlier of July 1, 2020, or six months after the publication of final regulations. As no final regulations were published by the spring of 2020, the California attorney general will be able to commence enforcement on July 1. A coalition of businesses sent an open letter in March calling for the start of enforcement to be postponed in light of the COVID-19 public health emergency, but the California attorney general responded that he had no plans to delay enforcement.
Notably, the investigation of the business would likely begin well before the California attorney general files a civil action or even provides notice of alleged noncompliance. As detailed in Cal. Gov. Code § 11181, the attorney general has a number of "pre-litigation" investigative powers at his disposal, including the authority to inspect and copy business records and other materials; to issue subpoenas requiring the production of such materials; to promulgate interrogatories; and to issue subpoenas for witness testimony. A business that receives such demands would be obligated to comply and could face penalties for refusing to cooperate. For example, the California attorney general sued Facebook last year to enforce a subpoena and interrogatories which the attorney general had served on the social media giant to investigate its privacy practices.
In regard to penalties for violating the CCPA, the law provides that any business, service provider or other person that violates the statute will be liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation. In addition, for its requirement that data brokers register as such with the California attorney general, the CCPA provides that a data broker failing to register as required will be subject to injunction and liable for (i) a civil penalty of $100 per day of non-registration along with (ii) any unpaid fees and (iii) the expenses incurred by the California attorney general to investigate and prosecute the enforcement action.
In considering one's potential liability, a great deal may depend on how "intentional" and "for each violation" are interpreted in this context. Neither the CCPA nor the California attorney general's proposed regulations provide any explanation – though the statutory penalty of $100 per day for unregistered data brokers suggests the possibility of penalizing separate days of noncompliance as separate violations. A violation of the CCPA impacting multiple consumers might also be argued to warrant penalties for separate violations. However it unfolds, this will be another important issue to watch closely as the California attorney general begins bringing enforcement actions and courts begin imposing penalties.
Tip #15: Consumer Litigation
Published July 16. This tip was prepared with the assistance of Lauren Jones, a rising 3L student at Vanderbilt University Law School.
In addition to the general enforcement by the California attorney general, the CCPA provides a limited private right of action to enforce the CCPA through private civil litigation concerning data breaches. Broadly speaking, the CCPA sometimes allows a consumer to bring a civil lawsuit where a business's violation of the duty of reasonable data security described above in Practice Tip #11 leads to a breach of the consumer's non-encrypted and non-redacted personal information. This final Practice Tip in our series will explore the contours and implications of this limited private right of action for data breaches.
In contrast to other parts of the CCPA, the limited private right of action for data breaches concerns a narrower definition of personal information taken from California's breach notification statute. In this context, the term "personal information" includes an individual's first name or initial and last name in combination with any of the following data elements (when either the name or the data elements are not encrypted or redacted):
- Social security number;
- Driver's license number, California identification card number, tax identification number, passport number, military identification number or other unique identification number issued on a government document commonly used to verify the identity of a specific individual;
- Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account;
- Medical information;
- Health insurance information; or
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, used to authenticate a specific individual.
The CCPA provides that, when such personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business's violation of the duty of reasonable data security described in Practice Tip #11, then the consumer may bring a civil action for any of the following:
- To recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater;
- Injunctive or declaratory relief; and
- Any other relief the court deems proper.
Regarding the amount of statutory damages to award, the CCPA requires the court to consider one or more relevant circumstances presented by any of the parties, including the following:
- Nature and seriousness of the misconduct;
- Number of violations;
- Persistence of the misconduct;
- Length of time over which the misconduct occurred;
- Willfulness of the defendant's misconduct; and
- Defendant's assets, liabilities and net worth.
The availability of statutory damages is significant, as data breach lawsuits are often stymied by the challenge of proving actual damages from a breach of personal information when that information has not yet been exploited for identity theft. In particular, the availability of statutory damages makes it far easier to bring a class action lawsuit on behalf of the set of consumers whose personal information was compromised during a data breach.
Perhaps with this in mind, the CCPA created an extra hurdle for lawsuits to recover statutory damages. The statute provides that, prior to being able to sue for individual or class-wide statutory damages, a consumer must provide the business 30 days' written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated. Then, in the event a cure is possible, the business can avoid facing a lawsuit for individual or class-wide statutory damages if, within the 30 days, the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur. However, if the business later violates the express written statement, then the consumer may bring an action for individual or class-wide statutory damages to enforce that express written statement and any subsequent CCPA violation covered by the limited private right of action. Of course, it remains to be seen what types of CCPA violations may be "cured" so as to foreclose class action litigation following a data breach, as well as how plaintiffs and defendants will navigate these pre-litigation requirements of written notice of an alleged violation and of an express written statement of the cure and compliance. In the first class action lawsuit under the CCPA's limited private right of action, Fuentes v. Sunshine Behavioral Health, No. 8:20-cv-00487-JLS-JDE (C.D. Cal.) filed on Mar. 10, 2020, the court has not yet addressed these issues at the time of writing.
Finally, the CCPA emphasizes the limited nature of this limited private right of action for data breaches, stating that "[t]he cause of action established by this section … shall not be based on violations of any other section of this title" and "[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law." Notwithstanding, numerous lawsuits filed after the CCPA went into effect on Jan. 1, 2020, have looked for ways to broaden the scope of CCPA enforcement through private litigation. For example, in Burke v. Clearview AI, Inc., No. 3:20-cv-00370 (S.D. Cal.), a putative class action filed on Feb. 27, 2020, alleges violations of the CCPA's requirement for consumer notice in order to seek relief under California's Unfair Competition Law – which allows class actions to enjoin unfair, fraudulent or unlawful business practices, and recover restitution and attorney's fees.
Added to the uncertainty from early CCPA litigation, there are ongoing efforts to expand the scope of the limited private right of action. In particular, the same group whose ballot initiative led to the CCPA's enactment in 2018 announced on May 4, 2020, that they have been able to collect enough signatures to add their proposed California Privacy Rights Act (CPRA) to the November 2020 ballot in California. Among many other legal changes, this initiative would expand the scope of "personal information" under the CCPA's limited private right of action to include a consumer's username or email address in combination with a password or security question and answer that would permit access to an online account.
Attorneys at Robinson Bradshaw will continue to monitor developments related to the CCPA and other state, federal and foreign privacy and data protection laws affecting our clients. Click here to subscribe to our Cybersecurity & Privacy list and receive future updates via email, including our ongoing series of quarterly legal updates that highlight noteworthy developments of cybersecurity and privacy law from the previous quarter.