Where should businesses focus their compliance efforts?
On Oct. 10, 2019, the California attorney general released the proposed regulations for the California Consumer Privacy Act (CCPA). The proposed regulations dictate the spirit of what the final CCPA will likely entail. The regulations provide guidelines on five primary areas: 1. Notice to the Consumer; 2. Business Practices for Handling Consumer Requests; 3. Verifications of Requests; 4. Minors; and 5. Non-Discrimination.
1. Notice to the Consumer: The proposed regulations document four types of notice requirements. The notice requirements are very similar to the European Union’s General Data Protection Regulation. The notice needs to be presented to the consumer in a way that is easily understandable and accessible or visible. The proposed regulations also include the content requirements for each type of notice.
2. Business Practices for Handling Consumer Requests: The proposed CCPA regulations confirm various rights for consumers, including the right to know about the collection, sale, and disclosure of their personal information, the right to opt out of the sale of their personal information, and a limited right to request that their personal information be deleted. A brief description of the consumer requests that a business needs to respond to as part of its CCPA compliance requirements is provided below.
3. Verification of Requests: The proposed regulations state that a business needs to verify the identity of a requesting consumer using the consumer information it already holds. This means the business needs to avoid collecting additional personal information for identity verification where possible. The regulations give the business flexibility in designing its identity-verification process. While designing that process, the business needs to be cognizant of the type, sensitivity, and value of the personal information involved. The process needs to be rigorous where sensitive and/or valuable personal information is involved.
4. Minors: The proposed regulations prescribe guidelines around handling a minor’s data. Specifically, where the minor is under the age of 13 years, affirmative confirmation is required from a parent or guardian before the sale of the minor's personal information. The regulations prescribe methods for confirming that the person providing consent is the child’s parent or guardian.
5. Non-Discrimination: The proposed regulations provide a methodology for businesses to calculate the value associated with the personal information of the consumer. A business can calculate the value of consumer information using marginal value, average value, revenue generated, profit generated, or expense incurred.
While the regulations are open to public comment through Dec. 6, 2019, and we may expect a few additional clarifications, the broader contour of the requirements is likely not going to change. Organizations should continue to focus on CCPA compliance activities without waiting for the public comment period to end. Businesses that have not initiated their CCPA compliance effort should start as soon as possible. These businesses should consider starting by performing a current-state assessment to evaluate the institution's preparedness to comply with the CCPA requirements. Businesses that are further along the journey should focus on implementing consumer rights and complying with the transparency obligations outlined within the regulations. These businesses should develop a personal data inventory if they have not already done so and define the requirements for their consumer rights solution.