Analysis of Modified Attorney General Regulations to CCPA – Part 2: Business Practices for Handling Consumer Requests
Overview:
We previously provided insights into this important portion of the regulations here. In this installment we address important revisions provided by the AG’s office to Article 3 of these regulations, several of which will have far reaching implications.
Below please find an overview of particularly relevant changes:
- Businesses that only operate exclusively online and collect personal information form consumers with whom they have a direct relationship, will only be required to be provide an email address for requests to know, as opposed to two or more methods, one of had to be a toll-free phone number.
- Business are no longer required to use a two-step process for online requests to delete, consisting of the submission of the request and a confirmation. Instead, the two-step is optional.
- Businesses that cannot verify the consumer within 45 days of a request to know or delete may deny the request.
- Businesses no longer have the same responsibilities to search for personal information when responding to a request to know. Businesses do not need to search for personal information that is not maintained in a searchable or reasonably accessible format, is only maintained for legal or compliance purposes and is not sold or used for a commercial purpose. If each of these conditions are met, the business may instead describe to the consumer the categories of records that it did not search because these conditions were applied.
- Businesses shall not disclose in response to a request to know unique biometric data generated from human characteristics.
- When responding to a request to know categories of personal information, businesses must now include additional information regarding the categories.
- When responding to requests to delete, businesses must now ask the consumer if they would like to opt out of the sale of their personal information, and provide the opt-out link or notice. Businesses no longer have to treat all unverifiable requests to delete automatically as requests to opt-out.
- Service providers are restricted from processing personal information received from a business except to: (1) perform services in the contract with the business that provided the personal information, (2) engage a different service provider as a subcontractor, (3) use the data internally to build or improve the quality of its services; (4) protect against fraudulent or illegal activity and detect data security incidents or; (5) process in accordance with certain exemptions to the CCPA. Additionally, the requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business has been eliminated. Instead service providers are permitted but not required to respond directly.
Key Elements
§ 999.312 “Methods for Submitting Requests to Know and Requests to Delete”
Businesses that only operate online, and have a direct relationship with the consumers from which they collect personal information now only have to provide an email address for requests to know. However, interestingly, businesses will still need to provide two or more methods for submitted requests to delete, one of which may be the email address.
Businesses that interact with consumers in person “shall consider” but are not required to provide an in-person method such as a printed form to be submitted directly, or by mail, or a tablet or computer portal, or a phone that the consumer can use to call the business’s toll free number. This changes the earlier requirement that at least one method would reflect the manner in which the business primarily interacts with the consumer.
§ 999.313. Responding to Requests to Know and Requests to Delete
Confirmation: Confirmations of a request to know or delete may be provided in the same manner in which the request was received.
Verification: Businesses that cannot verify a consumer within the 45 day period given to respond to a request to know or delete may deny the request.
Searching for personal information when responding: Businesses no longer have the same responsibilities to search for personal information when responding to a request to know. Businesses do not need to search for personal information that is not maintained in a searchable or reasonably accessible format, is only maintained for legal or compliance purposes and is not sold or used for a commercial purpose. If these conditions are met, the business may instead describe to the consumer the categories of records that it did not search because these conditions were applied.
Responding to requests to know and delete generally:
Businesses shall not disclose in response to a request to know unique biometric data generated from human characteristics.
Additional guidance has been provided regarding requests to know categories of personal information. The business must now explicitly provide categories of information collected in the past 12 months, which of these categories it has sold to others, and for each of these sold categories, the categories of third parties the category was sold to, along with any categories it disclosed for a business purpose, and to which categories of third parties these disclosures were made.
When responding to at least unverifiable requests to delete, businesses must now ask the consumer if they would like to opt out of the sale of their personal information, and provide the opt-out link or notice. Businesses no longer have to treat all unverifiable requests to delete automatically as requests to opt-out.
§ 999.314. Service Providers
New, narrower scope of processing for service providers: Service providers are restricted from processing personal information received from a business except to: (1) perform services in the contract with the business that provided the personal information, (2) engage a different service provider as a subcontractor, (3) use the data internally to build or improve the quality of its services; (4) protect against fraudulent or illegal activity and detect data security incidents or; (5) process in accordance with certain exemptions to the CCPA.
Service providers can choose to respond to a consumer rights request or refer the consumer to the business: The requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business has been eliminated. Instead service providers are permitted but not required to respond directly.
Service providers are bound by opt-outs: Further, service providers cannot sell data on behalf of a business if the consumer has already opted out of the sale of the personal information.
§ 999.315. Requests to Opt-Out
Opt-out method must be easy: Businesses must use an opt-out method that is easy for consumers and requires minimal steps. Businesses are specifically prohibited from using a method designed to subvert or impair a consumer’s decision to opt-out.
Privacy control requirements and conflicts: The regulations previously provided for privacy controls that a consumer could use to signal to the business their request to opt-out of the sale of their personal information. Now the regulations have provided the mechanism must clearly communicate this consumer intent, and that the control require that the consumer affirmatively select the opt-out choice, and not use pre-selected settings. If the control conflicts with a narrower existing business specific setting or participation in a financial incentive program, the business must still respect the control, but is afforded the option to notify the consumer of the conflict and provide an option to confirm the business specific control or participation in the financial incentive program.
Opt-Out Granularity: Businesses are now allowed to present the consumer a choice to opt-out of the sale of certain uses instead of categories of personal information, as long as the global option is still more prominent.
Business responsibilities after consumer submits opt-out but before the business complies with it: The regulations now clarify that opt-outs are to be complied within 15 business days. A significant additional change: businesses will not need to notify third parties to whom they sold the consumer’s data within 90 days. Instead, if the business sells the personal information of a consumer that has opted out within the 15 day period before it has complied with the request it shall direct any third parties that it has sold the personal information not to further sell the consumer’s information. The requirement that the consumer be notified of this has been removed.
Authorized Agents: The written permission provided to the authorized agent must now be signed by the consumer. The method of signature is not provided.
§ 999.316. Requests to Opt-In After Opting Out of the Sale of Personal Information
Consumers who opt-out of the sale of their personal information when the sale is required for a transaction or to use a product or service: If a consumer opts-out of the sale of their personal information when this sale is required for a transaction initiated by the consumer or for the use of a product or service, the businesses may inform the consumer of this and provide instructions to opt-in.
§ 999.317. Training; Record-Keeping
Reasonable security measures required for records: The business must maintain reasonable security procedures and practices for maintained records.
Use of records: The regulations clarify that maintained records may be used as reasonably necessary for compliance with the CCPA and these regulations, but may not be shared with any third party.
Additional record keeping requests: The additional metrics required to be kept are now imposed on those businesses who buy, receive, sell or share the personal information of 10,000,000 consumers in a calendar year. Previously, this number had been set at 4,000,000.
§ 999.318. Requests to Access or Delete Household Information
Household does not have a password protected account: Where the household is using an account with the business that is not password protected, the business is prohibited from complying with a request to know specific pieces of personal information or a request to delete household information, unless (1) each consumer in the household jointly makes the request, each household member is verified, and the business is able to verify that each member making the request is currently a member of the household.
Individual consumer has a password protected account that collects household information: Where the consumer has a password protected account that collects personal information about the household, the business is permitted to process requests to know and delete in compliance with the regulations and its practices.
Member of a household under the age of 13: If a household member is under the age of 13, then the businesses must obtain verified parental consent before complying with a request to know or delete specific information as provided by the parental consent provisions of the regulations.
Note that the revisions also clarify that a “household” means those who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.
Recommendations:
Businesses will need to retool certain aspects of their currently deployed right to know and delete process flows based on these changes. Other process flows, such as their opt-outs and training and record keeping will need to be reviewed as well.
Additionally, affected entities will want to review their existing service provider addendums to ensure that best practices in light of the new guidance regarding the scope of service provider processing of personal information are met.
Further, businesses and other interested parties should pay close attention to the changes described above regarding opt-outs, training and record keeping, and fulfilling requests involving households.