To the surprise of some, the proposed CCPA Regulations issued last Thursday don’t address many of the well-discussed ambiguities under the law (such as what “valuable consideration” means in the context of a sale of personal information). Rather, the proposed Regulations address a number of technical, nuts-and-bolts compliance issues concerning how businesses must make required privacy disclosures, provide opt-out notices, and verify and respond to consumer requests.
We’ll discuss the issues the proposed Regulations don’t address in a future post. But for now, we turn our attention to specific sections of the proposed Regulations, highlighting any new legal compliance issues the proposed Regulations raise.
We’ll start with Article 2, which covers “Notices to Consumers”. The CCPA requires that businesses disclose to consumers at or before the time of collection the categories of personal information to be collected from consumers and the purposes for which the personal information will be used. Businesses are prohibited from collecting or using personal information that is not disclosed prior to collection, and must obtain explicit consent from the consumers for any new use that was not previously disclosed.
Online v. Offline Disclosures
The first point to note about the Notice provisions of the proposed Regulations is that they explicitly differentiate between online and offline privacy notices. This clarifies an ambiguity in the CCPA itself, which requires notice at or before collection but doesn’t explain how businesses can provide notices online and offline.
Here’s what the proposed Regulations say about the mechanics of providing Notice:
Notice of information collected from consumers and business or commercial use of such personal information:
- Must be provided prior to collection of any personal data. Different, and non-exclusive, options include providing Notice in paper disclosures or providing an in-store poster with a URL for the Notice.
- If the business sells personal information, it must furnish a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link in the Notice.
- The business must provide the URL for the webpage to which the “Do Not Sell My Personal Information” or “Do Not Sell My Info” links direct users.
It is likely that many businesses had not considered online accessibility issues before the proposed Regulations came out. Many businesses have gone through an ADA website accessibility analysis in the past. Those who have not should consider doing so now.
New Attestation Requirements
The fourth and final provision of Article 2 that’s noteworthy appears in section (d), which makes clear that a business that does not collect information directly from consumers does not need to provide a Notice of collection. Before selling any such personal information, however, the business must either:
- Contact the consumer directly to provide the required Notice, and Notice of Opt-Out; or
- Contact the source of the personal information, confirm that the source provided the required Notice, and obtain a signed attestation describing how the source gave the Notice at collection, along with an example of the Notice.
The upshot of this new requirement is that businesses that sell or share data with third-party data brokers, lead generators, or others in the business of selling data can expect to receive requests from these third parties for attestations. For such businesses, it may make sense to consider the content and format of the attestations, as well as how they might automate the process of providing them if the volume is likely to be significant.
In our next post, we will address the new verification procedures outlined in the proposed Regulations.