To the surprise of some, the proposed CCPA Regulations issued last Thursday don’t address many of the well-discussed ambiguities under the law (such as what “valuable consideration” means in the context of a sale of personal information). Rather, the proposed Regulations address a number of technical, nuts-and-bolts compliance issues concerning how businesses must make required privacy disclosures, provide opt-out notices, and verify and respond to consumer requests.

We’ll discuss the issues the proposed Regulations don’t address in a future post. But for now, we turn our attention to specific sections of the proposed Regulations, highlighting any new legal compliance issues the proposed Regulations raise.

We’ll start with Article 2, which covers “Notices to Consumers”. The CCPA requires that businesses disclose to consumers at or before the time of collection the categories of personal information to be collected from consumers and the purposes for which the personal information will be used. Businesses are prohibited from collecting or using personal information that is not disclosed prior to collection, and must obtain explicit consent from the consumers for any new use that was not previously disclosed.

Online v. Offline Disclosures

The first point to note about the Notice provisions of the proposed Regulations is that they explicitly differentiate between online and offline privacy notices. This clarifies an ambiguity in the CCPA itself, which requires notice at or before collection but doesn’t explain how businesses can provide notices online and offline.

Here’s what the proposed Regulations say about the mechanics of providing Notice:

Notice of information collected from consumers and business or commercial use of such personal information

  Online: Must be provided prior to collection of any personal data. Businesses can fulfill this obligation by providing a link to the section of the privacy policy that contains the Notice information.
  Offline: Must be provided prior to collection of any personal data. Different, and non-exclusive, options include providing the Notice in paper disclosures or providing an in-store poster with the URL for the Notice.

Opt Out

  Online: If the business sells personal information, it must furnish a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link in the Notice.
  Offline: The business must provide the URL for the webpage to which the “Do Not Sell My Personal Information” or “Do Not Sell My Info” links direct users.

The proposed Regulations identify a non-exclusive list of mechanisms for providing offline Notices. One option that is not mentioned, but would certainly seem appropriate, is for businesses to provide a clearly labeled URL directing consumers to the online privacy policy in the text of any paper disclosures a business makes to consumers. If posted signage identifying the URL is a permissible way to provide an offline Notice, it would seem to follow that providing the same information in a paper disclosure would also be permissible.

Linking to Online Privacy Policy In Lieu of Providing Separate Notice

The second thing to note about the Notice provisions of the proposed Regulations is that the content of the Notice is a subset of the information that businesses must provide in the privacy policy. (The privacy policy must contain the categories of personal information the business has collected about consumers in the prior 12 months.)

The proposed Regulations appear to acknowledge the partial redundancy by creating a process by which businesses that operate a website can provide a link to the California-specific portions of their privacy policy containing the same information as required by the Notice, in lieu of providing a separate Notice. Businesses that wish to take advantage of this provision will need to include the uses of personal information collected from consumers in their privacy policy (which the CCPA doesn’t currently require).

Accessibility Requirements

Third, the Notice provisions of the proposed Regulations now include an accessibility requirement. More specifically, the required Notice (as well as the opt-out notice and privacy policy) must be accessible to consumers with disabilities. At a minimum, businesses must provide “information on how a consumer with a disability may access the notice in an alternative format.”

It is likely that many businesses had not considered online accessibility issues before the proposed Regulations came out. Many businesses have gone through an ADA website accessibility analysis in the past. Those who have not should consider doing so now.

New Attestation Requirements

The fourth and final provision of Article 2 that’s noteworthy appears in section (d), which makes clear that a business that does not collect information directly from consumers does not need to provide a Notice of collection. Before selling any such personal information, however, the business must either:

  • Contact the consumer directly to provide the required Notice, and Notice of Opt-Out; or
  • Contact the source of the personal information and confirm the source provided the required Notice and obtain a signed attestation describing how the source gave the Notice at collection along with an example of the Notice.

The upshot of this new requirement is that businesses that either sell or share data with third-party data brokers or lead generators, or others in the business of selling data, can assume that they will see requests from these third parties for attestations. For such businesses, it may make sense to consider the content and format of the attestations as well as how they might automate the process of providing the attestations, if the volume is likely to be significant.

In our next post, we will address the new verification procedures outlined in the proposed Regulations.