Just when you thought your CCPA prep was nearing the end…

Yesterday, the California Attorney General and team held a press conference announcing the release of the long-awaited draft regulations implementing the California Consumer Privacy Act or the CCPA. Today kicks off the official comment period for the proposed rules, and based on initial reactions to the draft regs and the Initial Statement of Reasons underlying the proposal, there will be a great many submitting constructive criticism through the December 6 deadline.

While arguably ‘simply implementing’ the statute, it is clear that the AG’s team aims to bring the CCPA closer to the EU GDPR in some ways. In others, such as the new concern about businesses with higher volumes of personal information, the proposed rules are genuinely moving the goal posts for companies to comply. Given the fact that January 1, 2020 is coming (let’s just call it “Winter”) soon and the statute has a 12 month look back period, companies must scramble to understand how these draft rules will impact their business, assuming that the submitted comments do not result in material changes to the proposed regulations.

Here are just some of the key brain benders – to be followed by our more detailed analysis in the coming days.

  • Verifiable Requests – Authenticate Requestors (but don’t collect more data, put any data at risk, allow fraud…): There are a number of provisions related to how businesses authenticate consumers to confirm verifiable requests. It’s clear that businesses should avoid requiring collection of additional personal data to verify the request; however, the rules suggest a risk-based approach is required as to the rigorousness of the verification process (depending on sensitivity of the data and risk if the data lands in the wrong hands). But don’t worry- you can also engage a service provider to complete the verification for you.

 

  • Using Data from Another Data Source? Diligence is On You: Before selling data, a business that doesn’t collect data directly from consumers must either: 1) contact consumers to provide notice and the choice to opt-out; or 2) confirm that the data source provided appropriate notice to consumers and obtain an attestation from the data source describing how notice was given at the point of collection and a copy of the notice.

 

  • Adhere to Deletion Requests… Mostly: The rules set forth a two-step deletion process and businesses must acknowledge receipt of the request within 10 days. Alternatives to deletion include de-identifying or aggregating the personal information. For back-ups and archives, businesses can postpone deletion on those repositories until “next accessed or used” (which could be never?).

 

  • Evidence Your Good Work: Training (specific to the CCPA and final regs) and good record keeping will be essential. Logs of consumer requests and responses to the request must be maintained for 2 years and the content of the logs/records is also prescribed.

 

  • Attention Service Providers – Particularly Payment Vendors and the Like: For service providers thinking they would forever be fighting off limitations on data use across customers, the rules allow service providers to combine personal data collected from one or more businesses to which it provides services, when necessary to detect fraud, security incidents, or illegal activity. In other words, services where a vendor needs to combine data from each of its business customers in order to provide fraud prevention services to those customers will be allowed (e.g., credit card fraud at the point of sale).

 

  • Businesses with High-Volumes of Data, Here’s Your Call to the Carpet: Businesses that handle the personal data of > 4MM consumers must compile specific stats on consumer requests, responses, response times, and other details for the various categories of individual rights and post the previous year’s stats in the business’s privacy policy or on its website.

 

  • Equal and Fair Service and Fees to All… Unless You Properly Valuate Consumer Data: Charging a different price or providing disparate levels of service depending on whether a consumer exercised rights under the CCPA is discriminatory and prohibited unless the differences are reasonably related to the value of the consumer’s data. You may wonder, how do you determine the value of a consumer’s data to the business? Simply apply a reasonable, good faith method of calculation (balancing a number of factors set forth in the rules that would seem difficult to numerically quantify).

 

Stay tuned to the heydatadata.com blog over the coming week for our initial take on what these might mean for those subject to the CCPA.

Nevada: Hey, Don’t Forget About Me!

All eyes are on the California Consumer Privacy Act (“CCPA”) as the January 1, 2020 doomsday for this first-of-its-kind comprehensive privacy law (on this side of the pond) quickly approaches. However, amid the chaos and freaky Friday the 13th wrap-up of the California legislative session that leaves us waiting for the Governor to determine the fate of pending CCPA amendments, don’t lose sight of Nevada’s October 1, 2019 compliance deadline.

In May, Nevada passed a bill giving consumers the right to opt out of the sale of their personal information to data brokers. The bill (“SB 220”) amends Nevada’s existing online privacy law and is often compared to the CCPA’s requirements to allow consumers to opt out of the sale of their personal information. Although SB 220 is significantly narrower businesses should evaluate obligations now given the effective date is 8 days away.

As mentioned, SB 220 garners less attention than the CCPA (and with good reason). The CCPA gives consumers the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. The CCPA provides a specific right that applies to a business selling personal information relating to Californians.

The CCPA defines “sale” to include any transfer of personal information to another business or third party. Nevada’s definition of “sale” is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” In other words, SB 220 limits the definition of “sale” to transfers of data for money where the receiving third party will proceed to transfer or sell the data again. These third parties are defined similarly to “data brokers” in a Vermont law (“a  business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship”). Taken together, Nevada residents only have the ability to opt-out of the sale of their personal information to data broker-type entities.

SB 220 also statutorily exempts particular transfers from the definition of sale, such as disclosure of covered information (by an operator) to:

  1.  a person who processes the information on behalf of the operator;
  2.  a person with whom the consumer has a direct relationship for the purposes of       providing a product or service requested by the consumer;
  3. a person for purposes which are consistent with the reasonable expectations of a consumer, considering the context in which the consumer provided the information to the operator;
  4. a person who is an affiliate; and
  5. a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator.

SB220 also exempts financial institutions subject to Gramm-Leach-Bliley, entities subject to HIPAA and certain motor vehicle manufacturers and services from scope.

No, we are not suggesting that the Nevada opt-out is as far-reaching as the CCPA. But ignore the law at your own risk. Keep in mind that SB 220 requires all “operators” provide an online mechanism or toll-free phone number to collect consumers’ opt-out requests. Simply not selling data to data brokers will not excuse an entity of this obligation.

Operator is defined broadly to include people or entities that own or operate an Internet website or online service for commercial purposes, and collect and maintain covered information from consumers who reside in Nevada and use or visit the website or online service.  Therefore, in order to be compliant with the plain language of the statute, entities may have to both establish an opt-out procedure and identity verification method for hypothetical (future) data transfers, without ever being in a position to have to honor the opt-out request because the business does not sell data to data brokers. Businesses have 8 days to get this ready!