Final CCPA Proposed Regulations: The Ultimate Guide


With CCPA enforcement scheduled for July 1, 2020, California’s AG submitted the final proposed regulations for review. 

The submission of the regulations that define how businesses need to comply with CCPA, and how California residents exercise their rights in relation to the use of their personal data is the final step before the enforcement of this data privacy law starts. 

The final regulations clarify specific provisions under the CCPA, which include;

  1. Definitions
  2. Notice obligations
  3. Managing consumer rights and requests
  4. Verification requirements for consumer requests
  5. Special rules concerning minors
  6. The use cases where the non-discrimination requirement is applicable

Additionally, the final regulations also provide direction on; 

  1. The definition of service providers
  2. Training and record-keeping obligations
  3. How businesses deal with requests from agents acting on behalf of consumers

The final CCPA regulations, if approved, are expected to take effect on either October 1st, 2020, or January 1st, 2021.

However, the AG has requested an expedited review from the Office of Administrative Law (OAL), which means the regulations could take effect much sooner than expected. 

Let us take a detailed look at the key items that you should be thinking about to ensure that your business is compliant with the CCPA once enforcement begins. 

You can find the full text of the final CCPA proposed regulations here

Definitions

The final CCPA proposed regulations narrow down the definition of a ‘household’ to incorporate residence in the same address and;

  1. Sharing a common gadget or service 
  2. Sharing the same group account or unique identifier 

This means that information simply connected to a specific address only will not qualify as the personal information of a given household.

Key Consequences of the New Definition for Businesses

  • Responding to Requests for the Personal Information of a Household

You can address a request to know or deletion of specific pieces of information from a given household only if;

  1. The household has a password-protected account with your company 
  2. The household members jointly make the request
  3. The requesters are individually verified and proven to be current members of that household
  • Handling Personal Information of Children under Household Data

 If a member of a given household is a child under the age of 13 years old, you must seek verifiable parental consent in line with COPPA obligations.

Restrictions to Right to Know and Right to Delete

If you receive a request from a holder of a password-protected account, you can respond to the request in line with existing procedures and CCPA regulations although this is not compulsory. 

However, if the requests affect the rights of privacy of the data of other members of the household who do not qualify as a household, there is still a basis to restrict access to safeguard the rights of these persons.

Notice Requirements 

Your business will be required to provide three types of privacy notices for consumers under the CCPA according to the final proposed regulations. 

  1. For companies that gather personal information from users directly, the CCPA requires you to provide a notice at or before the point of collection informing users about the collection of their data
  2. For companies that sell personal data, you need to provide a notice concerning the right to opt-out, as well as a notice about the details of the sale.
  3. For businesses that extend financial incentives, as well as price or service differences, you must provide a notice about the financial inducement. 

An online privacy policy and a notice at collection do not necessarily mean the same thing according to the final CCPA proposed regulations. 

Providing a link to the company’s privacy policy is a key component of the notice at collection. However, the notice at collection contains a different set of disclosure requirements.

Therefore, providing a link to the online privacy policy may not comply with notice-at-collection obligations.

Key Consequences of the Notice Requirements for Businesses

  • Notice at Collection Obligation

Firstly, you are required to determine whether the user data they gather falls under the scope of the expanded definition of personal information under the CCPA. 

Additionally, you should come up with new or updated processes to provide the necessary privacy notices before collecting any kind of user information. 

  • Privacy Policy Obligations

Your company’s privacy policy should offer users clear information about your online and offline practices concerning the collection, use, disclosure, and sale of personal data. 

Furthermore, you should give users a description of the rights they are entitled to over their personal information according to the degree of granularity and categorization required by the final proposed regulations. 

Lastly, the privacy policy must also outline the sources from which personal information is collected. Some of the sources include

  1. Advertising networks, 
  2. Internet service providers, 
  3. Data analytics providers, 
  4. Government agencies, 
  5. Operating systems, 
  6. Data brokers, 
  7.  Social networks
  • Opt-in Consent Requirement for New Uses of Personal Information

You must make sure that the information you collect from consumers is not used for any other purpose apart from the one provided in the notice. 

In case you use the information for a secondary or new purpose, your business will need to seek explicit consent from the consumer. 

Managing Consumer Rights Requests

The focus of the final proposed regulations for the CCPA in relation to handling consumer requests is to ensure that businesses verify the requester in line with who they say they are.

This approach is different from the initial focus, which was on determining whether the user is a resident of California or not. 

Key Consequences for Businesses in the Management of Consumer Rights Requirements 

  • The Verification Requirement

In cases where authentication cannot be determined using a password-protected account, the final regulations require you to verify to a higher degree of certainty before addressing a request to access particular types of personal information or deletion of sensitive data. 

On the other hand, if you receive a right-to-know request for categories of information collected or deletion of less-sensitive data, you need to verify the requestor to a reasonable degree of certainty. 

In case you fail to authenticate the request for specific pieces of information, you need to determine if you have met the lower standard of verification, which is the ‘reasonable degree of certainty.’

If the requester satisfies this requirement, you can respond by only disclosing the categories of information collected and not the specific pieces of information requested. 

Nonetheless, the regulations outline the examples of the kinds of information that you should subject to higher verification standards before you address a request to delete. 

  • 10-day Response Requirement

According to the final CCPA proposed regulations, you will be required to provide particular disclosures in the first acknowledgment that confirms the receipt of a consumer’s request to access or delete. 

You must provide these disclosures within 10 days of receiving these kinds of requests. 

  •  Standardized Opt-Out Button Design

The final regulations do not propose a new design for the opt-out button. If you sell consumer data, you need to have a link labeled ‘Do Not Sell My Info’ on your homepage that sends users to a webpage that allows them to opt-out. 

  • Inability to Verify

In case you deny a deletion request from a consumer due to the inability to verify their identity, your business is required to give the user the choice to exercise his/her right to opt-out. 

On the other hand, if you cannot verify a user who submitted a right-to-know request for categories of information gathered, you should, at least, provide a link that leads him/her to your privacy policy. 

The privacy policy should contain a list of the categories of personal data your business collects. 

  • 15-Day Opt-Out Requirement

You must address a request to opt-out as soon as possible, but not exceeding 15 business days from the date your company receives a request. 

In some cases, a user can opt-out, but before the opt-out request has been addressed. In such a case, if you sell personal information to third parties, you must alert the third parties that the user has exercised their right to opt-out. 

Once you notify the third parties, you must also direct them not to sell the specific user’s personal data. 

Special Requirements Concerning Minors

The final proposed CCPA  regulations specify parental consent authentication guidelines for children under the age of 13 years old. 

These requirements are applicable based on your company’s existing knowledge of selling the personal information of children, and not as a result of collecting or storing such data. 

Lastly, the proposed regulations also outline how your business should oversee the opt-in and opt-out of minors regarding the sales of their data. 

Key Consequences of the Special Regulations for Minors on Businesses

  • Opt-in Requirement 

You must provide a two-step procedure to obtain affirmative opt-in for the sale of personal information belonging to children between the ages of 13 and 16 years old. 

  • Notice of Sale of Children’s Personal Information

A CCPA-compliant privacy policy should have an affirmative statement declaring whether your company is actually aware that it sells the personal data of children under the age of 16 years old. 

Non-Discrimination Requirements

The proposed regulations make it clear that your business can be viewed as having discriminated against a consumer only if a user receives a different financial incentive, price, or service because they exercised any of their rights under the CCPA. 

The final regulations outline four examples that demonstrate the kinds of business practices that will be considered as discriminatory instead of the previous five scenarios. 

Key Consequence of the Non-Discrimination Requirements for Businesses

  • Review of Business Practices

You need to assess whether and which of your business activities are subject to the nondiscrimination requirements

  • Calculating the Value of a Customer’s Personal Information

According to the proposed regulations for the enforcement of the CCPA, you can use 8 different ways to determine the value of a user’s personal data. 

For this purpose, you are allowed to take into account the value of the information from all natural persons in the US instead of limiting the scope to California residents only. 

Service Provider Requirements

If you are an entity that offers services to an individual or company that is not business such as the government or an NGO, you qualify to be considered as a service provider. 

The final proposed CCPA regulations also define the extent to which you, as a service provider, can use consumer information provided by your client.  The five specific purposes for which you can store, use, or disclose personal information are;

  1. Processing or storing consumer data on behalf of your client  in line with the service provider agreement
  2. Keeping another service provider as a subcontractor
  3. Strict internal use in creating or improving the quality of service so long as you do not use the data or combine it with information from another source to build or change the profiles of the users for another company. 
  4. Information safety and preventing fraudulent activities
  5. Meeting legal requirements of the state of California

Key Consequence of the Service Providers Requirements for Businesses

  • Handling Consumer Requests

If you are a service provider, and you receive a right-to-know or deletion request for data gathered, held, or sold on behalf of a client, you must either;

  1. Address the request on behalf of your client, or
  2. Inform the user that the request cannot be addressed because it was submitted to a service provider.
  • Business, Service Provider, or Third Party Ambiguity

The California AG acknowledges this ambiguity by stating, “An entity may in some instances be the business that collects personal information from consumers and in other instances [be] a third party that receives personal information collected by another business.”

You need to independently determine if the requirements for collection, sale, or resale apply. 

Training and Records Requirements 

The proposed regulations for CCPA enforcement expand the obligations for businesses that process large volumes of personal information from California residents. 

Initially, the threshold for companies required to meet this requirement was those that process personal data of 4 million California consumers annually. The threshold now stands at 10 million. 

Additionally, you will be required to keep a database of consumer requests for two years. 

Key Consequences of the Training and Records Requirements for Businesses

  • Record Keeping

You need to maintain records of consumer requests for the full period applicable to the enforcement actions of the AG. 

  • Privacy Policy Disclosure

If you know that you will purchase, receive, sell, or share personal data for business reasons, you need to maintain detailed records of the consumer requests and publish them in your online privacy policy one year after the enforcement of the CCPA commences. 

How Secure Privacy Helps Businesses Comply with the CCPA

Secure Privacy offers a complete solution for CCPA (California Consumer Privacy Act) that supports ‘do not sell my personal data’, which can easily be integrated into any website.

Find out more about the features of our CCPA compliance solution here.

Alternatively, get a personalized demo of our CCPA compliance solution from a data privacy expert by scheduling a call with us. 

Additional Resources;

Learn more about the CCPA and how to make your company compliant with our comprehensive guide