15 Question Marks - The Proposed CCPA Regulations – Part I

The California Attorney General (AG) has released new regulations, as part of a proposed rulemaking process to create procedures for facilitating consumers’ CCPA rights. While aimed at clarifying the CCPA requirements and providing compliance guidance, the proposed regulations raise question marks and concerns.

The AG will take public comments on the draft regulations through 6 December 2019 and hold several public hearings.

This is Part I of our review of the AG proposed CCPA regulations. It discusses uncertainties related to the multiple required notices. Our review will continue in Part II which will address the financial and social impact of the proposed regulations. Part III, the last part of our review will focus on CCPA bureaucracy.

Part I – Notices

  1. Does the CCPA mandate a ‘Cookie Wall’?

The CCPA requires that a business that collects a consumer’s personal information shall, “at or before the point of collection, inform consumers as to the categories of collected personal information and the purposes of use.”

Under the proposed regulations, the notice should be “visible or accessible where consumers will see it before any personal information is collected”. Presumably, it means that website owners will need to present the notice to consumers before they start collecting users’ data with cookies and other online trackers.

Would that mean that a link to the privacy policy on the website’s homepage will not be sufficient and that websites will need to present a pop-up notice before the user enters the website? It may be an AG intention to align the CCPA requirement for collection notices with the mandated cookie consent under EU laws, though the proposed regulations deviate from the original CCPA wording.

  1. Businesses will Need Multiple Privacy Notices

The CCPA requires four types of notices: A collection notice; a notice of the right to opt-out of the sale of personal information; a notice of financial incentives and a privacy policy.

Under the proposed regulations, businesses will likely need several versions of the four required CCPA notices, for the following reasons:

  • Businesses will need to offer a small screen version of each notice;
  • Businesses will need to offer the notices in all languages that the business interacts with the consumers. For example, if a business offers a chatbot in multiple languages, the business will likely need to provide the notices in all languages offered through the chatbot.
  • Businesses will need to offer all notices in a format accessible to consumers with disabilities. Unlike modern accessibility legislation in various countries, the proposed regulations do not indicate the accessibility standard that businesses will need to comply with.
  • Businesses will need to offer a printable format of the notices. It is unclear whether businesses with physical stores will need to hand out hard copies of the notices and whether printing to a digital format (such as PDF) will be acceptable.
  1. An Incentive for Long and Detailed Privacy Policies

Consumers may submit requests to know the categories of personal information, of data sources and of third parties with whom a business shares the information. According to the proposed regulations, if the privacy policy provides sufficient details about such categories, businesses may refer the requesting consumers to the privacy policy, instead of providing an individualized response.

This is an incentive for businesses to create detailed privacy policies, to avoid extra costs in responding to requests to know. This incentive joins other requirements to provide detailed privacy policy disclosures under the CCPA and the proposed regulations. These include:

  • Consumers’ rights (deletion, know, opt-out of sale, non-discrimination), including an explanation of the right, instructions on how to submit a request and the consumer verification process;
  • Categories of information;
  • Categories of sources of information;
  • Categories of third parties with whom the data is shared;
  • Statement of disclosure or sale of information;
  • Notice of right to opt out of the sale, or a statement of not selling personal information;
  • Disclosures related to minors;
  • Designation of an authorized agent;
  • Metrics of consumers’ requests, if the business buys, sells, receives or share for commercial purposes information on more than 4 million consumers;
  • If there is no reasonable method by which a business can verify the identity of the consumer to the required degree of certainty.
  • Date of the policy’s update;
  • Contact Details.

Most likely, these requirements will result in long, detailed privacy policies. This outcome seems to be not aligned with the proposed regulations’ requirement to create notices which are “easy to read and understandable to an average consumer”.

Would lengthy and detailed policies enhance consumers’ control over their personal information, or would they be ignored (as they are today by most consumers) due to the already existing data deluge that consumers face?

  1. Explicit Consent Introduced and Interpretation Challenges

The CCPA indicates three scenarios of data use which require consent (use of data related to minors, financial incentives programs and in the context of one exception to the deletion right). The proposed regulations introduce a fourth scenario. Under the proposed regulations, a business will need to receive the consumers’ explicit consent before adding new purposes to the privacy policy.

Typically, websites and application owners send users a notice about forthcoming updates to their privacy policies. The regulations, however, require explicit consent for an update that introduces a new purpose for using the data. Conversely, if a website owner updates the privacy notice by only adding new categories of data, then an update notice seems sufficient.

The CCPA does not require consumers to provide their consent (let alone their explicit consent) to the original purposes of processing. Rather, businesses need to provide consumers only with a notice describing these purposes.

Yet original purposes may be more privacy-invasive than newly introduced purposes. Additionally, a new category of third parties with whom the business shares personal information may have an adverse impact on consumers’ privacy, just as much as a new purpose. The same goes for the collection of sensitive data as a new category. The reasoning for requiring explicit consent for (and only for) new purposes seems questionable.

Moreover, the proposed regulations introduce the term ‘explicit consent’. Neither the CCPA nor the proposed regulations define this term. What would constitute ‘explicit’? This is a matter for future interpretation (for reference, EU regulators have addressed the meaning of explicit consent under the GPDR in guidelines published on April 2018).

It would also likely require extra legal work to understand the difference between the multiple consent terminology under the CCPA (‘prior opt-in consent’, ‘informed consent’ and a simple ‘consent), versus the regulations’ ‘explicit consent’.

  1. Data Scraping Becomes Practically Impossible

Businesses who sell data, such as lead generation and data enrichment service providers, often do not have direct contact with individuals. Rather, they rely on other data providers and online platforms, as the sources for the information. Until now, these service providers were fairly free from statutory intervention with their contracts with data sources. The proposed regulations considerably limit this freedom of operation.

Under the proposed regulations, a business that sells data without collecting the data directly from consumers does not need to provide a collection notice. However, before selling the data, the business must either –

  • Contact the consumer, to provide a notice of collection and an opt-out choice. When dealing with databases of millions of consumers, this option seems not feasible; or,
  • Contact the data source to:

(i) confirm that the data source has provided the collection notice and an opt-out choice;

(iii) obtain from the data source an attestation about how the data source who provided the collection notice and a sample of the notice; and,

(v) retain the data source’s attestation and sample notice for two years.

Often, the data sources themselves do not have direct relations with consumers. Instead, they too rely on additional sources for that purpose. Additionally, some data sources collect data from multiple online sources, specifically through online data scraping practices.

The proposed regulations do not explicitly discuss these scenarios, yet it seems that scraping personal information may be impossible in practice because it does not involve the collection of data directly from consumers and data scrapers would find it extremely hard to receive the attestations and privacy samples from their multiple online sources.

Conclusion

Notice requirements under the CCPA, as interpreted by the proposed regulations, become complicated and require maintenance. At first look, they seem plausible, as they enhance the businesses’ obligations to disclose their practices and provide consumers with more choice and control. However, this is not the only possible outcome.

For example, consumers receive multiple notices about data breaches, pursuant to breach notification requirements under US state laws. Researches show that consumers have become numb and indifferent to the breach notifications. Some experts warn from consumers’ ‘data breach fatigue’.

Similarly, consumers may eventually become indifferent to the barrage of new links and notices under the CCPA and proposed regulations. Lengthy notices and multiple links may prove counter-productive to the efforts to make it easier for consumers to control information related to them.