The following document outlines the California Consumer Privacy Act with amendments as of July 18, 2020. It includes basic notices/rights and requirements that you as a business should provide.
Notices to Data Subjects
- Must be reasonably accessible to consumers with disabilities. For online notices, must follow “generally recognized industry standards” such as web content accessibility guidelines. Cal. Reg. § 999.305(a)(2)(d).
- The notice must state the business or commercial purpose for which each category of information will be used. Cal. Reg. § 999.305(b)(2).
Consumer Rights
- Right to Access Data
  - View data collected by the business about the consumer
- Right to Be Forgotten
- Right to Opt-Out of Sale of Information
  - Pertains to businesses actively selling consumer information to third parties
  - Also applies to using customer information for monetary gain (i.e., user-targeted ads)
- Right to Receive Services on Equal Terms
  - Cannot discriminate against a customer for choosing not to sell their data
Handling Data Subject Requests
- Methods for Submitting Requests (CCPA § 1798.130(a)(1); Cal. Reg. § 999.312)
  - Should consider offering a method to submit requests that reflects the manner in which the business primarily interacts with the consumer. For in-person interactions, may provide a printed form that can be submitted directly or via mail, a tablet or computer portal that allows the consumer to complete an online form, or a toll-free number the consumer can call. Cal. Reg. § 999.312(c).
  - May use a two-step process for handling deletion requests:
    - make the request, and
    - separate confirmation of deletion. Cal. Reg. § 999.312(d).
  - Must provide at least two methods for submitting deletion requests (no online-only exception). Cal. Reg. § 999.312(b).
  - Must respond to DSRs that are either submitted outside of a designated method, or deficient for reasons unrelated to the verification process, by either:
    - providing the consumer with information on how to submit the request or remedy the deficiency; or
    - treating it as a correct submission. Cal. Reg. § 999.312(e).
  - Must provide at least one method to opt-out that reflects the manner in which the business primarily interacts with the consumer. Cal. Reg. § 999.315(b).
- Verification
  - Must establish, document, and comply with a reasonable method for verifying access and deletion requests. Cal. Reg. § 999.323(a). (Considerations for determining the method of verification are set out in Cal. Reg. § 999.323(b).)
  - Must not require the consumer to pay a fee for verification, such as requiring a notarized affidavit to verify identity, unless the business compensates the consumer for the cost of notarization. Cal. Reg. § 999.323(d).
  - Must implement measures to detect fraudulent authentication. Cal. Reg. § 999.323(e).
  - If the business maintains a password-protected account with the consumer, the business may verify identity through existing authentication practices. Cal. Reg. § 999.324(a).
  - For requests to know specific pieces of personal information, verification must be to a “reasonably high degree of certainty,” which may include matching at least 3 pieces of information AND a signed declaration under penalty of perjury (which must be maintained). Cal. Reg. § 999.325(c).
  - For requests to delete, verification must be to a “reasonably high degree of certainty” if the level of sensitivity/risk of harm is greater. Cal. Reg. § 999.325(d).
  - For requests to know categories of information, verification must be to a “reasonable degree of certainty,” which may include matching at least 2 pieces of information. Cal. Reg. § 999.325(b).
  - If there is no reasonable way to verify consumers, the business must explain this in the privacy notice and evaluate annually whether that remains accurate. Cal. Reg. § 999.325(g).
  - If the business cannot verify the consumer within the 45-day time period, the business may deny the request. Cal. Reg. § 999.313(b).
- Authorized Agents may make a request on behalf of a consumer
  - A business may require the consumer to:
    - provide the authorized agent with written and signed permission;
    - verify their own identity directly with the business; and
    - directly confirm with the business that they provided the authorized agent permission, UNLESS the authorized agent has power of attorney pursuant to the Probate Code. Cal. Reg. § 999.326(a).
  - Business may deny a request from an agent that does not submit proof they are authorized by the consumer. Cal. Reg. § 999.326(c).
- Responding to Requests
  - Must confirm receipt of a request to know or request to delete within 10 business days and provide general information on how the business will process it, including the verification process and when the consumer should expect a response. Cal. Reg. § 999.313(a).
  - Must respond to requests to know and delete within 45 calendar days from the day the business receives the request (may take a 45 calendar-day extension if needed). Cal. Reg. § 999.313(b).
- Requests to Know (aka Access Requests)
  - Must convert an unverifiable specific-information access request into a category-level access request. Cal. Reg. § 999.313(c)(1).
  - Must respond to unverifiable category-level access requests by directing the consumer to the privacy notice. Cal. Reg. § 999.313(c)(2).
  - In responding to a request to know, a business is not required to search for personal information if all of the following requirements are met:
    - the business does not maintain the information in a searchable or readily accessible format,
    - the business maintains the information solely for legal or compliance purposes,
    - the business does not sell the information or use it for any commercial purpose, and
    - the business responds to the consumer with a description of the categories of records that may contain information that the business did not search. Cal. Reg. § 999.313(c)(3).
  - When responding to a category-level access request, must provide:
    - categories collected,
    - categories of sources from which it is collected,
    - business or commercial purpose for collection or sale,
    - categories of third parties with whom information is shared,
    - categories of information sold and, for each category, the categories of third parties to which it sold that particular category of information; and
    - categories of information disclosed for a business purpose and, for each category, the categories of third parties to whom it disclosed that particular category of information. Cal. Reg. § 999.313(c)(10).
  - Must provide an individualized response to requests to know categories of information (cannot be generic). Cal. Reg. § 999.313(c)(9).
  - Cannot disclose SSN, DL number or other government-issued ID number, financial account number, health insurance or medical ID, account password, security questions and answers, or unique biometric data. However, the business must tell the consumer that it has collected such sensitive information (if applicable). Cal. Reg. § 999.313(c)(4).
  - If a request to know specific pieces of personal information is denied because of a conflict with federal or state law or another exception to the CCPA, the business must explain the basis of the denial unless prohibited from doing so by law. Cal. Reg. § 999.313(c)(5).
- Requests to Delete (aka Deletion Requests)
  - If the business wants to offer an option for partial deletion, it must have a global option that is more prominent. Cal. Reg. § 999.313(d)(8).
  - Must inform consumers who request deletion of their information whether or not the request has been complied with and, if complied with, that the business will maintain a record of the request. Cal. Reg. § 999.313(d)(4)-(5).
  - Must delete information from archived or backup systems the next time the data is restored, or next accessed or used for sale, disclosure, or a commercial purpose. Cal. Reg. § 999.313(d)(3).
  - If the business sells personal information and denies a consumer’s deletion request, and the consumer has not already opted out of sale, the business shall ask the consumer whether they would like to opt out of sale and include notice of the right to opt out. Cal. Reg. § 999.313(d)(7).
- Requests to Opt-Out
  - Must treat user-enabled global privacy controls (e.g., browser plugin, privacy/device setting, etc.) as a valid request to opt-out of the sale of information. Cal. Reg. § 999.315(d).
  - If the business wants to offer an option for partial opt-out, it must have a global option that is more prominent. Cal. Reg. § 999.315(e).
  - Opt-out requests must be honored within 15 business days. Cal. Reg. § 999.315(f). If a business sells the consumer’s information after the consumer submits the request but before the business has complied with it, the business must notify the third parties to whom it sold the information not to sell the consumer’s information. Cal. Reg. § 999.315(f).
  - A request to opt-out does not need to be a verifiable consumer request. Cal. Reg. § 999.315(h).
- Training/Record Keeping (Cal. Reg. § 999.317)
  - Must keep a record of DSR requests received in the previous 24 months, including date of request, nature of request, manner in which the request was made, date of response, nature of response, and basis for denial if applicable. Cal. Reg. §§ 999.317(b)-(c).
  - Must maintain reasonable security procedures and practices in maintaining DSR request records. Cal. Reg. § 999.317(b).
  - Businesses that collect information from more than 10 million Californians in a calendar year must compile annual DSR statistics, including the number of requests received, complied with (in whole or in part), and denied, and the median or mean number of days within which the business “substantively responded.” Cal. Reg. § 999.317(g)(1).
  - Must establish, document, and comply with a training policy to ensure individuals handling requests are informed of the requirements of the CCPA. Cal. Reg. § 999.317(g)(5).
Privacy Policy
- For online notices, must follow “generally recognized industry standards” such as web content accessibility guidelines. In other contexts, must provide information on how consumer may access notice in alternative format. Cal. Reg. § 999.308(a)(2)(d).
- Identify categories of sources from which personal information is collected. Cal. Reg. § 999.308(c)(1)(e). The categories must be described "with enough particularity to provide consumer with a meaningful understanding of the type of third party." Cal. Reg. § 999.301(d).
- For each enumerated category of personal information disclosed for a business purpose, identify the categories of third parties to whom it was disclosed. Cal. Reg. § 999.308(c)(1)(g)(2). The categories must be described "with enough particularity to provide consumer with a meaningful understanding of the type of third party." Cal. Reg. § 999.301(e).
- For each enumerated category of personal information sold, identify the categories of third parties to whom it was sold. Cal. Reg. § 999.308(c)(1)(g)(2). The categories must be described "with enough particularity to provide consumer with a meaningful understanding of the type of third party." Cal. Reg. § 999.301(e).
- If the business sells information, state whether business has actual knowledge that it sells information of minors under 16. Cal. Reg. § 999.308(c)(1)(g)(3).
- If the business has actual knowledge that it sells personal information of minors under 16, describe process for opting in to sale. Cal. Reg. § 999.308(c)(9).
- Describe in general the process the business will use to verify access and deletion requests, including any information the consumer must provide. Cal. Reg. §§ 999.308(c)(1)-(2).
- Provide instructions on how an authorized agent can make a request on consumer’s behalf. Cal. Reg. § 999.308(c)(5).
- Provide contact for questions/concerns regarding privacy practices in a manner reflecting the way the business primarily interacts with the consumer (including in-store options). Cal. Reg. § 999.308(c)(6)(a).
- Must disclose date Privacy Policy was last updated. Cal. Reg. § 999.308(c)(7).
- Businesses that collect information from more than 10 million Californians in a calendar year must publish their annual DSR statistics either in the Privacy Policy or via a link in the Privacy Policy by July 1 of every calendar year. Cal. Reg. §§ 999.308(c)(8); 999.317(g)(2).
Service Providers (this includes TownNews once the Master Service Agreement Addendum is signed)
- Service providers are permitted to retain, use, or disclose personal information obtained in the course of providing services in the following situations:
  - to process/maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect it, in compliance with the written contract for the services;
  - to retain and employ another service provider as a subcontractor (where the subcontractor meets the service provider requirements);
  - for internal use by the service provider (provided the use does not include building/modifying profiles to use in providing services to another business, or correcting or augmenting data acquired from another source);
  - to detect security incidents;
  - to comply with law, legal process, or to exercise/defend legal claims. Cal. Reg. §§ 999.314(c)(1)-(5).
- If a service provider receives a consumer request, it shall either act on behalf of the business in responding to the request or inform the consumer that it cannot act on the request. Cal. Reg. § 999.314(e).
