Proposed Modifications to CCPA Regulations – Consumer Requests and Verification Requirements

Note: This blog post is the second of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for consumer requests and verification in the modified regulations are summarized below.

Sections 999.312 and 999.313 – Requests to Know and Requests to Delete

  • Clarifies that exclusively online businesses need only provide an email address for submitting requests to know.
  • Clarifies that a business shall consider the methods by which it “primarily” interacts with consumers when determining which methods to provide for submitting requests to know and delete. A business that operates a website but primarily interacts with customers at a retail location is only required to have two (not three) methods to submit requests.
    • CCPA Example: If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone by which the consumer can call the business’ toll-free number.
  • Clarifies the following deadlines:
    • Confirmation of receipt of a request to know or delete must be provided within 10 business days (as opposed to calendar days). The confirmation may be given in the same manner the request was received.
    • Responses to a request to know or delete must be provided within 45 calendar days, beginning on the day the business receives the request, regardless of the time to verify the request. A business may deny the request if it cannot be verified within the 45 day time period. An additional 45 calendar days is permitted so long as, within the first 45 days, the business provides the consumer with notice and an explanation of the reason the business will take more than 45 days to respond.
  • Clarifies that in responding to a request to know, a business is not required to search for personal information if: (1) the business does not maintain information in a searchable or reasonably accessible format; (2) the business maintains the personal information solely for legal or compliance purposes; (3) the business does not sell the personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search due to meeting these requirements.
  • Adds unique biometric data generated from measurements or technical analysis of human characteristics to the list of sensitive personal information that may not be disclosed in response to a request to know.
  • Clarifies that the categories of third parties to whom personal information is sold or disclosed must be provided for each particular category of personal information identified in response to a request to know categories of personal information.
  • An unverified request to delete is no longer required to be treated as an automatic request to opt out. Instead, a business that sells personal information is required to respond to an unverified consumer request to delete by (1) asking the consumer if they would like to opt out of the sale of their personal information and (2) including either the contents of, or a link to, the notice of the right to opt out.
  • With regard to data stored in backup systems, explains that such data is only required to be deleted if and when it is restored to an active system or accessed or used for a sale, disclosure or commercial purpose.
  • Clarifies that a business must inform the consumer whether it has complied with the request to delete and that it will maintain a record of the request for purposes of ensuring the personal information remains deleted from the business’ records.

Section 999.315 – Requests to Opt Out

  • Mandates that methods for submitting opt-out requests be designed to require minimal steps and be easy to execute.
  • Clarifies that an acceptable method for submitting a request to opt out of the sale of personal information is through a user-enabled “global” privacy setting, including but not limited to a device setting. The use of a global privacy control by a consumer must be treated by the business as a valid request to opt out. Any privacy control must clearly signal that the consumer intends to opt out of the sale of personal information and must require that the consumer affirmatively select their choice to opt out and must not be designed with any preselected settings. If a global privacy setting conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’ financial incentive program, the business must respect the privacy control but may give the consumer notice of the conflict and give the consumer the choice to confirm the business-specific purpose or participation in the financial incentive program.
  • Businesses must comply with a request to opt out as soon as feasibly possible but no later than 15 business days (as opposed to calendar days) from the date the business received the request. The business must direct all third parties to whom it sells personal information to stop selling that information while the business complies with the opt-out request.

Section 999.316 – Requests to Opt In

  • Clarifies that a business may provide a consumer with instructions on how to opt in to the sale of their personal information, if the consumer initiates a post-opt-out transaction or attempts to use a product or service that requires the sale of their personal information to a third party.

Section 999.318 – Requests to Access or Delete Household Information

  • Clarifies that where a household does not have a password-protected account with a business, the business is prohibited from providing specific pieces of personal information about the household in response to a request to know or from deleting personal information in response to a request to delete unless all consumers of the household make the request jointly and the business individually verifies the members of the household, including that each member making the request is a current member of the household. The business is no longer required to provide aggregate information in response to such requests.
  • Clarifies that a business may process requests through existing and compliant business practices when the consumer has a password-protected account with the business.
  • When members of a household are under 13 years of age, requires verified parental consent for disclosure of household information.

Section 999.323 – Verification

  • Prohibits a business from requiring consumers to pay a fee in connection with verification of a request to know or to delete.
    • CCPA Example: A business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of the notarization.

Section 999.325 – Verification for Non-Accountholders

  • Updates the illustrative examples for verification of individuals without an account and clarifies that a business shall deny a request to know specific pieces of information if it cannot verify the identity of the requestor.