Tag: Sandra Jeskie

Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.

Section 999.314 – Service Providers

• Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
  • Performing the services specified in the written contract;
  • Retaining and employing another servicer provider as a subcontractor;
  • For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
  • Detecting security incidents or protecting against fraudulent or illegal activities; or
  • Any other purpose enumerated in the CCPA.

• Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
• Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

Section 999.317 – Training and Record Keeping Requirements

• Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for a commercial purposes the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).

Section 999.326 – Authorized Agent

• When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identify directly with the business and (3) directly confirm with the business that the provided the authorized agent permission to submit the request.
• Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.

Section 999.330 – Minors Under 13 Years of Age

• Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.

Section 999.336 – Nondiscrimination

• Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
• Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
• Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.

Section 999.337 – Calculating the Value of Consumer Data

• Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
• For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.

Note: This blog post is the second of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for consumer requests and verification in the modified regulations are summarized below.

Sections 999.312 and 999.313 – Requests to Know and Requests to Delete

• Clarifies that exclusively online businesses need only provide an email address for submitting requests to know.
• Clarifies that a business shall consider the methods by which it “primarily” interacts with consumers when determining which methods to provide for submitting requests to know and delete. A business that operates a website but primarily interacts with customers at a retail location is only required to have two (not three) methods to submit requests.
  • CCPA Example: If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone by which the consumer can call the business’ toll-free number.

• Clarifies the following deadlines:
  • Confirmation of receipt of a request to know or delete must be provided within 10 business days (as opposed to calendar days). The confirmation may be given in the same manner the request was received.
  • Responses to a request to know or delete must be provided within 45 calendar days, beginning on the day the business receives the request, regardless of the time to verify the request. A business may deny the request if it cannot be verified within the 45 day time period. An additional 45 calendar days is permitted so long as, within the first 45 days, the business provides the consumer with notice and an explanation of the reason the business will take more than 45 days to respond.

• Clarifies that in responding to a request to know, a business is not required to search for personal information if: (1) the business does not maintain information in a searchable or reasonably accessible format; (2) the business maintains the personal information solely for legal or compliance purposes; (3) the business does not sell the personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search due to meeting these requirements.
• Adds unique biometric data generated from measurements or technical analysis of human characteristics to the list of sensitive personal information that may not be disclosed in response to a request to know.
• Clarifies that the categories of third parties to whom personal information is sold or disclosed must be provided for each particular category of personal information identified in response to a request to know categories of personal information.

• An unverified request to delete is no longer required to be treated as an automatic request to opt out. Instead, a business that sells personal information is required to respond to an unverified consumer request to delete by (1) asking the consumer if they would like to opt out of the sale of their personal information and (2) including either the contents of, or a link to, the notice of the right to opt out.
• With regard to data stored in backup systems, explains that such data is only required to be deleted if and when it is restored to an active system or accessed or used for a sale, disclosure or commercial purpose.
• Clarifies that a business must inform the consumer whether it has complied with the request to delete and that it will maintain a record of the request for purposes of ensuring the personal information remains deleted from the business’ records.

Section 999.315 – Requests to Opt Out

• Mandates that methods for submitting opt-out requests be designed to require minimal steps and be easy to execute.
• Clarifies that an acceptable method for submitting a request to opt out of the sale of personal information is through a user-enabled “global” privacy setting, including but not limited to a device setting. The use of a global privacy control by a consumer must be treated by the business as a valid request to opt out. Any privacy control must clearly signal that the consumer intends to opt out of the sale of personal information and must require that the consumer affirmatively select their choice to opt out and must not be designed with any preselected settings. If a global privacy setting conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’ financial incentive program, the business must respect the privacy control but may give the consumer notice of the conflict and give the consumer the choice to confirm the business-specific purpose or participation in the financial incentive program.
• Businesses must comply with a request to opt out as soon as feasibly possible but no later than 15 business days (as opposed to calendar days) from the date the business received the request. The business must direct all third parties to whom it sells personal information to stop selling that information while the business complies with the opt-out request.

Section 999.316 – Requests to Opt In

• Clarifies that a business may provide a consumer with instructions on how to opt in to the sale of their personal information, if the consumer initiates a post-opt-out transaction or attempts to use a product or service that requires the sale of their personal information to a third party.

Section 999.318 – Requests to Access or Delete Household Information

• Clarifies that where a household does not have a password-protected account with a business, the business is prohibited from providing specific pieces of personal information about the household in response to a request to know or from deleting personal information in response to a request to delete unless all consumers of the household make the request jointly and the business individually verifies the members of the household, including that each member making the request is a current member of the household. The business is no longer required to provide aggregate information in response to such requests.
• Clarifies that a business may process requests through existing and compliant business practices when the consumer has a password-protected account with the business.
• When members of a household are under 13 years of age, requires verified parental consent for disclosure of household information.

Section 999.323 – Verification

• Prohibits a business from requiring consumers to pay a fee in connection with verification of a request to know or to delete.
  • CCPA Example: A business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of the notarization.

Section 999.325 – Verification for Non-Accountholders

• Updates the illustrative examples for verification of individuals without an account and clarifies that a business shall deny a request to know specific pieces of information if it cannot verify the identity of the requestor.