Proposed Regulations Under the California Consumer Privacy Act: Delivery and Content of Initial Notices and Disclosures
On October 10, 2019, the California attorney general issued proposed regulations under the California Consumer Privacy Act (“CCPA”). Written comments to the proposed regulations must be submitted by no later than 5:00 p.m. on December 6, 2019.
The proposed regulations focus on the form and content of required notices and disclosures, practices for handling of consumer requests, practices for verifying the identity of the consumer making those requests, practices regarding the personal information of minors, and the offering of financial incentives or price or service differences in exchange for the sale or retention of consumers’ personal information.
This article discusses the notices and disclosures that must be made available to consumers without any specific request by consumers and, in particular, the possible or required delivery methods for this information. While we discuss some of the content of the various notices, we do so primarily to address delivery options and requirements under the proposed regulations. In addition, while the methods for delivery of the notices would sometimes depend on whether a business collects information online or operates a website, in this article we focus on businesses that collect personal information online and operate a website, because we expect that most businesses large enough to be subject to the CCPA also will collect information online and operate a website.
Before we delve into the delivery and content of the various notices, it helps to note as background that a business would be required to offer two or more designated methods for consumers to submit requests for information, requests for the deletion of their personal information, and requests to opt out of the sale of personal information. For requests to opt out, one of those designated methods must include an interactive webform that is accessible via a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on the business’s website or mobile application (the “DNS Link”).
The Notice at Collection
The notice at collection would need to be visible or accessible where consumers will see it before any personal information is collected. If the business collects personal information online, the business may provide this notice through a conspicuous link on the business’s website homepage, on the mobile application download page, or on all pages where personal information is collected.
It should be noted, however, that the CCPA defines “sell” and “sale” very broadly. A business that makes personal information available to a third party or otherwise communicates it to a third party through any means could be considered to be “selling” the information if that is done for any “valuable consideration.” “Valuable consideration” is not limited to actual payments for the personal information but might include the receipt of any benefit, however slight, arising from such sharing of information, including a benefit as basic as future business opportunities arising from the sharing of the information. One key exception is that a business would not be considered to be selling personal information if it only uses or shares the personal information with a processor or other service provider, so long as, among other things, the business and service provider enter into a written contract under which the service provider may retain, use, or disclose the personal information only for the processing, operational, or similar business purposes for which it is shared. While this is a valuable exception to the definition of “sale,” it is limited in scope, and it otherwise might be difficult for many businesses to avoid the rules applicable to sellers of personal information.
The Incentive Notice Only to Retain Information
Notice of Opt-Out Rights and the Incentive Notice if Offering Incentives for the Sale of Personal Information
If a business wants to sell personal information, whether pursuant to an incentive program or otherwise, the disclosure obligations are more complicated. As a practical matter, many businesses might conclude that delivery of the notice of opt-out rights and of the methods for exercising these opt-out rights can be handled only through a dedicated website page or pages.
Under the proposed regulations, the notice of opt-out rights would always be provided on an internet webpage to which the consumer is directed after clicking on the DNS Link. As noted in the introduction to this article, a business would be required to offer two or more designated methods for consumers to submit requests to opt out of the sale of their personal information, and one of those designated methods would need to be an interactive webform that is accessible via this DNS Link. In other words, the DNS Link is supposed to take the consumer to the notice of opt-out rights and at least this one method of opting out.
- Use the DNS Link to deliver the required content of the notice of opt-out rights as well as the interactive webform for submitting opt-out requests.
In subsequent articles, we will address some of the other thorny issues under the CCPA and its proposed regulations. We also will keep you apprised of future developments as they occur, including finalization of the currently proposed regulations and the future regulations that the California attorney general will need to propose and finalize to address the October 2019 amendments to the CCPA.
In the meantime, if you have any questions, please feel free to contact any of the K&L Gates lawyers named below.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.