The California AG’s CCPA Regulations: The good, the ugh, and the ugh-ly

By Emily Leach

As mandated by the California Consumer Privacy Act (CCPA), California Attorney General Xavier Becerra has proposed the much-anticipated regulations “clarifying” the provisions of the CCPA. The regulations aim to help companies understand how to operationalize the often confusing and ambiguous provisions of the statute. Together with privacy professionals around the world, I laughed, I cringed and, most frequently, I furrowed my brow and re-read things two and three times to figure out exactly what they were trying to say.

Here are a few things that rose to the top for me.

The good.

For those struggling with verification: There are some pretty clear guidelines on how businesses should handle verifying rights requestors. The regs include a tiered, risk-based approach, and even use real-life examples to help businesses determine how best to authenticate requestors.

Clarity on what to do upon denying requests: Some of the provisions around denying consumer rights requests add work for companies (for example, when you cannot verify a requestor to the standard required for disclosure of specific pieces of Personal Information (PI), you must treat the request as one for the categories of PI instead), but they give clear guidance to companies working toward compliance.

For those that treat all info the same: Companies that treat all personal information the same can rely on their privacy notice when responding to category disclosure requests, provided they have appropriately listed out all the categories as required under CCPA. So, when a consumer requests what categories of PI you hold on them, you can point them to your privacy notice instead of creating an individualized response.

Double confirmation and re-authentication: The AG regs specify that companies must use a double confirmation for deletion requests, e.g., a consumer clicks the button that says “I want you to delete my info,” a pop-up asks “are you sure you want us to delete all your info?” and the consumer has to confirm the request. Alternatively, where the consumer has an account, they would need to re-authenticate in order to submit deletion and disclosure requests. This both cuts down on consumers making unintended requests and, in general, is just good security practice (an irreversible action such as deletion should require fresh proof of identity) that would now be codified.

The ugh.

(Soap-box warning) It’s a NOTICE, not a POLICY: Can we pleeeeeeaaase agree on some very basic language that allows people to talk about privacy and know what the heck the other person is saying?!?! A privacy policy is an internal document that tells people in a company how to handle personal information. A privacy notice is a statement that an organization makes to a consumer/data subject/other individual that gives them information about what personal information the organization collects, why, and what it will do with it (in its ultimate state). I beg of you all, stop conflating these things … Starting with you, Becerra.

90 day look-back for DNS requests: In CCPA, the do-not-sell opt-out is a forward-looking thing. I.e., you sold that person’s information, they told you to stop, so now you stop. Under the proposed AG regs, you would need to look back 90 days and inform all the third parties you sold it to that they shouldn’t sell it further. So, under these regs it would go: You sold that person’s information, they told you to stop, so you stop, and now you have to go find all the entities you sold it to in the last 90 days and tell them to stop too. (Gratefully, you’re not on the hook to make sure they comply! … Today …)

New requirements for in-person requests: On top of the two methods the CCPA itself specifies (a toll-free telephone number and, for businesses with a website, a website address), the AG regs propose an additional requirement for businesses that primarily interact with consumers in person. “Example 2: If the business operates a website but primarily interacts with customers in person at a retail location, the business shall offer three methods …” So much for being grateful for those real-life examples!

Browser DNT settings are now DNS requests: Some browsers can send a Do Not Track (DNT) signal, a request header that asks sites not to track the user’s online behavior. Under the AG regs, businesses will have to treat that browser setting as a do-not-sell request under CCPA. The thing is, today, lots of businesses simply ignore DNT signals. So not only will they have to put these consumers on their do-not-sell list, they’ll have to implement a system that recognizes the signal in the first place. Never mind what that means for operationalizing the 90-day look-back provision above … Ugh.
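To make the two provisions above concrete, here is a sketch of the opt-out handling they would require: recognize the browser DNT signal as a do-not-sell request, record it, and work out which third parties received the consumer’s PI in the preceding 90 days so they can be told to stop. This is an added illustration, not code from the original post or from the AG’s regulations; the header map, the sale-log record layout, the inclusive 90-day window and the shape of the result are all assumptions, since the draft regs specify none of them.

```python
"""Do-not-sell opt-out handling for a DNT signal plus the 90-day look-back.

Added illustration; not code from the original post or the regulations.
Assumptions: requests arrive as a header dict, "sales" are dicts with
consumer_id / recipient / sold_at (timezone-aware datetime), and the
look-back window is 90 calendar days inclusive of the boundary.
"""
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 90  # assumed window from the draft regs


def is_dnt_signal(headers):
    """True if the request carries a Do Not Track opt-out (DNT: 1).

    Header names are case-insensitive, so normalise before comparing;
    any value other than "1" (e.g. "0" or unset) is not an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def lookback_recipients(sales, consumer_id, as_of, days=LOOKBACK_DAYS):
    """Third parties that received this consumer's PI within the window.

    Returns a sorted, de-duplicated list so that one notice goes to each
    recipient even when there were several transfers to it.
    """
    cutoff = as_of - timedelta(days=days)
    recipients = {
        sale["recipient"]
        for sale in sales
        if sale["consumer_id"] == consumer_id
        and cutoff <= sale["sold_at"] <= as_of
    }
    return sorted(recipients)


def handle_opt_out(headers, consumer_id, sales, opt_out_list, as_of,
                   explicit=False):
    """Record an opt-out (explicit click or DNT header) and list who to notify.

    Returns whether an opt-out was recorded, where it came from, and the
    recipients that must be told not to sell the data further.
    """
    if not explicit and not is_dnt_signal(headers):
        return {"recorded": False, "source": None, "notify": []}
    source = "explicit" if explicit else "dnt-header"
    opt_out_list[consumer_id] = {"since": as_of, "source": source}
    notify = lookback_recipients(sales, consumer_id, as_of)
    return {"recorded": True, "source": source, "notify": notify}


# Constructed sample data (not real sales, consumers or recipients).
NOW = datetime(2019, 11, 1, tzinfo=timezone.utc)
SAMPLE_SALES = [
    {"consumer_id": "c-1", "recipient": "AdNet A", "sold_at": NOW - timedelta(days=10)},
    {"consumer_id": "c-1", "recipient": "AdNet A", "sold_at": NOW - timedelta(days=40)},
    {"consumer_id": "c-1", "recipient": "DataBroker B", "sold_at": NOW - timedelta(days=89)},
    {"consumer_id": "c-1", "recipient": "Old Buyer C", "sold_at": NOW - timedelta(days=120)},
    {"consumer_id": "c-2", "recipient": "AdNet A", "sold_at": NOW - timedelta(days=5)},
]


def demo():
    """Browser signal only, no button click: still a DNS request under the regs."""
    opt_outs = {}
    result = handle_opt_out({"User-Agent": "x", "dnt": "1"}, "c-1",
                            SAMPLE_SALES, opt_outs, NOW)
    return result, opt_outs


if __name__ == "__main__":
    res, lst = demo()
    print(res)
    print(lst)
```

Note that “Old Buyer C” drops out because its transfer is older than the window, and “AdNet A” appears once despite two transfers. A real implementation would also have to persist the opt-out list and the sale log, and to decide how to match a DNT-bearing browser to a known consumer, which the regs leave open.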

Confirming opt-out prior to reselling third-party PI: One of the things that made sense about CCPA was that everyone was responsible for their own business. The original collector of the data has obligations. If it doesn’t fulfill those obligations, theoretically, it will get in trouble. Under the AG regs, businesses that obtain PI from a third party may not sell that PI unless they go back to the consumer and make sure they were offered an opt-out option (Yeah, right.) or get a signed affidavit saying the same from the third party they got the PI from.

The ugh-ly.

Let’s start with the document itself: Quoting Lothar Determann, this IAPP Privacy Advisor article says it best:

“… the regulations ‘demand that businesses “use plain, straightforward language and avoid technical or legal jargon” — a requirement that neither the CCPA nor the regulations are trying to meet in the least, but, hey, “Do as I say, not as I do.”’”

More confusion around “service providers”: As if the CCPA didn’t leave enough questions about when a company is a service provider, when it’s a business, and when it’s a third party, the AG regs include this provision about not using data collected to provide services to one organization for services provided to another organization. On the face, that makes sense, but (in that same Privacy Advisor article) Tanya Forsheit shines some light on why this creates some big challenges:

“Let’s say I share data with a vendor for security services. A good use-case is if I’m a company and I get an IP address from another company in order to provide a service to them — say, a security-related service, a cybersecurity type company — and I get an IP address from a company in order to help them detect fraud. According to the regs, if I use that data, that IP address for another company to provide a service, then I’m no longer a service provider. If that individual says, ‘Don’t share my data,’ the company has to stop sharing that information to protect against fraud. And that doesn’t make sense, because companies often have to use identical pieces of data in order to provide services.”

The biggest UGH-ly: The ugliest thing about this, however, is definitely that we’re not going to see the final version of these regulations until three weeks before CCPA goes into effect — at the earliest. Hopefully, businesses that are affected by the CCPA are already well on their way to a compliance program. So, whether you think these regs help or harm implementation, they’re going to necessitate a thorough review and likely revision of processes and systems that have either just been built or are still being built.

In the meantime, I’ll be hoping the AG receives lots of comments offering solid advice that will be implemented to make this a better regulation for both businesses and consumers. If we’re going to have to modify our processes anyway, let’s do our best to get it right.
