Proposed California Consumer Privacy Act Regulations Issued
When the California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, it became the first comprehensive privacy law in the US. The law becomes operative on January 1, 2020. The CCPA has a reputation for being quickly and sloppily drafted. After the CCPA was passed, at least twenty amendments to address ambiguities, technical problems, drafting errors and substantive changes were considered before the California Legislature went into recess for the last time in 2019. Eight of these amendments were passed.
The CCPA requires that the California Attorney General (CAG) adopt implementing regulations on or before July 1, 2020. It also specifies that the CAG will not bring any enforcement actions regarding the CCPA until the sooner of six months after the publication of these final regulations, or July 1, 2020.
On October 11, 2019, the CAG issued proposed implementing regulations for the CCPA. There will be four public hearings in early December, and written comments can be submitted by December 6, 2019.
The CCPA Requirements
Generally speaking, credit unions are likely subject to the CCPA’s requirements, assuming that it meets one or more of the threshold requirements of the definition of a “business:”
“(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.” California Civil Code §1798.140(c)(1)(A)-(C).
Broadly speaking, the CCPA requires credit unions to:
- Inform consumers, at or before the point of collection, of the categories of personal information that will be collected and the purposes for which the information will be used. Cal. Civ. Code §1798.100(b).
- Disclose certain information in an online privacy policy in any California-specific description of consumers’ privacy rights or its website. Cal. Civ. Code §§1798.105(b); 1798.110(c); 1798.115(c); 1798.125(b); 1798.130(a)(5); and 1798.135(a)(2).
- Respond to verified requests from consumers for disclosure of certain information (called a “Request to Know”). Cal. Civ. Code §§1798.100(a),(c)-(e); 1798.110(a); 1798.115(a)-(b); 1798.130(a)(1)-(4),(b)-(c); and 1798.145(g).
- Respond to verified requests from consumers for deletion of certain information (called a “Request to Delete”). Cal. Civ. Code §§1798.100(c)-(d); 1798.105(a); 1798.130(a)(1)-(2),(b)-(c); and 1798.145(g).
- Provide notice of consumer’s right to opt out of the sale of their information, a mechanism for opting-out of that sale, and honor any such opt out. Cal. Civ. Code §§1798.120 and 1798.135(a)(1)-(2),(a)(4)-(5),(c).
- Not discriminate against any consumer because they exercised their rights under the CCPA, though it does allow for providing financial incentives for the collection or sale of information with certain disclosures and an opt-in by the consumer. Cal. Civ. Code §1798.125.
The CCPA also creates a private right of action for California consumers whose unencrypted personal information is breached as a result of a failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the information. Cal. Civ. Code §1798.150. This is obviously a very high-level summary. The rule contains specific rules for minors under 13, a prohibition against consumers waiving these rights, and more.
There are also several exceptions in the CCPA which might be relevant to credit unions. In particular, the CCPA exempts information collected pursuant to the Gramm-Leach-Bliley Act (GLBA) from the substantive requirements listed above, with the exception of the private right of action regarding a breach. Cal. Civ. Code §1798.145(e).
The CCPA Proposed Regulations
The proposed regulations do not include specific implementing rules for every piece of the CCPA. The CCPA directed the CAG to issue implementing rules and procedures for several provisions including the notice provisions, how to receive and respond to opt out requests, and specifics regarding the nondiscrimination rules and permissible financial incentives. Cal. Civ. Code §1798.185(a). Other provisions, such as the operation of the GLBA exception, did not receive any further implementing guidance.
Regulations on the Notice Provisions
The proposed regulations contain form, content and delivery requirements regarding the initial notice prior to collection of personal information, the notice regarding consumer’s ability to opt-out of sale of their information, the disclosure of financial incentives for the collection or sale of information and the online privacy policy posted to the credit union’s website. See, Proposed Text of Regulations, Article 2, §§999.305 - 999.307 (pp. 3-10).
Regulations on Responding to Requests
The proposed regulations also require that businesses provide two or more methods for consumers to submit and discuss requests to know, requests to delete or requests to opt-out. The proposed regulations describe methods that are required or acceptable for each type of request, and specify that one of the methods must be the primary method by which the business interacts with consumers, even if this requires offering more than two methods. See, Proposed Text of Regulations, Article 3, §999.312 (pp. 10-11).
Methods of Submission |
Requests to Know |
Requests to Delete |
Requests to Opt-Out |
Toll-free number |
Required |
Acceptable |
Acceptable |
Interactive webform via the website or mobile application |
Required, if a website is maintained |
- |
Required |
Link or form via the website |
- |
Acceptable, if two-step process including confirmation is used. |
- |
Designated email address |
Acceptable |
Acceptable |
Acceptable |
Form submitted in person |
Acceptable |
Acceptable |
Acceptable |
Form submitted in the mail |
Acceptable |
Acceptable |
Acceptable |
User-enabled privacy controls |
- |
- |
Required, if information is collected online |
The proposed regulations provide procedures and requirements for responding to these requests. See, Proposed Text of Regulations, Article 3, §§999.313; 999.315 - 999.316, 999.318 (pp. 11-13, 15-16, 17-18). The CCPA requires a business to disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. Cal. Civ. Code §§1798.130(a)(2). The law allows for extensions up to 90 days. Cal. Civ. Code §1798.145(g)(1). The regulations further require a business to confirm receipt of the verified request within 10 days and notify the consumer of how the request will be processed. See, Proposed Text of Regulations, Article 3, §999.313(a) (p. 10).
The proposed regulations require training for staff responsible for handling consumer inquiries regarding the CCPA, its requirements and how consumers may exercise their rights. The regulations require that businesses maintain records of requests and responses for at least 24 months. The proposal also requires the compilation and disclosure of certain metrics regarding these requests by businesses that collect the personal information of 4 million or more consumers. See, Proposed Text of Regulations, Article 3, §999.317 (pp. 16-17).
A business is not required to respond to a request to know or request to delete unless it has verified the identity of the individual making the request. The proposed regulations establish some principals and factors which should be used to establish a method of verifying the identity of those making requests. See, Proposed Text of Regulations, Article 4, §§999.323 - 999.326 (p. 18-21).
Because the CCPA also has rules for minors and specifically for those under 13, the proposed regulations address requirements specific to those consumers. See, Proposed Text of Regulations, Article 5, §§999.305 - 999.307 (pp. 21-22).
Regulations Regarding Non-Discrimination
The CCPA does not permit a credit union to discriminate between those that exercise their rights and those that do not, including charging different prices for goods or services. However, the rule does provide for offering a financial incentive for consumers to share or permit sale of their information, assuming that financial incentive is related to the value of the data being shared or sold. In the proposed regulations, the line between discrimination and a financial incentive are illustrated by a few examples. See, Proposed Text of Regulations, Article 6, §§999.336 (p. 23). The proposed regulations also contain rules for calculating the value of consumer data. See, Proposed Text of Regulations, Article 6, §§999.337 (p. 23-24).
As stated, written comments to these proposed regulations can be submitted by December 6, 2019. NAFCU will be commenting on the proposed regulations and if you have thoughts about the proposal, please reach out to Mahlet Makonnen on the NAFCU Regulatory Affairs Team.