Prifina’s Comments on the Proposed CCPA Regulations (Oct. 2020)
On October 12, 2020, the Department of Justice released a third set of proposed modifications to regulations outlined in the California Consumer Privacy Act (CCPA), which originally went into effect on August 14, 2020.
The Department of Justice proposed a number of modifications in three main areas:
(a) how notices about the consumer’s right to opt out from sales of data should be given when businesses interact in brick-and-mortar situations or when consumers are approached by a phone call;
(b) how businesses should process requests to opt-out;
(c) some improvements to consumer-to-business interaction via authorized agents.
The Prifina team closely assessed the proposed amendments and wrote a concise letter to the Office of the Attorney General (OAG) with some recommendations. Below, we provide some highlights of the proposed modifications and Prifina’s proposals regarding which issues the OAG should take into consideration when enforcing the regulations.
a) Notices about opting-out from sales of data
One of the cornerstone issues of the CCPA is the right of consumers to opt out of sales of personal data. Opting out means that companies and third parties would no longer be able to sell the consumer’s personal data. Pursuant to the CCPA Regulations, businesses are required to inform consumers about their rights and how those rights can be exercised. The October 2020 modifications touch upon situations where consumers interact with businesses (i) in brick-and-mortar settings and (ii) in conversations over the phone.
To begin with, it goes without saying that customer data is collected by most brick-and-mortar businesses (unless you are buying a hot-dog in the street and are paying in cash). In most of the brick-and-mortar establishments, customer data is collected whenever a customer makes a payment via a credit card, signs waivers, or is filmed by a security camera. Hence, if offline businesses sell their customer data to third parties, such businesses also are obliged to notify the consumers about the right to opt-out of sales of data.
From an individual consumer perspective, notifications about the right to opt out could be made either (a) at the time the consumer enters the space; (b) when the consumer signs a waiver or makes a payment; or (c) when the consumer leaves the establishment. Opt-out notices could be a simple set of words (e.g., “we do not collect your data”, “we do not sell your data”, “we sell your biometric data, ask our staff how to opt out”, etc.). Businesses may even consider using certain visual icons to communicate with consumers about data collection practices at a given location.
We suggested that the OAG consider which steps it should take to facilitate the creation of easily legible icons for “data collection” and “data use”. In creating icons that inform consumers about data collection practices, data use practices, and consumer data rights, the OAG may collaborate with businesses and researchers, or create a more formal study group consisting of business representatives, academics, researchers, legal experts, and designers. Such icons for data disclosures play a powerful role in promoting consumer data literacy in both brick-and-mortar and online interactions.
b) Processing requests to opt-out
The proposed S. 999.315(h) of the CCPA Regulations provides an illustrative list of situations that the Department of Justice would consider as “impairing” or “subverting” a consumer’s choice to opt out (e.g., additional steps to verify the identity of the consumer, using complicated language to explain the opt-out process, requiring consumers to indicate reasons for opting out, etc.).
Prifina believes that providing illustrative examples of practices that businesses should avoid is certainly helpful, but while examples provided in Section 999.315(h) are relevant today, it’s not certain that they will still be meaningful in the future. With that in mind, it would be reasonable for the OAG to follow emerging CCPA compliance practices and regularly update their list of prohibited practices that hinder the consumer’s ability to opt-out of sales of personal data.
More specifically, Prifina has noticed that businesses tend to require additional information from consumers, a practice they justify by citing the need to “verify the identity” of the consumer. We’ve noticed that in some instances, the verification process ends up being quite time-consuming and involves multiple steps. This is quite a cumbersome experience for consumers. In practical terms, businesses need to find more efficient ways to structure their data and establish record-keeping practices. To facilitate this, the Prifina team suggested that the OAG provide non-binding guidelines and recommendations to help businesses transition toward more efficient data practices.
c) Authorized Agents
The final major area impacted by new modifications relates to the interaction between consumers and businesses via authorized agents (S. 999.326). Authorized agents are expected to play an increasingly important role as consumers become more data-savvy and seek to control how third-party service providers use their personal data. The CCPA framework allows consumers to rely on “authorized agents” to submit requests to know what kind of data has been collected (i.e., requests to know what information a business collects about the consumer and for copies of collected data) or requests to delete data.
The earlier version of the CCPA Regulations was unreasonably restrictive and seemed out of touch with how communications take place in the digital environment (e.g., the authorized agent was required to have signed a permission document from the consumer).
Here is a screenshot of the proposed modifications with regard to authorized agents:
Prifina welcomes the proposed modifications to Section 999.326(a). They should help make consumer interactions with businesses via authorized agents much smoother.
It’s important to remember that one of the main incentives for consumers to employ authorized agents is their desire to reduce the hassle related to dealing with third parties that process consumers’ personal information. In practice, balancing security, fraud prevention, transparency, and efficiency of communication can be quite challenging. Therefore, removing the option for businesses to require authorized agents to provide written permission documentation from the consumer is definitely a positive step forward. Regulators should seek to create an environment in which consumer interactions with businesses via authorized agents are frictionless.
Nevertheless, the proposed modifications still allow businesses to add an additional verification step in the request process, leaving an ample array of options for businesses to delay the fulfillment of requests submitted via an authorized agent. This gives businesses the ability to ask consumers to either verify their identity, confirm that they have authorized the agent to act on their behalf, or do both (double verification). This could have quite an adverse effect on consumers, given that the whole point of using authorized agents is to streamline the opt-out process and avoid multiple verifications that are employed by businesses on a case-by-case basis.
Suggestion #1. The consumer’s “signed permission to submit request”, should be deemed sufficient, unless there are reasonable grounds to believe otherwise. One possible solution to resolve this information asymmetry is to create an industry-wide template of a “signed permission to submit request,” which should be deemed sufficient permission for businesses receiving requests submitted via an authorized agent. This signed permission template could be prepared by the OAG, which could then cooperate with industry and consumer representatives. This would help find balance between different regulatory objectives, save time, cost, and reduce information asymmetries between all parties involved.
Suggestion #2. In situations where consumers interact with businesses via authorized agents, businesses should have a designated point of contact with whom authorized agents can interact. This would facilitate interaction between authorized agents and businesses.
Suggestion #3. In case the OAG decides to keep the proposed structure of Section 999.326(a), we would like to suggest narrowing down the scope of subsections (1) and (2) by adding an additional qualifier that would allow businesses to contact consumers only in cases where an authorized agent has not provided reasonable proof of the existence of a signed mandate.
The full document with Prifina’s comments is available here.
Connect With Us and Stay in Touch
Prifina helps individuals get bespoke value from their personal data and provides tools for developers to build applications on top of user-held data.