By Anne Kimbol, Chief Privacy Officer
On October 11, 2019, the Notice of Proposed Rulemaking Action (NPRA) was released by the California Department of Justice, specifically the Attorney General’s Office (AG). The AG also announced four public hearings and a written comment period for feedback on the NPRA.
If you have read the California Consumer Privacy Act (CCPA) draft regulations, you know that there are moments of much-needed clarity and some “head tilting” language. The CCPA itself has weaknesses in its drafting that complicate compliance even for the most privacy-focused businesses. Greater importance has been placed on the regulations, since they should tell us what the CCPA means, or should suggest, in practice. While these regulations are still in draft, they give us insight into what to anticipate enforcement may be. Overall, the AG has done a decent job helping comply with the CCPA’s language on notices, verifying consumer requests, and responding to consumer requests. What is less clear is precisely where the line between financial incentives and discriminatory practices lives and how best to calculate the value a business receives from selling a consumer’s personal information.
Let’s start with the weaknesses, so we end on a good note. The language appears to say that businesses must comply with “Do Not Track” settings on a browser. While this makes a lot of sense, it leaves businesses trying to figure out when the setting was first used – something people much more technically inclined say will be almost impossible – to appropriately respond. HITRUST intends to suggest to the AG in our comments on the NPRA that this be clarified.
I have repeatedly read the proposed regulations on financial incentive program notices and on which practices would be considered discriminatory by the AG. While it is nice to know what should be in a notice of a financial incentive, please do not ask me about whether any examples other than those used in the NPRA would be considered appropriate versus discriminatory since that remains unclear.
In the “both helpful and really not” category is the regulation in the NPRA relating to calculating the value of consumer personal information. It helps by fixing the typo in the CCPA as it clarifies it is the value to the business, not the consumer, of the consumer’s personal information that can relate to pricing differences. However, it lists eight possible ways, including “any other practical or reliable method” to calculate that value, which provides little clarity. Providing nothing would be less helpful, but particularly for smaller or less sophisticated businesses, I still see challenges arising in this area.
In terms of strengths, the NPRA itself is a thoughtful document. The AG has provided a plain-language summary of the CCPA, one of the more comprehensive privacy laws in the United States, if not the most comprehensive to date, and, if that wasn’t enough, it includes headings as part of the summary. (Side note – Adding section headings is a piece of the proposed California Privacy Rights and Enforcement Act of 2020 released by Californians for Consumer Privacy, which prompted me to applaud in my office. That document is also a fascinating read, but outside the scope of this particular blog post).
In several sections, including in some definitions, the AG has provided examples, which are very helpful for interpretation of the law. Yes, they come with the usual “including but not limited to,” but knowing what the AG considers a category of service providers or third parties is a significant help in drafting CCPA-compliant notices and consumer responses. Note the comments above, though, about where the examples are not particularly helpful.
Notices must be provided in the languages in which the business customarily interacts with its consumers. In a state with such a diverse population, this guidance is beneficial.
The AG has clarified that a two-step process is required to opt-in for the use of minors’ information and has provided some clarity on how to verify a consumer request is from the consumer. Businesses can use existing accounts with proper authentication requirements so long as it is not aware of a breach of that information.
Requests to access or delete household information can be responded to in the aggregate if a consumer does not have a password-protected account with the business. While this doesn’t help with the privacy concerns raised by defining personal information in a way that links with a household, it is at least a step in the right direction.
The NPRA would require a risk-based analysis for the level of verification needed relating to consumer requests. This analysis balances the need for protecting privacy when disclosing information to a consumer with the idea that consumers should be able to get their information relatively easily if the data itself has a low risk attached. For better and for worse, the NPRA does not define reasonable security measures, although it requires them in some sections. HITRUST supports this approach as security threats, and therefore appropriate controls, are continually evolving. We are suggesting to the AG, as we did in response to the initial comment period, that a safe harbor is provided to businesses certified under programs like the HITRUST CSF Assurance Program™. In the CCPA, having appropriate security can provide mitigation or even safe harbor against some enforcement mechanisms. Having assurances that the AG will recognize HITRUST CSF Certification or something similar to meeting the standard would give clarity on how appropriate security is interpreted.
In the HITRUST CSF version 9.3, HITRUST added mappings to the CCPA based on the language as amended before November 1, 2019. HITRUST continues to monitor the draft regulations and other potential changes to CCPA compliance to ensure it remains up to date with the legal requirements. Performing a privacy and security assessment using HITRUST CSF v9.3 and including the CCPA as a regulatory factor will provide the information you need to assess your compliance and improve it as needed. We will comment on the AG’s draft rules as appropriate and will keep you posted as changes are made to aid you in complying with this admittedly complicated law.
In summary, the AG has taken a poorly drafted law and explained how to comply with it, for the most part. Some of the critical areas in the original legislation that raised concerns, however, are not addressed, and some of the proposed regulations create difficulties. That said, hats off to the AG for his work.
I look forward to seeing the final product and ensuring the HITRUST Approach® incorporates any changes needed to relevant requirement statements.