1. Treating a rebuffed deletion request as a "do not sell" request
Many companies have been struggling with how to verify the identity of people who have not previously established accounts with them and who present themselves with a CCPA request. The new rules just complicated their plans: “For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 4, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified and shall instead treat the request as a request to opt-out of sale.” (§ 999.313(d)(1)) Businesses affected by this requirement will need to figure out how to convert a potentially wide array of digital identities not meeting minimum authentication standards into identities robust enough to prevent their data from being ‘sold’. For large corporations, for example, this could mean integrating central control of third-party cookies across their various brand websites with a consumer identity-management platform.
2. Calculating the value of personal data
This rule, if finalized as written, will bring together marketing and privacy leaders like never before. It says businesses “shall use and document a reasonable and good faith method for calculating the value of the consumer’s data” (§ 999.337) and provides a number of examples that could meet their criteria. Businesses will need to formalize their consumer-data strategies and a corresponding financial model for which there are few industry standards.
3. Giving a notice of financial incentive for data retention or sale
Businesses will now need to “explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information” (§ 999.307). Businesses operating loyalty programs or other incentives for data collection will need to adopt a new level of transparency that may affect both consumer perceptions as well as their competitive positioning.
4. Record-keeping requirements for businesses that receive or buy personal information
“A business that alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers…” (§ 999.317(g)) shall be required to maintain statistics on the number of requests received, the number responded to, and the number of days taken to respond, and to include these statistics in its privacy policy or on its website. Tracking and reporting these metrics could require a new level of ongoing oversight of a company’s supply chain and create a new level of transparency affecting competitive positioning.
5. Attestations for the sale of personal information
Businesses that intend to sell personal information that was not obtained directly from a consumer must “obtain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice. Attestations shall be retained by the business for at least two years and made available to the consumer upon request.” (§ 999.305(d)(2)(b)) Businesses that extract value from client or partner data and do not collect information directly from consumers—such as data brokers, credit-reporting agencies, and re-insurers—may be required to revisit their data collection and consent processes.
6. Opt-out notification to third parties
Upon receiving an opt-out request from a consumer, businesses are required to notify all third parties to whom they have “sold the consumer’s personal information within the prior 90 days” (§ 999.315(f)) that the consumer has exercised their right to opt-out. This notification must instruct third parties to stop the sale of the consumer’s information, and businesses must also inform the consumer when this notification has been provided. Businesses involved in ‘data selling’ will need to maintain meticulous personal information inventories, tracking time thresholds not typically recorded, in order to meet this 90-day timeline.
7. Training individuals responsible for handling consumer inquiries
“All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA shall be informed of all the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.” (§ 999.317(a)) Businesses preparing for large volumes of requests will be most impacted, as they will now have to train their workforce on CCPA requirements.