In early June, the California Attorney General filed final CCPA regulations with the California Office of Administrative Law. The final regulations were accompanied by a 59-page Final Statement of Reasons along with six appendices containing over 500 pages of comments on the regulations and the Attorney General’s responses to those comments. One of the many topics that the Attorney General’s office discussed was the final regulation’s requirements for drafting privacy policies. Given that the drafting of a privacy policy is a necessary part of CCPA compliance, it is worth analyzing those comments.
By way of background, section 999.308 of the final regulations prescribes the information businesses must provide in their privacy policies. Among other things, section 999.308 requires businesses to:
- Explain that a consumer has the right to (1) request that the business disclose what personal information it collects, uses, discloses, and sells; (2) delete that information; (3) opt-out of the sale of personal information; and (4) not be discriminated against for exercising those rights;
- Provide instructions for submitting verifiable requests to know and delete;
- Describe in general the process the business will use to verify consumer requests;
- Identify the categories of personal information the business has collected about consumers in the preceding 12 months, the categories of sources from which the personal information was collected, and the business or commercial purposes for collecting or selling personal information; and
- Identify the categories of personal information, if any, that the business has disclosed for a business purpose or sold to third parties in the preceding 12 months and, for each category, identify the categories of third parties to whom the information was disclosed or sold.
The office was presented with a host of comments, criticisms, and suggestions regarding that regulation.
To facilitate the drafting process, many commentators requested that the Attorney General’s office provide model notices. The office rejected that request, stating that “[f]urther analysis is required to determine whether to provide models, sample language, and/or templates in the future.” See Appendix A, Responses #917 & 269.
The office further explained that it had considered and rejected a “more prescriptive approach in the format and method” for privacy policies and instead the “regulations provide . . . business[es] with discretion in determining the best way to communicate the required information and provides them with the flexibility to craft the notices and privacy policy in a way that the consumer understands them, so long as it meets baseline requirements set forth in the CCPA and these regulations.” See, e.g., Appendix A, Response #110.
The Attorney General also refused to state whether businesses could use existing notices, such as those required by the Gramm-Leach-Bliley Act (GLBA), to comply with the CCPA’s requirements. The office stated that “[g]iven the wide variety of different industries subject to both the CCPA’s notice requirements and additional notice requirements under other laws, there are many different ways in which businesses may comply with the laws.” However, “[n]either the CCPA nor the regulations proscribe that [the] CCPA notice must be separate, as long as the CCPA notice complies with the CCPA and its regulations.” See Appendix A, Response #269; see also Appendix A, Response #268 (stating, in response to comment that “[b]usinesses should be permitted to use and appropriately modify existing formats, such as under GLBA,” that the “comment’s proposed change is not more effective in carrying out the purpose and intent of the CCPA because it is not necessary for the OAG to state whether a business may use and appropriately modify existing formats.”).
The office also rejected many commentators’ request to “harmonize and align the CCPA’s requirements with existing privacy laws” such as the California Online Privacy Protection Act (CalOPPA), the European Union’s General Data Protection Regulation (GDPR), and the Children’s Online Privacy Protection Act (COPPA). The office observed that the CCPA and GDPR “differ in several important respects” and that it had “made every effort to utilize existing privacy frameworks in the regulations, where appropriate.” See Appendix A, Response #856.
Ultimately, the office’s unwillingness to provide further guidance means that businesses have greater flexibility in drafting their privacy policies, but also are without clear direction for how to comply with the CCPA’s disclosure requirements. The task of drafting a privacy policy is even more challenging for businesses subject to other privacy laws, such as the GDPR, California’s Shine the Light Law, CalOPPA, or the online privacy policy disclosure laws in Delaware and Nevada. Businesses will need to ensure that their disclosures meet the requirements of all laws to which they are subject, in a policy that is transparent and easy for consumers to understand.