NOTICE OF THIRD SET OF PROPOSED MODIFICATIONS TO TEXT OF CCPA REGULATIONS

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of a third set of proposed modifications made to the regulations regarding the California Consumer Privacy Act.    

The Department first published and noticed the proposed regulations for public comment on October 11, 2019.  On February 10, 2020 and March 11, 2020, the Department gave notice of modifications to the proposed regulations, based on comments received during the relevant comment periods.  The Department withdrew the following sections from the review of the Office Administrative Law (OAL) pursuant to Government Code section 11349.3, subd. (c):  999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c).  OAL approved the other sections submitted by the Department, effective August 14, 2020, and these provisions became final.

The modifications are indicated by bold blue underline for proposed additions and red strike out for proposed deletions to the regulations that became effective on August 14, 2020.  This third set of modifications include the following changes:

  • Proposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
  • Proposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps.  It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.
  • Proposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
  • Proposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.

This Notice, the text of the third set of proposed modifications to the regulations, and a comparison of the text as approved by the Office of Administrative Law with the currently proposed modifications are available at www.oag.ca.gov/privacy/ccpa/current.  The originally proposed regulations and all documents relating to the rulemaking package, including previous modifications to the proposed regulations, are also available at this website.

The Department will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020. Please limit comments to the additions indicated in bold blue underline and the deletions indicated in red strike out.  All written comments on the underlined changes must be submitted to the Department no later than 5:00 p.m. on October 28, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail to the address listed below.

CCPA Proposed Regulations Submitted to the Office of Administrative Law

California Attorney General Xavier Becerra submitted final proposed regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The regulations will provide guidance to businesses on how to comply with the CCPA and will enable consumers to exercise new rights over their personal information. Under Executive Order N-40-20 related to the COVID-19 pandemic, OAL has 30 working days and an additional 60 calendar days to determine whether the regulations satisfy the procedural requirements of the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

A copy of the complete rulemaking package submitted to OAL, including a text of the regulations, can be found at www.oag.ca.gov/ccpa.

The final proposed regulations were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which were taken into consideration when drafting the final regulations.

FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email

The Federal Trade Commission finalized a settlement with an email management company that allegedly deceived some consumers about how it accesses and uses their email.

The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.

In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.

As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.

After receiving two comments, the Commission voted 4-0-1 to approve the settlement with Unrollme as well as responses to the commenters. Commissioner Rohit Chopra abstained from the vote.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers InsuranceReach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

5 Ideas To Kickstart Your Governance, Risk and Compliance Program in the New Year!

We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling next year.

1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!

For example:

  • Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
  • Retention policies can be used as virtual blueprints to justify and destroy, costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
  • Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.

Executives need to make sure they are told what they need to hear, not what they want to hear.

3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is because of a lack of policy organization within their OWN departments.

Lack of procedural consistency, ownership of policy and overlap and confusion over a directives authority in can create even more conflict, risk and uncertainty for an organization. But relying on institutional knowledge and spreadsheets just doesn’t cut it anymore. That’s why every regulated company needs a strong technology backbone in the form of a GRC or governance risk and compliance software.

4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.

Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organizations external data, whether it’s private in nature or otherwise.

5. Finally, risk is not a one size fits all problem. Investment needs to be proportional to the exposure. That’s why it’s important to spend enough time planning your long-term strategy rather diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Extends Deadline for Comments on COPPA Rule until December 11

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.