Proposed CCPA Regulations are Published Creating a Litigation Mine-Field
The California Attorney General’s Office finally released proposed regulations to govern how the California Consumer Privacy Act (“CCPA”) will be implemented. These proposed regulations will guide how the Attorney General’s Office regulates businesses under the CCPA and will be cited extensively by California and federal courts when confronted with legal challenges related to the CCPA. As expected, the proposed regulations offer a lot of extra details, but provide little concrete guidance for businesses that are attempting to comply. As a result, the regulations create an enormous potential for litigation over every aspect of the CCPA and these regulations. The effective date for compliance with the CCPA is January 1, 2020. Every business trying to comply with the CCPA will need to retain an experienced San Diego corporate attorney.
As an example, the proposed regulations address the question of what notices must be provided on your company’s website. The proposed regulations — see full regulations here — require that all notices must be “in plain language and avoid technical or legal jargon.” That may sound like helpful guidance, but in practice, this one regulation is several lawsuits waiting to happen. What is “plain language” and what is considered “jargon?” Further, notices on your website must be in a format that “… draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens.” This is probably the idea of “conspicuousness” but there is little practical guidance here. Litigation is sure to follow testing what it means to “draw the consumer’s attention…” Litigation is also likely if the notices are even slightly less legible on “small screens.”
Notices must also be available in all languages “… in which the business communicates to consumers in the ordinary course of business.” One can see many litigation risks in this provision. Likely, businesses will err on the side of caution and have their notices provided in several languages. Constant vigilance may be needed here if your website begins to draw traffic from new places on the globe. Finally, more potential litigation is created by the next regulation that requires notices be “accessible” to those with disabilities. There is already significant litigation with respect to web accessibility; this will add fuel to that fire.
Another example of litigation-risk enhancement is seen in the proposed regulations for consent. In general, if your website or business collects information, the consumer must consent and must also consent to the use to which you will put the information. “To complete your transaction” is one example of a use to which information can be put, but there are many others. The proposed regulations specify that a business cannot use any collected personal information for any purpose or purposes other than those disclosed in the notice at the time of collection. Later, if the business wants to use the information for some other/new purpose, the business must go about collecting a new consent from the consumer. That sounds cumbersome.
Likely, many businesses will choose to obtain consent-to-use for the broadest possible set of uses. But litigation will surely follow and challenge that strategy. It seems likely that the courts will not allow consumers to consent to have their information used “for any and all possible purposes.”
A similar litigation minefield is created by the regulations related to requests from consumers for information and/or for deletion. Under the CCPA, consumers have the right to know what information has been collected and also a separate right to have information deleted. The regulations require that a business acknowledge receipt of such a request within 10 days and that a response be made within 45 days. However, a request can be ignored if it “creates a substantial, articulable, and unreasonable risk to the security of that personal information.” A list of information that should never be disclosed includes social security numbers, driver’s license numbers, other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, security questions and answers, and more. There is an exception where the consumer maintains a “password-protected” account with the business. Then, the high-risk information can be disclosed. The litigation risks here are obvious; failure to provide the information might get you sued; turning over the wrong information might also get you sued.
There is a similar set of vagueness with the regulations concerning consumer identification. A business has an obligation to keep information secure and not disclose it to those who might be impersonating that consumer. So, how does a business verify the identity of the consumer? The regulations suggest a sliding-scale by which the degree and strength of the security protocols must advance to match the degree of the sensitivity of the information. Further, the regulations suggest this will be a moving target since one factor to be considered is the “technology available for verification.” Again, these regulations are not helpful and simply expand the likelihood of litigation over every issue, large and small.
The proposed regulations are open for comment until early December 2019.
Contact San Diego Corporate Law Today
For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard provides a full panoply of legal services for businesses including formation of corporate entities of all types. Like us on Facebook.