CCPA Regulation Recommendations by EFF to CA Attorney General
The Electronic Frontier Foundation has published the comments it submitted to the California Attorney General as part of the California Consumer Privacy Act rulemaking process. The request for regulations centered around verifying consumer requests and the methods for opt-out requests under the Do Not Sell My Personal Information requirement.
The EFF has previously sent commentary on two separate occasions to the California legislature arguing for changes or additional protections in the CCPA provisions for privacy. However, those requests were not included in the letter to the California Attorney General, which is tasked only with issuing final regulations clarifying the law. We wrote about the substantive changes letter in December and the technical corrections for SB 1121 previously suggested in August.
We have previously published a summary of the comments from the Interactive Advertising Bureau (IAB) and the Association of National Advertisers (ANA) (link here). We believe that these comments will all be made public by the California Attorney General eventually but if you are aware of others that are public in the interim, please send us a link to add to the compilation.
Here is a summary of the EFF recommendations:
Verification of Consumer Requests
The EFF discusses the methods for businesses to verify consumer requests for both the right to access and the right to delete. For the right to access, it breaks down the methodology suggested for both password protected accounts and other scenarios (consumers without password protected accounts).
– Verification of Password Protected Accounts
The EFF recommends that a business re-authenticate the user both when a request for access is received through a password-protected account and again when the information is actually accessed. The scenarios the EFF wants this to guard against include the theft of a laptop and the use of a shared public computer where the user neglects to sign out. The EFF would also like two-factor authentication to be encouraged, particularly where 2FA has already been enabled on the account or the required information has already been provided. However, it does not want the AG to require 2FA, because a reasonable user might not choose to associate their identity with an account. It identified whistleblowers, social media activists, and survivors of spousal abuse or sex trafficking as among those who should be able to exercise their rights without linking their identity to their account.
– Verification for the Right to Access in Other Scenarios
The EFF has identified a few different scenarios where a consumer would have no account with a business but may still request access to their information. These include an offline credit card purchase (at a bricks-and-mortar store) or a purchase as a guest of a website, a business that collects data from consumers without accounts (such as website visitors tracked via third-party tracking tools), and data brokers that purchase or collect information on consumers from other parties. The EFF has requested different approaches for different contexts, identifying the cases of data associated with a real identity, a communication address, a device, a unique device identifier, or online tracking tools. For these scenarios, the EFF makes the following suggestions on how to verify the request:
Data Associated with a Real Identity – Proof that the individual is the consumer such as a credit card number, license plate number or biometric identifier.
Data Associated with a Communication Address – Verification that the consumer has control of the address by, for example, sending a confirmation link.
Data Associated with a Device – Proof that the consumer owns and controls the device and was in control of it at the relevant time. The EFF suggests that a device shared by more than one consumer should require consent from all of those consumers.
Data Associated with Online Tracking Tools – Reasonable proof that the consumer was the sole person identified by the tracking tool for the duration of the data collection. If the company knows the user’s identity, then identity verification.
– Third-Party Requests for Right to Access
The CCPA allows authorized third parties to make requests on behalf of consumers. The EFF recommends that in this context the AG specify that businesses require proof that the consumer actually instructed the agent to make the request. It characterizes the issue as a data security concern, since agent requests could be used as “a new attack vector that data thieves might attempt to exploit.”
– Deletion Requests
The EFF recommends that deletion requests receive the same level of verification even though they pose fewer privacy concerns. It addresses the matter as one of “significant information security concerns.”
Right to Opt Out
The EFF has recommended that the AG require businesses interacting with consumers over the internet to honor a browser request made through an appropriate Do Not Track system as an opt-out from the sale of the consumer’s data, unless the consumer otherwise decides to opt in. If the user is logged in or can otherwise be verified as the account owner, the EFF requests that the signal apply as an opt-out for all data sales for that individual. Otherwise, for individuals who cannot be tied to an account, the DNT header would act as an opt-out solely for data collected during that particular session.
The EFF concluded that verification of the consumer’s opt-out is not required because it presents “little or no privacy or security risk,” and the user can easily opt back in if wrongdoing is uncovered. It also noted that the CCPA’s verification requirement was not expressly included as part of the right to opt out.