California Attorney General (AG) Xavier Becerra released revised draft regulations for the California Consumer Privacy Act (CCPA) late last week. The AG will accept comments on the revisions until February 25, 2020. The regulations are not yet final, and because the AG has added an additional notice and comment period, it is likely that additional revisions will occur before the regulations are finalized and become effective.
While enforcement of the CCPA cannot begin until July 1, 2020, the AG has stated that he will “look back” to the CCPA’s effective date of January 1, 2020 in assessing a covered business’s compliance — but will also take into account the fact that the regulations were still in flux during that time.
Below is a summary of the revisions made to the original version of the regulations issued last October, with key additions or deletions highlighted. Note that the summary is not an exhaustive list of every change.
Changes to Definitions
- Key Change: Scope of “Personal Information” (PI) Narrowed. The Attorney General added an interpretive section stating that if a business does not and could not reasonably link a piece of information to a particular consumer or household, that information is not considered “Personal Information.” The example given in the regulations involves an IP address, and states that if a business collects the IP address of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, the IP address would not be considered PI.
- Definition of “Household” Changed. The definition of “household” has been revised to mean a group of people who reside at the same address, share a common device or the same service, and are identified by the business as a single account.
- Key Addition (applicable to all Required Notices and Privacy Policies): Accessibility Guidance. To comply with the requirement that all notices be reasonably accessible to consumers with disabilities, the regulations now require that a business follow generally recognized industry standards, such as the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, from the World Wide Web Consortium.
- Key Addition (for Mobile Device Collection): Pop-Up Notices. For data collection on mobile devices, when a business collects PI for a purpose that the consumer would not reasonably expect, the draft regulations would require a “just-in-time” (i.e., immediate/“pop-up”) notice containing a summary of the categories of PI being collected and a link to the full collection notice (which should be available on the app’s download page and settings menu).
- Oral Notice When Collecting PI in Person or Over the Phone. When PI is collected in person or over the phone, the draft regulations now specifically permit providing the Notice at Collection orally.
- Notice Required for Indirect Collectors Who Are Not Data Brokers. The draft regulations have removed an exemption that previously permitted companies that did not collect data directly from consumers to delay notice until the data was sold. The revised exemption applies only to registered data brokers, and only if they provide separate opt-out instructions.
- Opt-Out Button Revealed. The revised regulations provide a sample “button” that may be used in conjunction with, but not in lieu of, the mandatory “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.
Please note that, although the button appears to be a switch, the regulations require that the button actually act as a link to the Notice of Right to Opt-Out, not as a “switch” to actually effect an opt-out.
- Notice of Financial Incentive. The Notice must explain how the incentive or price/service difference is reasonably related to the value of the consumer’s data, instead of why it is permitted under the CCPA. The value of the financial incentive must be calculated in good faith, and businesses that are unable to calculate the value of a financial incentive would be barred from offering one.
- Denial of “Requests to Know” on Security Grounds Removed. The revised regulations removed language that previously permitted a business to refuse to grant a “request to know” if it would present a security risk to the customer or the business. The replacement language permits a business to omit certain categories of PI from an access request, including: PI that is not searchable or reasonably accessible, PI maintained for legal or compliance purposes, and PI that is not sold or used for a commercial purpose. A business must disclose to the consumer what categories of PI it did not search.
- Denial of Request to Delete Must Be Paired With Right to Opt-Out. If a business sells consumer data and denies a consumer deletion request based on a failed verification, the business must then offer the consumer the option to opt-out of the sale of data.
- Deadlines Clarified. The proposed regulations specify: 1) a business must confirm receipt of a request to know or delete within 10 business days, rather than 10 calendar days; 2) a business must comply with a request to opt out within 15 business days; 3) a business must respond to requests to know and requests to delete within 45 calendar days, or upon providing an explanation, within a maximum of 90 calendar days; and 4) a business may now deny a request to know or delete if it cannot verify the request within 45 days.
- Backup Deletions Clarified. When acting on requests to delete, a business can delay its deletion of PI on archived/backup systems until the systems are restored or the PI is actually used for a sale, disclosure or commercial purpose.
- Loyalty Program Examples. The revised regulations provide illustrations of CCPA-compliant and non-CCPA-compliant “loyalty” programs. The examples indicate that a company could maintain a loyalty program and nonetheless deny certain aspects of requests to delete, provided that the information it is refusing to delete is essential to the operation of the loyalty program (such as the consumer’s email address, because that is where loyalty discount coupons are sent).
- Key Clarification: Service Provider Data Use. The revised regulations add several situations in which a service provider (as defined by the CCPA) may use PI without it being treated as a “sale” under the CCPA, most notably:
  - For internal use to build or improve the quality of its services (but not building consumer profiles); and
  - To retain another CCPA-qualified service provider as a subcontractor.
- Service Provider Responses. The service provider does not need to provide as much information as it did under the original regulations in response to a consumer request; it simply must either act on behalf of the business in responding to the request, or tell the consumer that it cannot act on the request because it is a service provider.
- Threshold Increased. The original regulations contained additional reporting requirements for a business that, alone or in combination, bought, received or shared for commercial purposes, or sold the PI of more than 4,000,000 consumers. The revised regulations raise that threshold to the PI of 10,000,000 consumers.