CCPA Regulations Modified
On March 11, 2020, California Attorney General Xavier Barrera released a second set of modifications to the draft California Consumer Privacy Act (CCPA) regulations. The modifications respond to issues raised during the public comment period that took place following the release of the initial set of modifications on February 10. The deadline to submit written comments is March 27, 2020.
The revisions in this draft include:
Changes to Definitions
- Key Change – Removal of Guidance Relating to the Definition of “Personal Information”: Guidance issued in the previous draft stated that information is not “personal information” (PI) if a business is unable to link that information to a particular consumer or household. To illustrate a situation in which personal information would not be collected, the Attorney General provided an example of a business that collects the IP addresses of visitors to its website, but is unable to link the IP addresses to particular consumers or households. This interpretation, which had the potential to significantly reduce the scope of the CCPA, has been removed.
Notice Requirements
- Key Change – Who Must Provide Notice: The draft regulations state that businesses that do not collect personal information directly from a consumer and do not sell personal information are not required to provide notice at or before the collection of personal information.
- Change to Employee Notices: Until the expiration of the provision on January 1, 2021, notices made by a business about the collection of employment-related information are no longer required to contain a link to the company’s privacy policy.
Changes to Requirements for Privacy Policies
- Reintroduction of Categories of Sources and Business/Commercial Purposes: The modified regulations require that businesses identify in their privacy policies the categories of sources from which personal information has been collected as well as the business or commercial purposes for the collection and/or sale of PI. The latter requirement must provide the consumer with “a meaningful understanding of why the information is collected or sold.” Unlike previous versions of the regulations, however, businesses will not have to match this information with the categories of personal information collected.
- Clarification for Businesses That Sell the PI of Minors: The revised regulations clarify that a business with actual knowledge that it sells the personal information of minors under 16 must include a description in its privacy policy of the processes it maintains with respect to minors and the sale of their personal information.
Responses to Requests to Know
- New Requirement Regarding Responses to Requests to Know: Under the CCPA, businesses are prohibited from disclosing high-risk forms of personal information (such as, among others, a consumer’s Social Security number, bank account information or biometric data) in response to verified requests to know personal information. However, the revised regulations now stipulate that businesses must inform the consumer with “sufficient particularity” that they collect that type of information. In other words, a business that receives a verified request for bank account information may not provide a bank account number, but instead must inform the consumer if it does collect that information.
Other Important Changes
- Slightly More Leeway Granted to Service Providers: The revised regulations state that service providers, when acting as such, may “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.” This modification offers slightly more freedom for the ways in which service providers can interact with personal information.
- Pre-Selected Settings: The modified draft eliminates a recently introduced requirement that would have barred use of pre-selected settings in consumer opt-out mechanisms.
- Record-Keeping Requirement: The scope of the record-keeping metrics requirement was modified slightly. It now applies to “a business that knows or reasonably should know” that it buys or receives for commercial purposes, or sells or shares for commercial purposes, the personal information of 10 million or more consumers, rather than 4 million consumers.
- Responses to Requests to Opt In: Upon receiving a verified authorization to opt in to the sale of a minor’s personal information by that minor’s parent or guardian, a business must inform the parent or guardian of their right to opt out and the process for doing so. Previously, the regulations allowed for businesses to inform the parent or guardian “at a later date.”
- Removal of Opt-Out Button: The proposed standard button for use in consumer opt-out requests has been removed.
This article was written by Faegre Drinker’s privacy, cybersecurity and data strategy team.