
California Attorney General Releases Modified Proposed CCPA Regulations

The California Attorney General’s office released a notice of modifications to the proposed regulations for the California Consumer Privacy Act (“CCPA”) on February 7, 2020, and additional updates on February 10, 2020. The release included the text of the modified proposed regulations (“modified regulations”) in a redline version and a clean version, along with a list of documents and other information relied upon in the rulemaking process.

The notice states that the modifications were made in response to public comments received during the initial comment period and to conform the proposed regulations with recent changes in the law.  The California Attorney General accepted written comments regarding the modified regulations until February 25, 2020.  Final regulations are expected to be issued after the comment period, and prior to July 1, 2020, which is the earliest possible day the Attorney General can enforce the law.  A final statement of reasons is expected to be issued with the final rulemaking to provide further context and clarification of the regulations.

The modifications do not change the overall structure of the proposed regulations.  There is no change to the requirements that companies provide notice at the “point of collection” when personal information is collected from a consumer, and provide a broader privacy policy, which may be posted on a website or mobile application.  The modifications do expand on notice requirements by providing that when a business collects personal information over the telephone or in person, it may provide the notice orally.[1]

Some of the other modifications to the proposed regulations included:

  • Guidance on Definition of “Personal Information.” A new section in Article 1, “Guidance Regarding the Interpretation of CCPA Definitions,”[2] provides that whether information should be classified as “personal information” depends on whether the information is kept in a manner that “identifies, relates to, describes, is reasonably capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.”  For instance, if a business collects an IP address but does not link it with other identifying information particular to a consumer, the IP address would not be considered “personal information.”


  • Just-In-Time Notification. A “just-in-time notice” must be provided “when a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.”[3]  The modified regulation provides an example of a flashlight application which collects geolocation information.  Because a consumer would not “reasonably expect” this type of personal information to be collected by the application, a “just-in-time notice” should be provided when the application is opened, such as a pop-up window including the required information.  


  • Guidance on Accessibility of Notices.  The initial proposed regulations included a requirement for notices and privacy policies to be “accessible to consumers with disabilities.”  The modified regulations add that notices must be “reasonably accessible” based on recognized industry standards, such as the Web Content Accessibility Guidelines, v2.1, the standard widely used for compliance with the Americans with Disabilities Act.


  • Reduction in Detail Needed in Privacy Policy.  The initial proposed regulations required the notice of collection to include a list of the categories of personal information to be collected and for each category, the business or commercial purpose for which it would be used. The update removed the requirement to list the purpose for each category, thereby simplifying the notice at collection and the privacy policy.


  • Requests to Know and Requests to Delete.  After receiving a request to know or delete, a business has 10 business days to confirm receipt and provide information about how the business will process the request.  The confirmation can be provided in the same manner in which the request was received.[4] So if a request was received over the phone, confirmation may be by phone. Businesses have up to 45 calendar days to respond to know or delete requests. The modified regulations keep the ID verification requirement, but provide that a business cannot “require the consumer to pay a fee for the verification of their request.”[5] Additionally, the modified regulations allow a business to deny a request to know specific pieces of personal information from a non-accountholder if it cannot verify the identity of the requestor.[6] The search obligations for businesses have also been narrowed for right to know requests.  A business is not required to search for personal information if the business: does not maintain the personal information in a searchable or reasonably accessible format; maintains the personal information solely for legal or compliance purposes; does not sell the personal information or use it for commercial purposes; and describes to the consumer the categories of records that may contain personal information that were not searched.[7]


  • Request to Opt-Out.  The modified regulations add that methods for submitting opt-out requests should be “easy for consumers to execute and shall require minimal steps” which do not have the “purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”[8] Although a business must still provide two or more options for submitting requests, the requirement for an interactive webform has been removed.


  • Service Providers.  The modified regulations clarify some ambiguities regarding the obligations of service providers and how personal information transferred from a business can be used.  Specifically, the modified regulations provide that a service provider cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business.[9] Also, a service provider that receives a request to know or to delete information can respond on behalf of a business or inform the consumer that it cannot act on the request because it is a service provider.


The modified regulations further provide that a service provider cannot retain, use, or disclose personal information obtained in the course of providing services, with limited exceptions such as performing services provided in a written contract with the business that provides the personal information or to “detect data security incidents or protect against fraudulent or illegal activity.”[10]  Also, a service provider may use personal information provided by a business for its internal use to “build or improve the quality of its services” as long as the use does not “include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.”[11]

While the modifications address many key issues, additional updates may be made by the Attorney General at the conclusion of the current comment period. DocMagic will continue to monitor the development of CCPA regulations. To view previous DocMagic articles regarding the proposed regulations, click here (October 2019) and here (January 1).



[1] Modified Proposed Regulations, February 10, 2020, § 999.305(a)(3)(d).

[2] Modified Proposed Regulations, February 10, 2020, § 999.302(a).

[3] Modified Proposed Regulations, February 10, 2020, § 999.305(a)(4).

[4] Modified Proposed Regulations, February 10, 2020, § 999.313(a).

[5] Modified Proposed Regulations, February 10, 2020, § 999.323(d).

[6] Modified Proposed Regulations, February 10, 2020, § 999.325(f).

[7] Modified Proposed Regulations, February 10, 2020, § 999.313(c)(3).

[8] Modified Proposed Regulations, February 10, 2020, § 999.315(c).

[9] Modified Proposed Regulations, February 10, 2020, § 999.314(d).

[10] Modified Proposed Regulations, February 10, 2020, § 999.314(c).

[11] Modified Proposed Regulations, February 10, 2020, § 999.314(c)(3).