On February 7, California’s Attorney General released modified proposed regulations implementing the California Consumer Privacy Act (CCPA). The Attorney General also released an updated version on Monday, February 10, which included an additional revision that had been omitted from the first release.
Many of the revisions—which follow hundreds of comment letters to the Attorney General and a series of public hearings that the Attorney General also held—can be reasonably interpreted to lessen the burden on businesses attempting to comply with the CCPA.
Some of the notable revisions include:
- A new section 999.302, titled “Guidance Regarding the Interpretation of CCPA Definitions,” provides that whether information is “personal information” for CCPA purposes depends on how the business actually maintains it. If a business does not maintain collected information in a way that identifies, relates to, describes, or can be linked to a particular consumer, it would not be “personal information” that would trigger that business’s CCPA obligations. The example offered is an IP address; if a business collects IP addresses, but does not and cannot reasonably link these addresses to a specific consumer, then the address would not be “personal information” even if it hypothetically could be linked to a consumer.
- A new section 999.313(c)(3) allows businesses to decline to search certain records in response to right-to-know requests. Specifically, a business would not be required to search for personal information in response to an access request if the business: (i) does not maintain personal information in a searchable or reasonable accessible format, (ii) maintains the personal information only for legal or compliance purposes, (iii) does not sell the information or use it for a commercial purpose, and (iv) describes to the consumer the categories of records not searched because it satisfied the three conditions above. The same revision deletes a prior clause that specifically prohibited a business from providing specific pieces of personal information if the disclosure would create a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business or the security of the business’s systems or networks.
- The modified regulations clarify that service providers are permitted to use personal information to retain and employ other service providers, as well as to build or improve the quality of their own services to businesses as long as the use “does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” The modified regulations also explicitly prohibit service providers from selling data on behalf of a business if the consumer has opted out.
- Modifications to provisions specifying the required content for privacy policies appear to relieve some of the complexity of having to link specific categories of collected personal information with specific sources, purposes, and recipients. The following paragraph was stricken:
For each category of personal information collected, provide the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information. The notice shall be written in a manner that provides consumers a meaningful understanding of the categories listed.
And it was replaced by the following provision relating only to consumer information that a business discloses or sells:
For each category of personal information identified, provide the categories of third parties to whom the information was disclosed or sold.
A similar revision applies to notices at collection.
- Registered data brokers who purchase consumer information from businesses will no longer be required to provide notices at collection, or to ensure the businesses from whom the information is purchased provided proper notices by obtaining attestations in support, as long as their online privacy policies include instructions to consumers on how to submit opt-out requests.
- Separate revisions remove businesses’ obligations to (i) notify parties to whom a business has sold information within the last 90 days of an opt-out request, (ii) always treat a deletion request as an opt-out request if the consumer’s identity cannot be verified, and (ii) always provide at least two methods for consumers to submit access requests. Now, businesses will be required to notify only parties to whom the business has sold the information between the time the consumer’s opt-out request was received but before the business complied. Businesses will also be permitted to ask consumers whether they really want to opt out before processing an unverified deletion request as an opt-out request. And, businesses that operate exclusively online and have direct relationships with consumers will be permitted to accept access requests only by e-mail.
- The modified regulations include a form “opt-out” button that businesses may implement.
- Provisions requiring notices to be accessible now refer businesses to the Web Content Accessibility Guidelines, version 2.1, and incorporate the Guidelines by reference.
- Only entities that collect personal information from more than 10 million consumers annually will be required to compile and publish their CCPA-compliance metrics in their privacy policies. The original proposed regulations set the threshold at 4 million, not 10.
- The modified regulations clarify that declining access, deletion, or opt-out requests for reasons specifically permitted by the CCPA is not discriminatory. The modified regulations also clarify that businesses may deny access and deletion requests to consumers whose identities cannot be verified in 45 days.
- Certain of the response deadlines were clarified to be based on business days (as opposed to calendar days). These include the time within which a business has to acknowledge a right-to-know request (10 business days) and the time to comply with an opt-out request (15 business days). The modified regulations also permit acknowledgement of receipt by phone if the request is made by phone.
Additional notable provisions permit businesses to use collected personal information for purposes other than that disclosed in the notice at collection as long as the undisclosed purpose is not “materially” different, and provide examples of discriminatory and non-discriminatory practices relating to loyalty programs.
The above highlights notable provisions, and is not intended to be exhaustive. For further information, please contact us.
Comments are due February 25, 2020. The Attorney General’s enforcement remains scheduled to begin on July 1, 2020.
Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years.