As we reported here, the California Attorney General released proposed regulations pursuant to the California Consumer Privacy Act (CCPA) on October 10, 2019. These proposed regulations were modified on February 7 and again on February 10, 2020. The modifications, which followed additional hearings and comments, would effect several important changes and clarifications.
- Clarification of “Personal Information.” A new section 999.302 provides guidance for interpreting the CCPA definition of “personal information.” A helpful example is provided for IP addresses, indicating that IP addresses are not personal information if collected by a business through its website where the business could not reasonably link the IP address with a particular consumer or household.
- Further Clarification of Notices. The proposed regulations released in October 2019 provided helpful guidance as to the notices to be provided to consumers, particularly by clarifying the distinctions between the notice at collection and the privacy policy. The modifications to the proposed regulations go further to:
  - provide more specificity as to delivery, including for use with mobile apps and devices, such as a new “just-in-time notice” to address the collection of personal information for a purpose that would not be reasonably expected; and
  - limit to registered data brokers the originally proposed relief from the requirement for notice at collection in the context of information collected indirectly (i.e., not directly from consumers).
- Clarification of Accessibility Requirements. The CCPA’s requirement that the notice at collection and privacy policy must be accessible is further defined by reference to generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
- Streamlining Disclosures in the Notice at Collection and Privacy Policy. The modifications delete the requirement to disclose in the notice at collection “for each category of personal information” the business or commercial purpose(s) for which it will be used, although the business or commercial purpose(s) for which “the categories” will be used must still be disclosed under the modified proposed regulations. Similarly, the requirements for privacy policy disclosures appear to be streamlined by the deletion of the requirement to disclose “for each category of personal information collected . . . the categories of third parties from whom information was collected, the business or commercial purposes for which it was collected, and the categories of third parties with whom the business shares personal information.” The privacy policy must, however, disclose categories of personal information collected, categories disclosed for a business purpose or sold to a third party, and “for each category”, the categories of third parties to whom it was disclosed or sold.
- Exceptions to Right to Know. The modifications also create exceptions from the obligation to search for information in response to the exercise of the right to know where the business:
  - does not have the information in a searchable or readily accessible format;
  - maintains the information solely for legal or compliance purposes;
  - does not sell the information and does not use it for any commercial purpose; and
  - describes to the consumer the categories of records that may contain the requested information that it did not search because of one of the foregoing reasons.
Certain biometric data was also excepted from the required response to the exercise of a right to know.
- Relief for Offline Businesses. The modifications include some relief for businesses that interact with consumers in person, including the change from a requirement to provide at least one method to submit requests in person to a requirement to “consider” providing an in-person method, such as a printed form, a tablet or portal to submit online, or a toll-free telephone number.
- Clarifications for Responses to Consumer Requests. Additional guidance is provided for addressing rights to know and rights to delete for businesses that interact with consumers online, by telephone or in person, and the modifications back away from the original proposal to require a two-step process for online requests to delete. In addition, the modifications provide that a business can deny a request if it cannot verify the consumer within 45 days. Category-by-category disclosures must be provided in response to requests to know. In response to a request to delete, the business must ask the consumer if he or she would like to opt out of sales of personal information, if the consumer has not already made the opt-out request.
- Amplification of Restrictions on Service Providers. The modifications further amplify the restrictions on a service provider’s ability to retain and use data. Importantly, internal use by the service provider to build or improve the quality of its services is permitted, provided that the use does not include building or modifying consumer or household profiles, or cleaning or augmenting data acquired from another source.
- Clarifications for the Opt-Out Right. The modifications provide further guidance on the offering and response to opt-out requests, including guidance for resolving conflicts with other consumer settings or a financial incentive program.
- Further Guidance Concerning Household Information. The modifications provide further guidance where a business receives a request to access or delete household information, including for verification.
- Verification Clarification. Guidance is provided for the verification process, including for verifying a consumer using a mobile app.
- Non-Discrimination. The modifications clarify that a financial incentive may not be offered unless the business can show a reasonable relation to the value of the consumer’s data. Additional, helpful illustrations are also offered.
We will continue to track and report on further developments concerning the CCPA and its implications for businesses.