The Bottom Line
- The second draft of the proposed CCPA regulations has some provisions that are helpful to businesses, but still leave many questions unanswered as businesses await a finalized version of the regulations. Businesses may need to reassess and adjust their already implemented CCPA compliance measures and should continue to watch for further developments.
The California Attorney General’s (AG) office has released revisions to the proposed draft California Consumer Privacy Act (CCPA) regulations, some of which signal significant shifts in the AG’s regulatory approach.
According to the AG’s office, the changes were made in response to the public comments it received on the initial draft regulations it released in mid-October. The AG’s office is now accepting public comments on the proposed changes until 5 p.m. (PST) on Tuesday, February 25, 2020. Final regulations are expected to be published sometime thereafter.
Additional Guidance on “Personal Information”
Arguably, the revision with the biggest implication is the added guidance on the definition of “personal information.” Under the revised draft regulations, if information is not maintained by a business in a manner that falls under the CCPA’s definition of “personal information,” then it is outside of CCPA’s scope.
For example, the revised draft regulations state that IP addresses collected by a website but not maintained in a way that links, or can be “reasonably linked,” to a particular consumer or household are not “personal information” under CCPA. This would greatly relieve a business’s burden of providing the necessary disclosures about, or otherwise accounting for under CCPA, information it has no intention of tying to a specific consumer or household. What “reasonably linked” means remains unclear.
No Attestations
Under the initial draft regulations, businesses that did not collect personal information directly from a consumer could still sell such information if they either contacted the consumer directly with notice and an opportunity to opt out, or received a signed attestation from the information source that appropriate pre-collection notice was given to the consumer, including examples of such notice.
The revised draft regulations do away with these requirements, and do not require pre-collection notice if the business:
- Is registered as a “data broker” with the AG pursuant to California’s data broker law, and
- Provided a link to its online privacy policy as part of its registration, which contains instructions on how consumers can submit opt-out requests.
Pre-Collection Notice Requirement Updates
The revised draft regulations only require that the business or commercial purposes of all the collected personal information be disclosed, rather than requiring a more granular disclosure of each purpose per category of personal information.
The initial draft regulations also required businesses to provide direct notice to consumers and receive their explicit consent when using personal information for any new purpose beyond what the pre-collection notice disclosed. By contrast, the revised draft regulations only require this direct notice and consent for any materially different uses than as described in the pre-collection notice.
Right to Know and Right to Delete
The methods that businesses must provide for consumers to submit requests to know and requests to delete are more flexible under the revised draft regulations. Businesses that have direct consumer relationships and operate exclusively online now only need to provide an email address through which consumers can make a right to know request. A webform is only an option, not a requirement, for submitting a right to know request, although at least two methods are still needed for both a right to know and a right to delete request.
The revised draft regulations also clarify that businesses must confirm receipt of requests within 10 business days and comply with requests within 45 calendar days. However, if a business cannot verify a request within that 45-day window, it can deny the request. Businesses can even take the stance that they have no reasonable method to verify the identity of their consumers, if they explain why in their privacy policy and reevaluate and document their reasoning on a yearly basis.
Requests to Know
The revised draft regulations introduce certain limitations on a business’s obligations to comply with requests to know.
Specifically, a business does not have to search for personal information that it:
- Does not maintain in a searchable or reasonably accessible format,
- Maintains only for legal or compliance purposes, and
- Does not sell or use for a commercial purpose.
A business must, however, describe to the consumer the records it did not search in accordance with these exceptions.
Deletion Requests
The revised draft regulations make the two-step request process optional. They also ease the initial draft’s requirement that denied deletion requests be treated as an opt-out request, and instead require businesses to offer the option of requesting an opt-out in such situations.
Right to Opt-Out
The revised draft regulations also introduce the opt-out button. The optional opt-out button was revealed as a red toggle graphic which, if used, must be placed next to the required “Do Not Sell My Personal Information” or “Do Not Sell My Personal Info” link. The revised draft regulations also do away with the 90-day look back for notifying third-party purchasers of opt-out requests, and instead require businesses to notify of the request only those third parties to which the personal information was sold during the 15-business-day window that businesses have to comply with the opt-out.
Businesses are not allowed to sell consumers’ personal information if it was collected while the business did not have an opt-out notice posted in its privacy policy. However, the revised draft regulations provide an exception if the business obtains affirmative authorization from the consumer. Under the draft regulations, businesses can also give consumers who have previously opted out the choice to opt back into sales if the consumer initiates a transaction or attempts to use a product or service that requires a sale.
The revised draft regulations also provide further detail on how businesses must recognize and interpret user-enabled privacy controls as opt-out requests, including that such controls must clearly communicate the consumer’s intent to opt out, must not be pre-selected, and will override any conflicting business-specific privacy settings unless the consumer confirms otherwise.
Service Provider Requirements
The revised draft regulations enumerate new exceptions that ease the restrictions on a service provider’s use of personal information and obligation to delete such information, and allow them to:
- Make internal use of personal information to build or improve the quality of its services so long as the use does not involve building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.
- Use personal information to detect security incidents and fraudulent or illegal activity, to comply with its legal obligations or defend its rights, and when employing a subcontractor that meets the service provider requirements.
These exceptions replace the prior draft regulations’ prohibition against service providers using personal information obtained for one client to provide services to another client. They also cut back on the service provider’s obligation to respond to consumer rights requests.
Mobile Notices
If a business collects, from a consumer’s mobile device, personal information that the consumer would not reasonably expect it to collect, then a ‘just-in-time’ notice containing a summary of the categories of personal information being collected must be provided.
The revised draft regulations also:
- Incorporate the Web Content Accessibility Guidelines version 2.1 of June 5, 2018, from the World Wide Web Consortium,
- Provide further guidance on when financial incentive disclosures are necessary, and
- Modify the privacy policy requirements that were provided in the initial draft regulations.