One Step Closer: California Attorney General Modifies the Proposed CCPA Regulations
On February 7, 2020, the California Attorney General published modified proposed California Consumer Privacy Act (CCPA) Regulations (Modified Regulations).
The Regulations are intended to operationalize the CCPA and provide practical guidance to consumers and businesses subject to the law on a number of issues, including the details on giving notices to consumers, the content of privacy policies, handling of consumer requests to access and delete and to opt out of the sale of personal information, verification of consumer identity, training and record-keeping requirements, and non-discrimination practices.
The Attorney General published the first draft of the Regulations and the Initial Statement of Reasons on October 10, 2019. The initial publication was followed by a two-month public comment period which included several public hearings across California. The Attorney General’s office received hundreds of written comments on the proposed Regulations from businesses, attorneys, interest and consumer groups. Some of these comments were apparently considered by the Attorney General in making changes to the proposed Regulations.
Below are some of the highlights of the modifications proposed by the Attorney General.
- The Modified Regulations clarify that if the business collects the IP addresses of its website visitors but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then that address would not be considered “personal information” under the CCPA. See Modified Regs. § 999.302. Previously that was unclear, as the definition of “personal information” under the CCPA expressly includes the IP addresses, among other identifiers. See Civ. Code § 1798.140(o)(1)(A).
- The Modified Regulations’ requirements for Privacy Policies and Notices deleted all references to “an average consumer,” a term that was never defined in the proposed Regulations and was criticized as vague and confusing from the compliance standpoint.
- The Modified Regulations eliminated a much-criticized requirement for businesses that collect personal information through indirect means to provide the required notices to consumers prior to the sale of their information, either by contacting consumers directly or by obtaining signed attestations from the original sources of the personal information that the notices were provided. The Modified Regulations instead provide that if a business is registered as a data broker, it does not need to provide a notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out. See Modified Regs. § 999.305(d).
- The Modified Regulations clarified that a notice at collection of employment-related information does not need to include a “Do Not Sell My Personal Information” link. The collection of employment-related information, including for purposes of administering employment benefits, is treated as collection for a business purpose. See Modified Regs. §§ 999.301(i), 999.305(e).
- The Modified Regulations provide that when a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect (for example, a flashlight application collecting geolocation data), it must provide not only a link to a notice at collection but also just-in-time notice containing a summary of categories of personal information being collected. See Modified Regs. § 999.301(a)(4).
- The Modified Regulations clarified the categories of information that must be provided in response to a verified request to know: (a) the categories of personal information the business has collected about the consumer in the preceding 12 months; (b) the categories of sources from which the personal information was collected; (c) the business or commercial purposes for which it collected or sold the personal information; (d) the categories of third parties with which the business shares personal information; (e) the categories of personal information that the business sold in the preceding 12 months and, for each category identified, the categories of third parties to which it sold that particular category of information; and (f) the categories of personal information that the business disclosed for a business purpose in the preceding 12 months and, for each category identified, the categories of third parties to which it disclosed that particular category of information. See Modified Regs. § 999.313(c)(10).
- The Modified Regulations substantially revised the rules for access and deletion requests by a household. See Modified Regs. § 999.315(f).
- Under the Modified Regulations, businesses are no longer required to use a two-step process for online requests to delete personal information where consumers must first submit the request and then separately confirm that they want their personal information deleted. Rather, the two-step process, which adds operational complexity to handling of the deletion requests, is now optional. See Modified Regs. § 999.312(d).
- Businesses would no longer be required to treat an unverified request to delete as a request to opt-out of the sale of the consumer’s personal information. This requirement was criticized as lacking a legal basis and adding operational complexity. Under the Modified Regulations, if a consumer has not already made a request to opt-out, a business is instead required to ask the consumer whether they would like to opt-out and to provide them either the contents of, or a link to, the notice of the right to opt-out. See Modified Regs. § 999.313(d).
- The Modified Regulations published, for the first time, a form of “opt-out” button. See Modified Regs. § 999.306(f).
- In the Modified Regulations, the time for businesses to respond to requests to opt-out of the sale of personal information has been extended to 15 business days in response to numerous comments that the originally proposed 15-day period was too short. See Modified Regs. § 999.315(f).
- Businesses would no longer be required to notify all third parties to whom they sold the consumer’s personal information within the 90 days prior to receipt of the opt-out request and instruct them not to sell that consumer’s personal information. This requirement was criticized as burdensome and lacking any basis in the text of the Act. The Modified Regulations now provide that if a business sells a consumer’s personal information to any third parties after the consumer submitted an opt-out request but before the business processed the request, it shall notify those third parties and direct them not to sell that consumer’s information. See Modified Regs. § 999.315(f).
- During the original public comment period, a number of commentators criticized a proposed regulatory requirement to treat user-enabled privacy controls (such as a browser plugin or privacy setting) as an automatic opt-out of the sale of personal information, citing concerns over its technical feasibility, ambiguity as to how such a control conveys the consumer’s preferences, and the fact that it adds a significant new obligation beyond what is required in the text of the CCPA.
The Modified Regulations clarified that any privacy control developed in accordance with the regulations must clearly communicate or signal that the consumer intends to opt-out of the sale of personal information. Such privacy controls must require that consumers affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings. See Modified Regs. § 999.315(d). Currently, no such controls exist.
- The proposed Regulations require businesses to estimate the value of consumers’ data for purposes of offering financial incentives and loyalty programs. The Modified Regulations provide that if a business is unable to calculate a good-faith estimate of the value of the consumer’s data, or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, the business shall not offer the financial incentive or price or service difference. See Modified Regs. § 999.336(b).
The publication of the Modified Regulations brings the Attorney General one step closer to finalizing the Regulations before the July 1, 2020 statutory deadline. See Cal. Civ. Code § 1798.185. A public comment period on the Modified Regulations will continue through February 25, 2020. At this point, it appears likely that the final Regulations will be published shortly after the conclusion of the public comment period.