The California Attorney General Publishes a Second Round of the Modifications to the Proposed CCPA Regulations - Clarip Privacy Blog

The California Attorney General Publishes a Second Round of the Modifications to the Proposed CCPA Regulations


On March 11, 2020, the California Attorney General released the second set of modifications to the proposed CCPA Regulations.  The first draft of the Regulations was released on October 11 of last year and the first round of modifications on February 10.   The comment period for the second round of modifications will run through March 27, thus further delaying the publication of the final Regulations ahead of the July 1, 2020 enforcement deadline.

The following is a summary of the notable changes:

Guidance regarding the interpretation of the “personal information” definition.  An earlier version of the Regulations clarified that if a business collects the IP addresses of website visitors but does not and could not link them to particular consumers or households, the IP addresses would not be considered “personal information” under the CCPA.  The new version of the Regulations deleted that clarification, thus leaving the qualification of the IP addresses subject to interpretation.

Privacy policy requirements. The requirements of what businesses must disclose within their privacy policies have again been rewritten. The new version of the Regulations clarifies that businesses do need to disclose the categories of sources from which personal information is collected and the business or commercial purpose for collecting and selling personal information.

Notice at collection for businesses that do not collect personal information directly from the consumers.  The new version of the Regulations clarifies that businesses that do not collect personal information directly from the consumers do not need to provide notice at collection to the consumers if they do not sell their personal information. Registered data brokers are also exempt from providing notice at collection if they include in their registration submission a link to the online privacy policy that includes instructions on how consumers can submit a request to opt-out.

Notice at collection of employment-related information.  Such notices are no longer required to provide a link to the business’s privacy policy.

Disclosure of types of sensitive personal information.  The Regulations provide that certain sensitive data should not be disclosed in response to the request for specific information of the consumer.  This includes a Social Security number; government-issued identification number; financial account number; health insurance or medical identification number; account password; security questions and answers; and unique biometric data.  The new version of the Regulations provides that businesses still have to inform their consumers with sufficient particularity that they have collected the type of sensitive personal information.  For example, a business can say that it collects “unique biometric data including fingerprint scan” without disclosing the actual scan.  Presumably, the disclosure would be personalized for each consumer, although the Regulations do not clearly state so.

Information provided when request to delete is denied.  The new version of the Regulations provides that if a business that denies the consumer’s request to delete personal information sells personal information, and the consumer has not already opted-out of sale, the business is required to ask the consumer if they would like to opt-out of the sale and include the contents of, or a link to, the notice of the right to opt-out.  An earlier version of the Regulations extended that requirement only to cases when a request to delete was denied because the business could not verify the consumer’s identity.

User-enabled global privacy controls.  The Regulations provide that user-enabled global privacy controls that communicate the consumer’s choice to opt-out of the sale of personal information shall be treated as opt-out requests under the CCPA.   The regulations also provide that privacy controls developed in accordance with these regulations shall clearly communicate that the consumer intends to opt out of the sale.  The new version of the Regulations, however, no longer requires that such privacy controls require that a consumer affirmatively select their choice to opt-out and not be designed with any pre-selected settings.

Opt-Out Button.  The new version of the Regulations deleted a much-criticized mockup of an “opt-out button.”  It is unclear whether a new design will be provided at a later time, if at all.

Ask Clarip today how we can solve your biggest compliance pain points. Call Clarip at 1-888-252-5653.
