On February 7, 2020, the California Attorney General (AG) published a set of Modified Regulations under the California Consumer Privacy Act (CCPA). The Modified Regulations take into account some of the comments received from the public late last year and make key changes to multiple definitions and provisions, in at least some cases providing more clarity and specificity than the original version. The regulatory process is not yet done—the AG is accepting written public comments on the Modified Regulations until February 24, 2020—but it is unlikely there will be many more substantial revisions from this point forward. It also now seems possible that we will see final Regulations in advance of the July 1, 2020 deadline. The last step in the process is the AG’s submission of the final rulemaking record for approval by the CA Office of Administrative Law (OAL), which has 30 working days to approve the record before filing of the final Regulations with the Secretary of State.
While the changes to the Regulations are wide-ranging, we found the following ten to be the most significant from a compliance standpoint:
1. Exclusion of Un-Linkable IP Addresses
The Modified Regulations include a new rule exempting businesses from providing IP address information in response to consumer requests if the business does not already have a way to link up an IP address with a particular user or household. This is good news for users of website analytics tools, many of whom are not accessing customer IP addresses outside of their use of these services.
2. Further Details for Privacy Policies
The Modified Regulations leave no doubt that businesses subject to the CCPA must have a privacy policy and that online notices should follow the Web Content Accessibility Guidelines, Version 2.1. Ultimately, the goal is for privacy policies to take into account how consumers interact with the business. For example, for businesses that collect personal information in person or by phone, the Modified Regulations include a further description of acceptable means for businesses to provide in-store notices and an allowance to provide oral notice when information is collected by phone.
There is also an image of what the AG would like companies’ “Do Not Sell My Personal Information” buttons to look like (shown at the top of this post). The button cannot substitute for posting notice of the right to opt-out, but suffice it to say that adopting the AG’s preferred look and language for the button at least provides a simple means of complying with one aspect of the CCPA. Finally, the Modified Regulations make clear that if a business does not sell consumers’ personal information, it may state as much in its privacy notice, and need not include an opt-out mechanism.
3. A New Exemption When Responding to Requests to Know
In responding to a request to know, a business does not need to search for personal information (PI) if: (a) it does not maintain PI in a searchable format; (b) it maintains PI only for legal or compliance purposes; (c) it does not sell PI and “does not use it for any commercial purpose;” and (d) it describes to the consumer the categories of records it did not search because the first three requirements were met. Given the CCPA’s definition of “commercial purpose” (“to advance a person’s commercial or economic interests”), this appears to be a pretty narrow exception and one targeted at the “cookie” problem.
4. A New Definition of “Household”
The Modified Regulations include a new, much more specific definition of “household,” as well as further detail on the verification process for requests to know or to delete information made on behalf of a household. As revised, a “household” is a group that resides at the same property, shares a common device or service provided by a business, and is identified by the business using the same account number. Further, when a request is made on behalf of a household, the business must take steps to verify the identity of each member of the household. If their identity cannot be verified, the business must deny the request. This is a helpful clarification which should reduce any fraudulent requests.
5. Multiple Tweaks Related to Processing Requests
The Modified Regulations contain several updated provisions that appear targeted toward fighting fraud. These include more specifics surrounding authorized agents and businesses’ right to decline unverified requests to know or delete information, as well as the detailed requirements for verifying household requests, as discussed above. The Modified Regulations also include provisions allowing for electronic signatures of declarations submitted in the verification process, which should streamline the process and allow it to take place entirely by electronic means.
6. New Rules for Service Providers
Under the Modified Regulations, service providers may only use personal information to: (a) perform the services; (b) retain and employ subcontractors; (c) to build or improve the quality of their services; (d) to detect security issues; and (e) certain other limited purposes set forth in § 1798.145. A service provider shall not sell PI when the consumer has opted out. It will be important to make sure that service providers are (a) prevented from selling; or (b) notified of opt-outs received. A service provider that receives a request to know/delete from a consumer shall either carry out the request or tell the consumer it cannot do so because it is a service provider. If a business has not yet put in place CCPA addenda with its service providers, these Modified Regulations may help guide it in doing so.
7. Opt-Out Rights Following Unverifiable Requests to Delete
There are new rules surrounding requests to delete. These rules provide that if a business that sells personal information receives an unverifiable request to delete, it needs to give the consumer the option to opt-out of the sale of his or her personal information and provide a link to the business’s opt-out page. This is slightly different from the prior version of the Regulations, which seemed to require automatically opting-out the consumer based on the deletion request.
8. Mobile Applications
Under the Modified Regulations, businesses can satisfy the CCPA for purposes of mobile applications by providing a link to their privacy policy in an app’s download page and within the settings menu for an app. For apps that collect personal information “for a purpose that the consumer would not reasonably expect,” the app must provide a “just-in-time” notice to the consumer—not unlike the “bite-sized” notices the UK ICO recommends for services targeted to children.
9. Examples of Discrimination
The Modified Regulations include further detail on what would constitute discrimination under the CCPA against a consumer for exercising his or her CCPA rights, including new examples. The two examples provided appear somewhat difficult to reconcile, but perhaps provide an opportunity to modify a business’s pricing model to look more like what the AG considers non-discriminatory.
10. Clarity on Timing
The AG made revisions throughout the Regulations to clarify which provisions use calendar days and which use business days. This is a welcome bit of clarity for businesses responding to requests—and for their employees who may otherwise have been responding to requests on Saturdays, Sundays, or holidays.
Conclusion
For companies that have already updated their privacy policies and practices for CCPA, we can hear the collective groan at having yet another set of rules to parse through. On the whole, though, this set of Modified Regulations is not going to require major changes in most companies’ handling of personal information or their privacy policies if they have already gone through the process for CCPA compliance. However, it is worth checking those policies and practices against the Modified Regulations, as some of the new details may help with compliance.
