On February 7, 2020, the California Attorney General released modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA), the state’s sweeping privacy law that took effect on January 1. The modifications provide additional clarity about the level of transparency expected by the California Attorney General, but also leave many unanswered questions regarding the scope of a business’s obligations under the law. The modifications:

• clarify the scope of “personal information” to encompass only information that the business can reasonably link with a particular consumer
• make several clarifications and changes to the requirements regarding notices and responses to consumer requests
• clarify that service providers can use personal information provided by a business for their own internal use
• require that the method for consumers submitting an opt-out-of-sale request be easy, with minimal steps
• prohibit businesses from requiring consumers to pay a fee for verifying their identity when submitting a request to know or delete.

The California Attorney General released an updated copy of its modified regulations on February 10. The updated version extends the public comment period by a day and increases to 10 million per year the number of consumers for which a business must sell or share information for commercial purposes in order to be subject to additional recordkeeping and disclosure requirements as a data broker.

Clarification of the “Personal Information” Definition

“Personal information” is defined very broadly under the CCPA as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household. The ubiquity of big data and analytics techniques that could potentially allow for identification of individuals with relatively little data left businesses to wonder where the line is between personal information and de-identified information. For example, many businesses collect information such as IP addresses from visitors on their websites that could potentially be associated with individuals or households. The modifications to the proposed regulations clarify that IP addresses of visitors to a website are not personal information under the CCPA if the business that collects the IP addresses does not link and could not reasonably link the information to a consumer. This clarifies that businesses must take into account only their own practices and capabilities with respect to associating information with consumers and not state-of-the-art analysis and re-identification techniques that may be available.

Notice Requirements and Handling Consumer Requests

The modifications make a few changes to the proposed regulations’ requirements regarding notices and responses to consumer requests. The modifications:

• state that a business does not need to provide a notice of the right to opt out if the business does not sell personal information and states in its privacy policy that it does not sell personal information. Previously, the proposed regulations required a business to also state that it “will not” sell personal information, creating a potential future commitment that could restrict flexibility in business operations.
• minimize the detail required in the privacy policy, no longer requiring the disclosure of sources and business or commercial purposes for each category of personal information collected.
• require “just in time” notifications when businesses collect personal information from a consumer’s mobile device that a consumer would not reasonably expect, for example collecting geolocation information in a flashlight app.
• require notices on “all webpages where personal information is collected” and on the mobile app download page and “within the app.” Oral notice is allowed if information is collected orally.  
• clarify the standard for when secondary uses of data require consumer opt-in consent. Under the modifications, uses that are “materially different” than those disclosed at the notice of collection require subsequent notification and opt-in consent, not just uses for “any” purpose other than those disclosed at the notice of collection, as previously proposed.
• eliminate the requirement for businesses that operate websites to provide an online web form as one method for submitting requests to know. Businesses are still required to provide a toll-free number and at least one other method for submitting requests to know, such as an email address or online web form.
• allow businesses that operate exclusively online to provide only an email address for submitting requests to know.
• extend the timeframes for responding to consumer requests – 10 business days to confirm receipt of a request to know or delete, 45 calendar days to respond to a request, and 15 business days to respond to a request to opt out of sale.
• eliminate the requirement for businesses to specify how they deleted personal information when responding to requests to delete. The modified regulations instead require businesses to inform the consumer whether they have complied with the consumer’s request to delete.
• exempt businesses from searching for personal information in response to a request to know if all of the following conditions are satisfied: (a) the business does not maintain personal information in a searchable or readily accessible format; (b) the business maintains personal information solely for legal or compliance purposes; (c) the business does not sell the personal information or use it for any commercial purpose; and (d) the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the foregoing conditions.
• eliminate the notice at collection requirements for data brokers registered with the California Attorney General that do not directly collect personal information from consumers and that provide a link to their privacy policy in their registration submission.
• clarify that compliance with an industry-recognized standard, such as the Web Content Accessibility Guidelines, will meet the requirement under the regulations that the consumer CCPA notice and privacy policy be accessible to persons with disabilities.

Service Provider

The original draft of the proposed regulations left some doubt as to whether service providers could use personal information for their internal service development and enhancement purposes. This meant that businesses needed to be on guard against providing these rights to service providers of hosted solutions and other services, in addition to passing down other CCPA-mandated provisions to service providers. Failure to do so would have risked taking the relationship outside of the “service provider” definition in the CCPA, meaning that the transfer of personal information would potentially qualify as a “sale” under the CCPA. The modifications clarify that a service provider may use personal information that is provided to it by a business for the service provider’s own internal use to build or improve the quality of its services, so long as that use is not building or modifying household or consumer profiles or cleaning or augmenting data acquired from another source. The modifications also clarify that service providers may use personal information in connection with the retention of subcontractors and to detect security incidents and prevent fraud.

Request to Opt Out

The modifications reinforce that any method by which consumers request to opt out of the sale of their information must be easy to use. Moreover, these methods must require minimal steps to allow for the opt-out, and the business may not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt out. 

Verifying Requests

The modifications make clear that a business must not require a consumer to pay a fee for the verification of their request to know or delete. For example, a business cannot require a consumer to provide a notarized affidavit to verify the consumer’s identity unless the business compensates the consumer for the cost of the notarization. Given the need to minimize the collection of additional information outside what is already collected, verification will likely continue to be burdensome, especially with respect to requests from non-California residents trying to invoke rights under the CCPA.

The modifications also add an additional way a business may verify an authorized agent — requiring the consumer to directly confirm with the business that he or she provided the authorized agent permission to submit the request.

Pepper Points

While the regulations are still not final and the modifications are subject to a public comment period until February 25, the California Attorney General will begin enforcement of the CCPA at the earliest by July 1, 2020. Thus, businesses should:

• review their privacy policies and subsequent notice at collection disclosures to ensure the nuanced requirements are met. As a general matter, the focus should be on transparency and making sure consumers can efficiently obtain the information necessary for them to make an informed decision or request as needed.
• review internal procedures and ensure the business can meet the requirements when responding to and verifying requests. The lowest hanging fruit for enforcement starting in July are those businesses whose policies are lacking, and those whom consumers complain have not responded as necessary.
• scrutinize public-facing statements to optimize transparency. The California Attorney General has clearly focused on a heightened level of transparency to the consumer. Not disclosing enough may subject a business to a requirement of obtaining additional express consent. Ultimately, accuracy and exhaustiveness when reviewing and documenting practices are the surest ways to meet the high standards set forth by the CCPA and subsequent regulations.
• monitor all developments relating to the CCPA, including any additional modifications to the regulations and guidance from the California Attorney General.