California AG Issues Modified CCPA Regulations

Ballard Spahr LLP

On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA).  The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which concluded in December 2019.  Overall, the modified regulations provide helpful clarifications that should lessen compliance burdens for a number of industries.  Of note, the modified regulations:

  1. Limit Definition of Personal Information.  The modified regulations clarify that “personal information” does not include information that a business collected but cannot reasonably link to a consumer.  For example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household” then the IP address would not be “personal information.”  This is a particularly important limitation for businesses that don’t have a direct relationship with California consumers but rather only collect personal information via the website.
  2. Define Reasonable Accessibility.  The initial proposed regulations included a new requirement that privacy policies and online notices be reasonably accessible, without offering any definition of the standards.  The modified regulations state that reasonable accessibility means compliance with generally recognized industry standards, such as the Web Content Accessibility Guidelines, v2.1 – the prevailing standard used for ensuring compliance with the Americans with Disabilities Act (ADA) website accessibility requirements.
  3. Requiring Just-in-Time Notice for Unexpected Data Collection.  The modified regulations state, “When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.” This requirement aligns with Federal Trade Commission (FTC) guidelines and the 2020 Network Advertising Initiative (NAI) Code of Conduct.
  4. Removal of Webform Requirement.  The modified regulations remove a requirement set forth in the initial proposed regulations requiring businesses to provide two or more methods for consumers to submit consumer access requests, one of which was an interactive webform. The modified regulations permit businesses to meet this requirement by providing a toll-free number and a designated email address.
  5. Limiting Search Obligations in Response to Right to Know Requests.  The modified regulations clarify that a business is not required to search for personal information in response to a right to know request where the business: does not maintain the personal information in a searchable or reasonably accessible form; maintains the personal information for legal or compliance purposes; does not sell or use the personal information for a commercial purpose; and describes to the consumer the categories of records that may contain personal information that the business did not search. This limitation partly addresses the question of whether (and when) right to know requests include access to data held in hard-to-search, unstructured systems.
  6. Opt-Out Buttons.  The modified regulations include examples of compliant opt-out buttons.
  7. Streamlining Requirements for Data Brokers.  The initial proposed regulations required that a company selling information it had collected indirectly ensure that the first-party business had issued a “notice at collection” to the consumer.  The current draft removes this requirement provided these third parties register as data brokers and include a link to their privacy policy, which contains opt-out instructions.

There are other changes to the regulations that have the effect of limiting some of the other compliance burdens for businesses.  As expected, however, the modified regulations do not provide additional clarity regarding the meaning of “sale/sell/selling” or define what “reasonable data security” means.

The AG’s Office will accept public comments to the modified regulations until February 24, 2020.  The regulations are expected to be finalized in April or May 2020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
