The California Office of the Attorney General has published proposed amendments to the California Consumer Privacy Act (CCPA) draft regulations. The amendments are open for public comment until 5 pm PT on Feb. 24, 2020.
Transparency Requirements Added and Revised
Businesses are required to describe the sources of information and third parties with whom information is shared with enough particularity to provide consumers with a meaningful understanding of the type of person or entity. Sources include types or groupings of persons or of entities from which a business collects personal information about consumers. Such types may include the consumer directly (for the sources) and advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.
Notice at time of collection: The notice at collection needs to be made readily available where consumers will see or encounter it at or before the point of collection of any personal information. Examples:
- Collection online — conspicuous link to the notice on the introductory page of the business’ website
- Collection through a mobile application — on the mobile application’s download page and within the application, such as through the application’s settings menu
- Collection offline — on printed forms that collect personal information, provide the consumer with a paper version of the notice or post prominent signage directing consumers to where the notice can be found online
- Over the telephone or in person — orally
Do not sell notice: A business that collects personal information through a mobile application may provide a link to the notice within the application, such as through the application’s settings menu.
Granular disclosure by category: The requirement to list sources and purposes of use by specific category seems to have been removed. However, there is still an obligation to disclose information shared with third parties by specific category.
Notice at collection for employment: The notice at collection of employment-related information
- Does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”
- When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.
More Specific Requirements Regarding Accessibility
The proposed regs specify that "reasonably accessible to consumers with disabilities" means, at a minimum, for notices provided online, that the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.
Clarification of Concepts
Household: Means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier
Price or service difference: In order to be relevant for CCPA obligations, needs to be related to the disclosure, deletion, or sale of personal information
Signed: Means written attestation, declaration or permission has either been physically signed or provided electronically per the Uniform Electronic Transactions Act, Civil Code section 1633.7 et seq
Purpose limitation: The prohibition on using a consumer's information for any purpose other than those specifically listed, which was arguably more onerous than that of GDPR, has been revised to a prohibition on using a consumer’s personal information for any purpose materially different from those disclosed in the notice at collection. This is more in line with the GDPR standard of compatible purpose.
Deletion requests and backup: The requirement for deletion from backup files is clarified. If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure or commercial purpose.
Uses permitted by service providers: In addition to the use of the information for the provision of the services, service providers are also allowed to use the information:
- To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and the regulations
- For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source
- To detect data security incidents or protect against fraudulent or illegal activity
- To comply with federal, state or local laws
- To comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities
- To cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law
- To exercise or defend legal claims
Response by service providers to consumer requests: If a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.
Definition of Personal Information
Question mark regarding IP addresses: "If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be" personal information. Given that a website user can be a California resident as well, and given the capabilities provided by analytics and cross-device tracking technologies commonly implemented by websites, it will be interesting to understand what was intended with this provision.
Written attestation from sources: The requirement to receive a written attestation from the source of the information regarding notice and consent before reselling information has been removed.
A business shall not require the consumer to pay a fee for the verification of their request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.
New examples for verification:
- A retailer may require that the consumer identify items that they recently purchased from the store or the dollar amount of their most recent purchase.
- A business with a mobile application may require that the consumer provide information that only the person who used the mobile application may know or require the consumer to respond to a notification sent to their device.
A business shall establish, document and comply with a reasonable method for determining whether a person submitting a request to know or a request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.
Requirements re: opt out button
- Added a visual for the opt out button
- When the opt-out button is used, it is to appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, as demonstrated above, and it is to be approximately the same size as other buttons on the business’s webpage
Methods for submitting requests to opt-out: The methods a business uses need to be easy for consumers to execute and require minimal steps to allow the consumer to opt out. A business may not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.
- Any privacy control to signal an opt out developed in accordance with the regulations needs to clearly communicate or signal that a consumer intends to opt out of the sale of personal information. The privacy control needs to require that the consumer affirmatively select their choice to opt out and shall not be designed with any pre-selected settings.
- If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business needs to respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
- Amendment of the requirement for the business to inform re: the opt out. The requirement now reads: If a business sells a consumer’s personal information to any third parties after the consumer submits their request but before the business complies with that request, the business needs to notify those third parties that the consumer has exercised their right to opt out and direct those third parties not to sell that consumer’s information.
Opt in after opt out: If a consumer who has opted out of the sale of their personal information initiates a transaction or attempts to use a product or service that requires the sale of their personal information, a business may inform the consumer that the transaction, product or service requires the sale of their personal information and provide instructions on how the consumer can opt in.
Consumer Requests Generally
Methods for submitting requests offline: If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form or a telephone by which the consumer can call the business’s toll-free number.
Request to delete: a two-step confirmation process is optional and not required
Timing for response to requests:
- Initial confirmation: The initial confirmation should be given within 10 business days (not 10 calendar days) and may be given in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given on the phone during the phone call.
- Full response to right to know/delete: Responses to the requests should be provided within 45 calendar days (not business days).
- Response to request to opt out: Responses to a request to opt out should be provided within 15 business days (not 15 calendar days).
Exceptions to the response to request to know:
Information held for legal or compliance: In responding to a request to know, a business is not required to search for personal information if all the following conditions are met:
- The business does not maintain the personal information in a searchable or reasonably accessible format.
- The business maintains the personal information solely for legal or compliance purposes.
- The business does not sell the personal information and does not use it for any commercial purpose.
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
Sensitive information: unique biometric data generated from measurements or technical analysis of human characteristics was added to the list of items that should not be included in a response.
Household or Device Information
If a household does not have a password-protected account, a business shall not comply with a request to know specific pieces of personal information about the household or a request to delete household personal information unless all of the following conditions are satisfied:
- All consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information.
- The business individually verifies all the members of the household subject to the verification requirements set forth in the regs.
- The business verifies that each member making the request is currently a member of the household.
Where a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and requests to delete relating to household information through the business’s existing business practices and in compliance with these regulations.
Discrimination and Financial Incentive
Discrimination: The proposed regs provide a number of examples of discrimination or non-discrimination. In one example, following a delete request, a retailer may refuse to delete an email that is tied to an incentive because it is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with them, and can continue to provide the incentive after (partially) complying with a delete request. In another, regarding an incentive provided through a pop-up on a browser, the business may not refuse to delete the consumer's email address, and denial of the incentive following a request to delete may be discriminatory.
Financial Incentive: The proposed regs drop the concept of "typical consumer" and state that "for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons to the business and not just consumers."
Full Text of Modified CCPA Regulations (Redline)