This is the fourth post in our series discussing the practical impact of the California Attorney General’s regulations to the California Consumer Privacy Act (CCPA). See our previous CCPA posts here.

The CCPA took effect on January 1, 2020, and already a putative class action has been filed, albeit over a data breach that allegedly occurred before the CCPA’s effective date. In addition, although the statute is now operative, its implementing regulations remain in flux. On February 7, 2020, the California Attorney General (AG) issued a notice of modification to the proposed regulations originally issued in October 2019. And on March 11, 2020, the AG released a second set of modifications. These modifications—published in a clean and redline version—contain important updates clarifying notice requirements, consumer request acceptance and response obligations, service provider responsibilities, and when discrimination related to financial incentives is permissible.

Notices

The modified regulations add detail to the requirements for the four categories of notice under the CCPA: (1) collection; (2) right to opt-out of sale; (3) financial incentive; and (4) privacy policy.

For notices of collection, the modifications address businesses that collect personal information on mobile devices—allowing businesses to provide links to the notice on their application download page and requiring businesses to provide a just-in-time summary notice for collections “that the consumer would not reasonably expect” (such as geolocation information collected from a flashlight app). For notices of the right to opt-out and privacy policies, the modified regulations permit businesses with mobile applications to provide links to those policies in the applications’ settings menu.

In addition, the modifications make explicit that businesses that do not collect personal information from consumers or sell personal information do not need to provide notices at the time of collection. And businesses that do not offer financial incentives need not provide notice of financial incentive. The regulations already provide that businesses that do not sell information—and state that they do not do so in their privacy policy—do not need to provide notices of the right to opt-out.

Consumer Requests

We previously discussed the regulations governing accepting and responding to consumer requests (1) to know what personal information is being collected, (2) to delete any collected information, or (3) to opt-out of the sale of personal information. The modified regulations provide further detail regarding permissible methods of receiving and responding to these requests.

First, the modified regulations contain a carve-out for businesses that interact with consumers “exclusively online” and have “a direct relationship” with consumers whose personal information they collect. For requests to know, these businesses are only required to provide an e-mail address. Other businesses must provide two or more methods for consumers to submit requests, tailored according to the ways that a business typically interacts with its consumers, but one method must include a toll-free telephone number. For requests to delete, all businesses must provide two or more designated methods for submitting requests.

Second, the modifications add that in responding to a request to know the categories of personal information collected, businesses must include information disclosed for a business purpose or sold in the past year, including identifying the categories of third parties to which it disclosed or sold that information.

Third, the AG modified the requirement for businesses that deny a request to delete: instead of automatically treating the request as one for opt-out, the business must ask if the consumer wishes to opt-out of the sale of personal information and provide the consumer with its opt-out notice.

Fourth, the modifications provide detail for responding to requests to know specific pieces of or to delete household information. If the household does not maintain a password-protected account with the business, then the business must receive a joint request from all consumers in the household and individually verify each member of the household. If a consumer in the household has a password-protected account with the business, the business can process a request from that consumer regarding household information as it would process any other request from a consumer. In either circumstance, if the household has members under 13 years old, the business must obtain verifiable parental consent before it releases or deletes specific pieces of information.

Finally, the modified regulations affirmatively warn against businesses designing methods for submitting requests to opt-out “with the purpose or [] the substantial effect of subverting or impairing a consumer’s decision to opt-out.”

Service Providers

The modified regulations set out that service providers may only retain, use, and disclose personal information in the following ways:

• in accordance with the contract required by the CCPA between the business and the service provider;
• to retain another service provider as a subcontractor;
• for internal improvement of the quality of its services, provided that it is not building consumer or household profiles for other businesses or correcting data from other sources;
• to detect or protect against data security incidents and other fraudulent or illegal activities; and
• to comply with laws, cooperate with regulatory or law enforcement inquiries, or to exercise or defend against legal claims.

The modifications also clarify that a service provider that receives a consumer request to know or delete must either act on behalf of the business or respond to the consumer that it cannot act on the request because it is a service provider.

Non-discrimination

As we explained in a prior post, Section 1798.125 of the CCPA contains a general non-discrimination provision barring businesses from retaliating against consumers for exercising their CCPA rights, with a carve out for providing financial incentives or price or service differences if the incentive or difference is directly related to the value of the consumer’s data. The modifications provide that a business may not offer a financial incentive or price or service difference if it cannot calculate a good-faith estimate of the value of consumer data and show that any incentive or price or service difference is reasonably related to that value. The modified regulations also state that price discounts offered to comply with federal or state laws are not discriminatory.

The modified regulations deleted an example about a retail store that we discussed in our prior post and replaced it with several other examples illustrating acceptable and unacceptable financial incentives or price or service differences. One example involves a business offering $5 e-mail coupons once a consumer spends $100 with the business. If a consumer then submits a CCPA request to delete personal information, but wants to continue participating in the discount program, the business can permissibly deny that request as to the consumer’s e-mail address and amount spent with the business because that information is “necessary” for the discount program and “reasonably anticipated within the context of the business’s ongoing relationship” with the consumer.

* * *

The AG’s updated notice of modification set a March 27, 2020 deadline for written comments. We will continue to provide CCPA updates as they become available.