On February 7, 2020, the California Attorney General (AG) published, and updated on February 10, modified proposed regulations (Modified Regulations) implementing the California Consumer Privacy Act (CCPA). The Modified Regulations amend proposed regulations published by the AG in October 2019 (Initial Regulations) (see here for our alert on the Initial Regulations) in response to hundreds of comments submitted to the AG in December. The Modified Regulations were accompanied by a Notice of Modifications and a list of Documents and Other Information Relied Upon. Written comments must be filed with the AG by February 25, 2020.
Among other changes, the Modified Regulations (1) narrow the scope of “personal information” under the CCPA; (2) clarify how service providers may use information processed as a part of their services; and (3) replace some onerous transparency and consumer rights request obligations with more practical requirements. Despite these changes, the Modified Regulations do not address a number of open questions, including, crucially, uncertainty about the scope of “sales” under the CCPA.
With the looming July 1, 2020 date for the start of enforcement by the AG, and a round of public comment on the Modified Regulations, companies hoping for clarity – and finality on the implementing regulations – may be disappointed.
The following is our analysis of the most significant features and changes in the Modified Regulations:
DEFINITION OF "PERSONAL INFORMATION"
The Modified Regulations clarify that determining if data is “personal information” depends on whether the business maintains the information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, according to the Modified Regulations, collection of an IP address that is not linked, and could not reasonably be linked, to a particular consumer or household is not personal information.
SERVICE PROVIDERS' USE OF PERSONAL INFORMATION
The Modified Regulations remove a provision from the Initial Regulations that prohibited service providers from using personal information received from one customer to provide services to another. There had been considerable opposition to this prohibition on grounds that it is not aligned with established market practice of providers seeking to build or improve the quality of their offerings.
Thus, the Modified Regulations provide that a service provider may use personal information obtained in the course of providing services for, among other administrative purposes, building or improving the quality of its services, provided that the use does not include (i) building or modifying profiles on consumers or households; or (ii) cleaning or augmenting data acquired from another source. While this change does not permit service providers to use personal information for any and all internal purposes, it does allow most service providers to use personal information for product development and improvement, preventing significant disruption to current market practices and potentially removing barriers to innovation, for example, for companies training certain AI and machine learning algorithms.
PERSONAL INFORMATION COLLECTED FROM THIRD PARTIES
PRIVACY POLICIES AND OTHER NOTICES
The Modified Regulations provide further guidance about the form and content of privacy policies and other CCPA notices. Businesses must still disclose in their privacy policies the categories of personal information collected, sold, and disclosed for a business purpose in the preceding 12 months, and the categories of third parties to whom that information was disclosed or sold. However, the previous requirement to disclose, for each category of information collected, the source and purposes of that collection has been removed. This change should streamline CCPA privacy disclosures consistent with trends in global privacy frameworks to keep privacy policies concise, and easy to read and understand.
The AG retained the recordkeeping and corresponding transparency requirements in the Initial Regulations for businesses that process a significant amount of personal information, but increased the threshold from 4 million to 10 million California residents (roughly equal to 25 percent of the state’s population). These metrics must be annually disclosed in their privacy policies or on their websites by July 1.
As we have discussed previously, all CCPA-mandated notices must be accessible to consumers with disabilities. The Modified Regulations expand on this by requiring businesses posting notices online to follow generally recognized industry accessibility standards, such as the Web Content Accessibility Guidelines. In addition, just-in-time notices (e.g., pop-up notifications) must be provided for collection of personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect (e.g., collecting location information for a flashlight application).
CONSUMER RIGHTS REQUESTS
Businesses are no longer required to post an interactive webform to receive access or deletion requests, although this method may still be useful for businesses looking to standardize requests. While most businesses must still provide two or more designated methods to submit access and deletion requests, a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting access requests.
Interactive webforms, however, are still required for requests to opt out of sales. The methods for making these opt-out requests must “be easy for consumers to execute” and require minimal steps (although no further detail is provided on what is considered “easy”). This provision also prohibits using methods that would subvert or impair a consumer’s decision to opt out, presumably, for example, by implementing methods that are misleading or deceptive.
Importantly, the AG has retained and expanded on a provision in the Initial Regulations requiring businesses that collect personal information from consumers online to treat user-enabled global privacy controls as valid opt-out requests. These controls (e.g., browser plugins or device settings) must clearly communicate or signal that a consumer intends to opt out of the sale of their personal information, and must require consumers to make an affirmative election rather than rely on pre-selected settings.
While the Modified Regulations dictate that these global privacy controls take precedence over business-specific settings, such as participation in a financial incentive program, they permit a business to notify a consumer of the conflict and give the consumer the choice to confirm the business-specific setting. These revisions may assuage some concerns raised in response to the introduction of this requirement in the Initial Regulations, but questions remain about how global privacy controls will be standardized and effectively implemented across the Internet.
Companies that are subject to the CCPA should review the Modified Regulations and assess the impact on their CCPA compliance strategies, and may want to consider submitting comments to the AG before the February 25 deadline.