Updates to Compliance Likely Required
On February 10, 2020, the California Attorney General issued the proposed text of modified regulations implementing the California Consumer Privacy Act (CCPA). This draft is a correction of a version that the California Attorney General issued on February 7, 2020. While the California Attorney General previously indicated that major changes to the proposed CCPA regulations were not anticipated, these modifications are likely to have a significant impact on CCPA compliance efforts, particularly regarding privacy notices, agreements between businesses and service providers, and policies on handling consumer requests.
The regulations matter because the California Attorney General has been tasked with establishing procedures to facilitate consumers' CCPA rights and with providing guidance regarding compliance. In October 2019, the California Attorney General issued the initial draft of the proposed regulations, which imposed many new obligations on businesses that went beyond the CCPA, and solicited public comments on this draft for a 45-day period.
Nearly 1,700 pages of comments were submitted regarding the initial proposed regulations. It appears that the California Attorney General understood the burdens imposed on businesses by the initial version of the regulations, as many of the changes in the modified regulations scale back those obligations. While the modified regulations are still not final, and another public comment period is underway, some of the notable changes include:
While the changes noted above are largely helpful to businesses, the modified regulations also include changes that are not so helpful. For example, the modified regulations prohibit a business from providing a financial incentive program if the business is unable to calculate a good faith estimate of the value of the personal information. In addition, the modified regulations include a new requirement that businesses provide a just-in-time notice when collecting personal information from consumers' mobile devices for a purpose that a consumer would not reasonably expect, e.g., a flashlight app that collects geolocation information, harkening back to the Federal Trade Commission's 2013 settlement with Goldenshores Technologies. Moreover, the modified regulations still do not provide specific guidance on how the ad tech industry should implement policies and procedures in line with the CCPA or how businesses are supposed to recognize the particular user-enabled global privacy controls that businesses are required to treat as a request to opt out.
There are several other changes that are likely to impact policies and procedures that businesses implemented to comply with the initial version of the regulations. The granularity of the modified regulations also provides some further guidance in operationalizing the CCPA and understanding how the California Attorney General may interpret and enforce it. Accordingly, businesses (and service providers whose clients include businesses subject to the CCPA) would be wise to review and understand the impact of these modified proposed regulations on their operations.
Nevertheless, such a review should be undertaken with an understanding that additional changes will likely be needed, and that the modified proposed regulations are still not the final CCPA regulations from the California Attorney General. The California Attorney General is currently accepting written comments that pertain to the changes to the proposed regulations and new materials that the California Attorney General has added to the rulemaking file until February 25, 2020 at 5:00 p.m. PST.