The Situation: Four months after releasing the initial draft proposed regulations to the California Consumer Privacy Act ("CCPA") of 2018, the California Attorney General ("Attorney General") issued modifications to these regulations in response to public comment.
The Result: The modified regulations propose a number of key changes that impact companies' compliance efforts.
Looking Ahead: The Attorney General will accept public comment on these modified draft regulations until Tuesday, February 25, 2020, at 5:00 p.m. (PST). Businesses subject to the CCPA should consult the newly revised draft regulations and consider adjusting their ongoing compliance efforts.
On February 7, 2020, the Attorney General released modifications to the proposed CCPA regulations for public comment ("modifications"). These modifications stem from feedback the Attorney General received during last year's comment period on the previously released draft regulations. Below is a summary of some of the significant changes to the regulations:
Clarifying Definition of "Personal Information"
The modifications clarify that information must be reasonably linked to a consumer in order to constitute "personal information" under the CCPA. For example, certain information, such as an IP address, will not be considered "personal information" if a business does not link that information with a particular consumer or household and could not reasonably link it with a particular consumer or household. (§ 999.302).
New Notice Requirements for Businesses that Collect Data Indirectly
Right to Know
Under the modifications, businesses can now provide the categories of sources from which the personal information was collected, the business purpose for collection, and the categories of third parties with whom they share personal information without listing this information for each identified category of personal information collected. However, businesses must still provide the categories of third parties to whom the businesses sold or disclosed that information in the preceding 12 months for each category of personal information identified. (§ 999.305; § 999.313(10)).
Businesses will have to change their privacy policies to make them more accessible for consumers on their mobile devices. Additionally, privacy policies must be available for consumers to download.
Newly Designed Opt-Out Button
The modifications include a newly designed opt-out button. (§ 999.306(f)). The modifications, however, do not provide any further clarifications to the definition of the broadly defined term "sale." Businesses, therefore, will still have to consider whether they are engaged in a sale of personal information under the CCPA.
The modifications make several changes to how businesses respond to consumer requests:
The modifications clarify that an entity qualifying as a "business" can also be a "service provider." Additionally, the modifications contemplate that service providers may use personal information obtained in the course of providing services only for certain reasons, including, inter alia, for internal use to build or improve the quality of their services, without engaging in a "sale." (§ 999.314(c)).
The modified regulations clarify how businesses should process and verify requests to access or delete household information. In order for a business to process a request to know specific pieces of personal information about a household or a request to delete household personal information without a password-protected account, all three of the following requirements must be met:
Authorized Agents Explained
The modifications also change how businesses must process requests submitted by authorized agents. (§ 999.326).
The Attorney General also clarified in a subsequent revision issued on February 10, 2020, that the metrics reporting requirement will apply to businesses that buy, receive, sell, or share the personal information of 10 million or more consumers in a calendar year, an increase from four million in the original proposed regulations. (§ 999.317(g)).
Two Key Takeaways