Fox Rothschild LLP

California Attorney General Xavier Becerra has submitted a final California Consumer Privacy Act (CCPA) regulations package. The final version is essentially identical to version three of the regulations released in early March 2020. However, many insights into the reasoning and thinking of the Attorney General for the revisions made to the regulations to date can be gleaned from the Final Statement of Reasons submitted to the California Office of Administrative Law alongside the final regs. They are set forth below:

Notice at Collection:

  • Needs to be made readily available where consumers will encounter it at or before the point of collection of any personal information. This means both temporal proximity, such as notices delivered online regarding online collection or orally when information is collected by telephone, and physical proximity, such as near a cash register at an in-store location where collection is taking place.
  • The use of the word “encounter” is intended to include both sighted and visually-impaired consumers.
  • Online notice: Can be posted through a conspicuous link on the introductory page of the business's website and on all web pages where personal information is collected.
  • Notice on phone: Can be provided orally.
  • Notice on mobile app: Through a link on the mobile application download page and within the application, such as through the application’s settings menu.
  • Notice offline: Printed forms that collect personal information, through a paper version of the notice, or through prominent signage directing consumers to where the notice can be found online.
  • Directing consumers to where the notice can be found online: This can be a link/typed out URL but can also be accomplished with a QR code or in other ways.

Just-in-Time Notice

  • Just-in-time disclosure is required in all instances in which a business collects personal information from a consumer’s mobile device for purposes that the consumer would not reasonably expect.
  • Per the Attorney General, this section is consistent with the language, intent and purpose of the CCPA to meaningfully give notice to consumers about what information is collected from and about them and to give them control over how businesses use this information.

Purposes of Collection

  • If a business wishes to collect information for purposes that are "materially different than" the stated purposes, it needs to directly notify the consumer and obtain explicit consent from the consumer to use the information for this new purpose.
  • This is close to the General Data Protection Regulation's formulation of not "incompatible with" the stated purposes and in line with the longstanding Federal Trade Commission requirement that companies obtain affirmative express consent before using consumer data in a materially different manner than claimed when the data was collected.
  • Per the Attorney General, this benefits businesses because businesses will not be required to inform consumers of immaterial changes. The change also benefits consumers by not overwhelming them with notices for every minor change, which may result in notice fatigue. The regs clarify that this applies when a business seeks to use previously collected personal information for a use that is materially different than what was previously disclosed to the consumer, not for new personal information that it seeks to collect.
  • Per the Attorney General, when businesses change practices midstream, the consumer should have the opportunity to decide whether to agree to the new purpose. For example, a consumer may be comfortable allowing a business to collect their personal information to use in serving them advertisements for relevant products, but not if the business wants to use the information to conduct psychological experiments.
  • Simply updating an online privacy policy or providing notice without explicit consent for material changes to a business’s use of personal information would not serve the purpose of section 1798.100, subdivision (b). Such an approach would allow businesses to engage in passive notice updates without allowing consumers any agency to control how their personal information is used.
  • Simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice.

"Signed" means both physical and electronic signatures.

"Verify" also means to determine that the consumer making a request to know or request to delete “is the parent or legal guardian of that consumer who is less than 13 years of age."

Language of Privacy Notices: Businesses must provide the notice at collection in the languages in which they provide contracts and other information to consumers in California.

Opt Out Link: Including in your offline notice at collection the method by which consumers can exercise their right to opt out of the sale of the data does not remove the statutory requirement to include this link on the homepage of the website. You need to do both.

Data Brokers and Notice and Collection

  • The Final Statement of Reasons clarifies that businesses that do not collect information directly from a consumer are not required to provide a notice at collection if they do not intend to sell this information. If they intend to sell the information, they must:
    • be registered as a data broker
    • include in their registration submission a link to their online privacy policy that includes instructions on how a consumer can submit a request to opt out.
  • The Attorney General considered alternatives raised by comments and determined that using the data broker registry to provide information about how to opt out of the sale of personal information was a better means to accomplish the purpose and intent of the CCPA with less burden to businesses and consumers.
  • In addition, a business cannot sell personal information it collected during any time it did not have a notice of right to opt out posted unless it obtains the consumer’s affirmative authorization for the sale.
  • The Attorney General believes that the broker registry encourages the development of consumer tools or services by allowing innovators to pull information about how data brokers process requests to opt out from a centralized repository.
  • Because Civil Code section 1798.120, subdivision (b), requires a business that sells consumers’ personal information to third parties to provide consumers with notice of their right to opt out of the sale of their personal information, the converse is also true: If the consumer has not been provided with notice of their right to opt-out when the business collected their personal information, the business cannot sell that consumer’s personal information.
  • CCPA requires giving consumers notice and control, at the point of collection, over the sale of their personal information. While the alternative of allowing a subsequently posted notice of right to opt out to apply retroactively would be less burdensome to businesses, it would not be as effective in informing the consumer of their right at the point of collection, when the consumer may be most aware of what personal information the business is collecting from them.
  • Simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice.

Notice of Opt Out

  • A business has discretion to provide a link directing consumers to the notice in lieu of including the actual language of the notice in the application’s settings menu.
  • A business is required to provide the required information on both the download page and within the application itself, such as through the application’s settings page.
  • In the context of an online service such as a mobile application, the CCPA defines “homepage” as “the application’s platform page or download page, a link within the application, such as from the application configuration, ‘About,’ ‘Information,’ or settings page, and any other location that allows consumers to review the notice . . . including, but not limited to, before downloading the application.”
  • A business that substantially interacts with consumers offline may satisfy the requirement that it use an offline method to provide notice to consumers by posting signage directing consumers to “where the notice can be found online.”
  • Interactive form: Includes non-web-based methods like mobile applications or local network forms, which could also serve as a means for consumers to opt-out of sale.

Financial Incentive

  • A business need only provide a notice of financial incentive if it currently offers a financial incentive or price or service difference, not if it may make such an offering at some point in the future.
  • A business may offer a 10% discount to all customers in connection with the opening of a new store location, but if this is unrelated to the collection, retention or sale of personal information, this discount is not considered a “financial incentive" or a “price or service difference” for purposes of the CCPA and these regulations.
  • Businesses may not operate financial incentive programs without performing a valuation of consumer data. CCPA requires any business offering a financial incentive program to provide a notice that “clearly describes the material terms” of the program.

Methods for Submission of Consumer Rights Requests

A few examples of in-person methods are:

  • a printed form the consumer can directly submit or send by mail
  • a tablet or computer portal that allows the consumer to complete and submit an online form
  • a telephone by which the consumer can call the business’s toll-free number

Service Providers

  • CCPA does not allow consumers to know or delete personal information collected by a non-business merely because the non-business outsources tasks to a service provider.
  • Service providers do not lose their status as service providers merely because they collect consumers’ personal information if that collection is performed at the business’s direction and on behalf of that business.
  • A service provider is prohibited from retaining, using or disclosing personal information obtained in the course of providing services except to provide those services in compliance with the written contract for services and in four other limited circumstances. This prohibition is consistent with how the CCPA defines and regulates the disclosure of consumer personal information to service providers and service providers’ use of that information.
  • For the purpose of processing personal information, the CCPA contemplates a service provider to be an extension of the business for which it provides services.
  • Nothing in the CCPA allows a service provider to retain or use personal information for its own business purpose.
  • CCPA requires that service providers act on behalf of a business by processing information to further the business’s specific business purpose and not for the service provider’s own business purposes.
  • A service provider may not retain, use or disclose personal information to provide services to a third party because such services would not be “on behalf of the business that provided the personal information".
  • Service providers are subject to direct enforcement by the Attorney General if processing information "for any purpose other than the specific purpose of performing the services specified in the contract for the business."
  • A subcontractor must meet all the requirements for a “service provider” for protecting consumer personal information.
  • A service provider is allowed to use personal information internally to build or improve the quality of their services provided that they do not use the information to build or modify household or consumer profiles to use in providing services to another business, or to correct or augment data acquired from another source.
  • The term "correcting or augmenting data acquired from another source" includes deidentified information.
  • This means that a vendor offering customer relationship management software may analyze how one client used its software to access customers’ personal information and then make improvements using that analysis.
  • These prohibitions make clear that personal information acquired from or on behalf of one business cannot be used to provide services to another business — i.e., for a commercial purpose.
  • A service provider’s use of personal information collected from one business to provide services to another business would be outside the bounds of a “necessary and proportionate” use of personal information. Doing so would be advancing the “commercial purposes” of the service provider rather than the “business purpose” of the business.
  • If a service provider’s internal use of personal information functionally operates to make personal information available to multiple businesses, this would constitute a sale, which includes “making [personal information] available” to others (Civ. Code, § 1798.140, subd. (t)(1)), and effectively usurp the consumer’s right to prevent the sale of their personal information.
  • However, a service provider employed by a business may render services to a third party at the direction of and on behalf of the business.
  • Fraud: The exception included in a previous version of the regs regarding sharing for fraud prevention purposes has been reinstated. The Final Statement of Reasons states that this was added to restore the prior language, which is consistent with other California privacy and consumer protection laws (see, e.g., Student Online Personal Information Protection Act, Bus. & Prof. Code, § 22584; California Financial Information Privacy Act, Fin. Code, § 4056; Consumer Credit Reporting Agencies Act, Civ. Code, § 1785.15).

Request to Opt Out:

  • Per the Attorney General, the section of the CCPA regs requiring that "A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out" and the one that requires a business not to "utilize a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s decision to opt-out" are in fact a prohibition against using deceptive dark patterns.
  • Per the Attorney General, "It would run counter to the intent of the CCPA if websites introduced choices that were unclear or, worse, employed deceptive dark patterns to undermine a consumer’s intended direction."
  • Any privacy control designed or developed should clearly communicate or signal that a consumer intends to opt out of the sale of personal information.
  • This section offers consumers a global choice to opt out of the sale of personal information, as opposed to going website-by-website to make individual requests with each business each time they use a new browser or a new device.
  • When a business receives a global privacy control signal for a consumer who has previously agreed to allow the sale of their information, including through participating in a financial incentive program or through a previous business-specific setting, the subsection requires the business to respect the global privacy control signal, but allows the business to notify the consumer of the conflict and ask the consumer to confirm their business-specific privacy setting or participation in the financial incentive program. It appears that this notification would not then be deemed to be in breach of the 12-month prohibition on requesting that the consumer authorize the sale of their personal information.
  • Even if the 12 months have not passed, businesses may inform consumers who initiate a transaction or attempt to use a product or service that requires the sale of their personal information that they need to opt in to the sale of personal information in order to proceed.
  • Using a business’s designated methods for submitting requests to know or requests to delete for the submission of opt-out requests (in lieu of recognizing global privacy controls) is insufficient because it would not be an effective method to counterbalance the ease and frequency by which personal information is collected and sold in online contexts, such as when a consumer visits a website.

Additional Information

California Attorney General's CCPA Homepage