On Friday, February 7, 2020, the California Department of Justice, Office of the Attorney General (AG) released revisions to the proposed California Consumer Privacy Act (CCPA) regulations, which were originally published and noticed for public comment on October 11, 2019. The announced changes were made in response to public comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law. The AG will accept written comments regarding the revised proposal or materials added to the rulemaking file until 5 p.m. (PST) on February 24, 2020.
This alert summarizes the notable changes to the proposed regulations and provides a preliminary analysis of the effects of those changes. This analysis is not intended to be exhaustive.
Authors: Sarah L. Bruno
UPDATE: Since this client alert was issued, the deadline to comment has been extended to Tuesday, February 25, 2020, and one substantive change was made: the threshold for the notice requirements that previously applied to companies with the personal information of 4,000,000 consumers has been increased to 10,000,000 consumers.
Overview
The latest proposed and revised CCPA regulations from the California Attorney General may provide some relief and clarity for covered businesses. There is much to unpack in the AG's revisions. A few examples include:
(1) Personal Information Definition Exclusions. The regulations clarify the definition of "personal information" to exclude certain information based on the "manner" in which a business "maintains" the information;
(2) 90 Day Look Back Removal. The regulations remove the 90 day look back period from the sale opt-out requirement; and
(3) Non-Discrimination Clarification. The regulations clarify the non-discrimination provision to state that it is not discriminatory to deny a request to know, a request to delete, or an opt-out for reasons permitted by the CCPA.
What does it mean for my business?
While the revised regulations depart from the initial proposed regulations in a few key ways, businesses that built CCPA compliance programs based on the initial proposed regulations will largely be in good shape should these regulations become final as drafted. They should, however, consider how and to what extent these revisions will impact their existing efforts. The AG has provided no indication that he intends to delay the July 1, 2020 enforcement date, or eliminate the basic rights afforded to California consumers or the corresponding requirements placed on covered businesses by the CCPA. Any covered business that has not yet started its compliance program should start that work now.
Still, there may be more to come, as these changes are subject to additional comments until February 24.
What are the notable changes?
While a number of revisions were made to the proposed regulations, here are some of the key changes:
(1) Revisions to the definitions. In section 999.301, several definitions were clarified, added, or amended, including:
a. "Categories of sources" and "categories of third parties." These two definitions were bolstered to explain that the categories must be "described with enough particularity to provide consumers with a meaningful understanding" of the source or the type of third party.
b. "Household." Section 999.301 explains that a household is a "person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier." If enacted, this would eliminate some confusion about the scope of this term.
c. "Price or service difference." The definition was qualified to apply only to differences "related to the disclosure, deletion, or sale of personal information."
(2) Scope of "personal information." Industry stakeholders will likely be pleased to see the scope of "personal information" formalized into a provision of the revised regulations. The AG's office has added section 999.302, which clarifies that the manner in which a "business maintains information" can help determine whether it is considered personal information under the CCPA. The new provision provides a significant example to help with understanding: "For example, if a business collects the IP addresses of visitors to its web site but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be considered 'personal information.'" This is an important (and much needed) clarification for companies collecting information via cookies or pixels, and could serve as a victory for the adtech industry.
(3) Updates to notice requirements. Section 999.305 addresses the privacy notice requirements. Some of the more notable revisions to this section include:
a. Standard for accessibility. The revised regulations clarify the requirement that notices (and other rights) be reasonably accessible to people with disabilities, by explaining that businesses must follow "generally recognized industry standards, such as Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium."
b. Focus on notice placement and conspicuousness. The AG's revisions to subsection 999.305(a)(3) include language to clarify that the notice must be "made readily available" to consumers somewhere where they will "encounter it at or before the point of collection," and, as an example, for online notices states that businesses "may post a conspicuous link to the notice on the introductory page of the business's website." This confirms that no web banner is required.
c. Privacy notice compliance for mobile apps. The revisions explain that mobile apps may comply with the notice (and opt-out requirements) by linking to the notice on the app's download page and within the application, such as through the settings menu.
d. Just-in-time notice requirement for unexpected collection. The revisions provide that when a business collects personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect, such as collecting geolocation data in a flashlight app, the business must provide detail in a just-in-time notice (e.g., a pop-up window) containing a summary of the categories of personal information being collected and a link to the full notice at collection.
e. "Materially different" purpose. The proposed revisions add the language "materially different" to clarify the requirement for when a business needs to notify a consumer about and obtain consent for a new intended use of previously collected personal information. This is a helpful change, as previously the regulations seemed to require such a notice and consent when there was any different use of personal information.
f. Data brokers. The AG removed requirements for notices of sale in certain instances when a business does not directly collect information from consumers, instead relying on the California data broker registration law, which became effective on January 1, 2020 and applies to businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship. Now, the proposed regulations state that if a company is registered as a data broker, it does not need to provide notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt out.
g. Employment notices do not need the "do not sell" link. If adopted, this revision will remove the requirement to include a "do not sell" link in employee and job applicant privacy notices, at least until the employment exceptions are scheduled to sunset on January 1, 2021.
(4) Updates to sale opt-out requirements. Section 999.306 has been revised to add some clarity to the opt-out requirement:
a. "May in the future sell" has been struck. Good news! Businesses no longer have to predict the future. The proposed revisions strike language that previously stated that the purpose of the opt-out was to inform consumers of their right to direct a business that sells, or that "may in the future" sell, to stop. The language requiring that predictive forethought has been removed, which is a relief to those companies debating whether to include the opt-out because they may sell data at some point in the future.
b. Less language in the opt-out notice. The proposed revisions explain that the opt-out notice no longer needs to address an "authorized agent" or provide a link or URL to the business's privacy policy.
c. Opt-in consent is needed for data collected without an opt-out disclosure. The proposed revisions have added the following: "A business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer."
d. The opt-out button. The proposed regulations now have added a button icon which "may be used," indicating it is not required. It appears as follows:
The proposed regulations also explain that if the button is used it shall appear to the left of the "Do Not Sell My Personal Information" or "Do Not Sell My Info" link and shall be approximately the same size as other buttons on the business's webpage.
(5) Privacy policy updates. Section 999.308 explains the purpose of the privacy notice. The latest revisions make some updates to privacy notice requirements:
a. Removal of requirement that businesses identify the source of the information. The revisions have removed the requirement that, for each category of personal information, a business list the categories of sources from which the information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information. This will certainly lighten the load for privacy notices, if approved. Thus, if the revisions to the regulations are adopted, a business must still provide the purpose for the collection of personal information and the categories of third parties that are to receive the information, but it no longer has to delineate the source for each category of information, and businesses could consider removing this reference from their policies.
b. Disclosure to third parties. In subsection 999.308(c), the revisions seem to just tighten up the requirements; they remove the requirement that the business state whether or not it sold or disclosed personal information to third parties for a business or commercial purpose in the preceding 12 months. This makes a privacy policy only a sentence or two shorter because the regulations still require a business to identify the categories of personal information that the business has disclosed to third parties for a business purpose or sold in the preceding 12 months. Further, the revisions still include the requirement that, for each category of personal information identified as sold in a privacy policy, a business must list the categories of third parties that received the information.
c. Right to delete clarification. One important clarification was made to the notice related to deletion requests. The language was revised to state that a privacy notice must "explain that the consumer has a right to request the deletion of their personal information collected or maintained by the business." The deletion of the "maintained" concept could be important, as it appears to limit the right of deletion to only information collected by the business.
d. Notify whether the business sells data. The revisions clearly require that a business state in its privacy notice whether or not it sells personal information.
(6) Methods for submitting requests to know/delete. Section 999.312 clarifies the requirements for requests to know and requests to delete, including:
a. If a business is exclusively online, an email address is enough. The revised regulations now clearly provide that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address (versus a toll-free number and an interactive webform) for submitting requests to know.
b. In-person methods. If a business interacts with consumers in person, the revised regulations state that the business "shall consider" providing an in-person method such as a form that the consumer could directly submit or submit by mail, by using a tablet or computer portal, or by calling a telephone/toll-free number.
(7) Clarifications on responses to requests to know/delete. Section 999.313 was revised to clarify the requirements. The more noteworthy changes include:
a. Confirmation. This provision provides businesses with additional time (10 business days) to confirm a request to know or delete and notes that the confirmation may be given in the same manner in which the request was received (e.g., a phone request may be confirmed during the phone call). The prior draft required a confirmation within 10 days without further clarification.
b. No search required. The revised regulations now include the following language, which should assist businesses that maintain information in difficult-to-search formats for legal or compliance purposes, such as for legal holds:
"In responding to a request to know, a business is not required to search for personal information if all the following conditions are met:
a. The business does not maintain the personal information in a searchable or reasonably accessible format;
b. The business maintains the personal information solely for legal or compliance purposes;
c. The business does not sell the personal information and does not use it for any commercial purpose; and
d. The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above."
While the conditions presented in this revision appear onerous, businesses with established document retention policies and procedures may benefit from their ability to identify and distinguish data stores containing personal information maintained solely for compliance purposes that would require difficult manual processes to search.
c. No biometric data. Biometric data has been added to the list of data that should never be disclosed in a request to know.
d. Sale of data. The provisions summarizing the content of the response to a verified request to know now clearly require a business to inform the consumer if their personal information was "sold."
e. Business purpose. The revisions add a new provision that requires a business to include in a request-to-know response "the categories of personal information that the business disclosed for a business purpose in the preceding 12 months, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information."
f. A non-verified deletion request does not become an opt-out. The revisions removed the language stating that a non-verified deletion request should be treated as an opt-out of the sale, a provision that many commenters thought was problematic. Instead, the revisions now state that the business can ask the consumer if they want to opt out in such an instance.
g. Deletion responses no longer have to state how the data was deleted. Subsection 999.313(d)(4) containing this requirement was deleted.
(8) Service providers. Section 999.314 addresses and describes the requirements for service providers. Some of the more noteworthy changes are as follows:
a. Service providers to non-business entities. The revisions to subsection 999.314(a) attempt to offer some clarity to this often misinterpreted subsection, providing that a business that provides services to a non-business entity and otherwise meets the requirements and obligations of a "service provider," is considered a service provider. According to the AG's Initial Statement of Reasons released along with the original proposed rules, this subsection is not intended to address a service-provider-to-service-provider scenario. Rather, it is to address where a business provides services to entities such as non-profits and government entities that fall outside the definition of a "business" under the CCPA.
b. Service providers collecting information on behalf of a business. Revisions to subsection 999.314(b) allow for businesses that are acting as service providers to collect personal information directly from consumers on a business's behalf. The revisions to subsections 999.314(a) and (b) limit affected vendors' responsibilities for responding to consumer requests for that personal information.
c. Permitted uses of personal information by service providers. The revisions confirm that a service provider may not retain, use or disclose personal information obtained in the course of providing services except in a few instances:
i. to perform the services specified in a written contract;
ii. to engage another service provider as a subcontractor, where the subcontractor also meets the requirements for a service provider under the CCPA and the regulations;
iii. for internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
iv. to detect security incidents, and protect against fraudulent or illegal activity; or
v. for reasons specified in CCPA, subsections 1798.145(a)(1) – (a)(4) (e.g., to comply with laws).
d. Service providers should not sell data on behalf of a business when the consumer has opted out. The revisions now make this point clear.
e. Requests to know/delete. If a service provider receives a request to know/delete, the revisions provide that a service provider may either fulfill the request on behalf of the business or inform the consumer that it cannot act on the request because the request was sent to a service provider; service providers are no longer directed to provide the consumer with the business's contact information. This is an important clarification for a number of companies that operate primarily as service providers.
(9) Opt-out requests. The revisions to section 999.315 contain a few notable changes:
a. Opt-out methods should be easy for consumers to execute. The revisions specify that opt-out mechanisms that effectively subvert or impair a consumer's decision to opt out will be considered non-compliant.
b. Privacy controls must clearly communicate or signal that a consumer intends to opt out of the sale of personal information. The revisions note that the consumer must affirmatively select their choice to opt out, and that it shall not be designed with pre-selected settings.
c. Consumers should have a right to choose. The revised regulations now address potential conflicts between privacy controls and required participation in financial incentive programs, permitting the business to notify the consumer of the conflict and to request that the consumer choose between the control and the loyalty program.
d. Clarification of response time. Businesses now have 15 business days to comply with opt-out requests.
e. The "90 days prior" language was removed! It's time for celebration, because the revised regulations struck the language requiring businesses that receive an opt-out to notify those third parties to which the business sold the data within the 90 days prior. Instead, the revised regulations state that a business must notify third parties to whom it sells data in the period of time between receiving the request and complying with it; the relevant parties must be told of the opt-out and be directed not to sell that consumer's information.
(10) Training and record keeping. Section 999.317 addresses the training and record keeping requirements. Some of the more noteworthy changes include:
a. Reasonable security measures. A revision to subsection 999.317(b) adds a requirement that businesses apply "reasonable security practices and procedures" to records maintained for CCPA purposes.
b. Records must not be shared with any third party. The revisions make it clear that information a business keeps for record keeping must not be shared with a third party.
c. Requirements for businesses that sell or share for commercial purposes more than 4,000,000 records. The record keeping requirements for these companies have not been modified, but the disclosure requirements have been clarified. Now, these companies must disclose their statistics in their privacy notice by July 1 of every calendar year. Language was also added to explain that a business may choose to identify the number of requests that it denied in whole or in part because such request was not verifiable, was not made by a consumer, called for information that is exempt, or was denied on other grounds. The revisions also state that upon request, the business must compile the information and provide it to the AG.
(11) Discriminatory practices. Section 999.336 was also clarified as follows:
a. No financial incentive if a business cannot calculate a good-faith estimate of the value of the consumer's data. Specifically, new language was added as follows: "If a business is unable to calculate a good-faith estimate of the value of the consumer's data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer's data, that business shall not offer the financial incentive or price or service difference."
b. Denial is not discriminatory. Another helpful clarification: a provision was added stating that a denial of a request to know/delete or opt out for reasons permitted by the CCPA is not discriminatory. The revised regulations also provide some clearer examples.
This preliminary analysis is intended to identify and analyze those revisions that we found most notable; the proposed revisions contain a number of changes aside from those identified here. As noted above, they will impact businesses in different ways depending on the personal information practices of the particular business.
There may also be further revisions after the next comment period. If a business would like to submit a public comment, it may do so before 5 p.m. (PST) on February 24, 2020 by email or by mail to:
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Client Alert 2020-051