On Friday, February 7, the California Attorney General released modified draft regulations to the California Consumer Privacy Act (CCPA), which became effective January 1, 2020. These are not the final regulations. Rather, the modifications are in response to the substantial public comments received on the draft regulations to date. Public comments on the modified regulations are due by February 24, 2020. Final regulations are expected in May 2020, with Attorney General enforcement to commence on July 1, 2020.
The most significant modifications to the CCPA regulations include the following changes and/or clarifications:
1. Personal Information Must Be Used to Identify a Person/Household: The modifications confirm that whether or not data constitutes “personal information” depends on how the business maintains and uses the information. The modifications provide the following example:
• “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be 'personal information.'"
In other words, even if collected data falls within the CCPA definition of personal information, it is not treated as personal information where the business does not link it, and could not reasonably link it, to any particular consumer or household.
2. Notices at Point of Collection Required: The modifications clarify that a business may not use personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
• The categories of personal information collected;
• The categories of sources from which it was collected;
• The business or commercial purpose for collecting or selling personal information;
• The categories of third parties with whom the business shares personal information;
• The categories of personal information the business sold in the past 12 months and, for each category, the categories of third parties to whom they sold it; and
• The categories of personal information disclosed for business purposes in the past 12 months and, for each category, the categories of third parties to whom they disclosed it.
4. Consumer Rights Requests: The modifications would update how a business responds to consumer rights requests as follows:
• Online-Only Businesses: An online-only business that has a direct relationship with the consumer need only provide an email address for submitting requests. This essentially eliminates the toll-free telephone number requirement for online-only businesses. All other businesses must offer two methods, including a toll-free number and a method that reflects the primary way in which the business interacts with consumers.
• Timing: A business has 10 business days to confirm receipt of a request, and 45 calendar days to respond. If the business cannot verify the consumer’s identity within the 45 days, the business may deny the request. In other words, the clock does not run indefinitely if the consumer has not verified his or her identity during the initial 45-day period.
• “Right to Know” Search and Production Exceptions: A business does not need to search for personal information in response to a request if the business does not maintain the personal information in a searchable format, but maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it holds that it did not search but which may contain the information.
Similarly, the modifications struck the express exception that barred a business from providing specific pieces of personal information where the disclosure would create a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Instead, the modifications more generally state that a business may withhold specific pieces of personal information, in whole or in part, because of a conflict with federal or state law or based on an exception to the CCPA, but must inform the requester and explain the basis for the denial, unless prohibited from doing so by law.
• Deletion Denial/Opt-Out Notice: If the business denies a deletion request, it also must ask the consumer whether they want to opt out of the sale of their personal information (even if the consumer has not made an opt-out request), and include a link to the opt-out.
• Deletion Compliance: Two-step confirmation of deletion requests is no longer required. In fulfilling a deletion request, the business does not need to specify the manner in which it deleted the personal information.
• Verification: First, the modifications state that a business cannot require a consumer to pay a fee for the verification of a request to know or request to delete. Next, the modifications provide additional guidance on how to verify a request from a non-account holder in certain retail and mobile application settings, and they reiterate that a request may be denied due to lack of verification and/or no reasonable method by which verification may occur, with certain explanations provided by the business.
5. Do Not Sell Button: The modifications provide that the opt-out method must be easy for consumers to use and require minimal steps: “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
The modifications provide additional information about the voluntary use of the opt-out button. When the opt-out button is used, it should be the same size as other buttons on the web page.
6. Opt Out: A business has 15 business days to comply with an opt-out request. Significantly, the modifications eliminate the requirement that a business notify all third parties to whom it sold the consumer’s data within the prior 90 days, previously known as the 90-day “look back.” Instead, this obligation is limited to sales of personal information to third parties made between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business must direct the third-party purchasers not to further sell the data.
7. User-Enabled Privacy Controls: A privacy control developed in accordance with the regulations must clearly communicate that a consumer intends to opt out of the sale of their personal information. The privacy control must require that the consumer affirmatively select their choice to opt out and not be designed with pre-selected settings. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or to participate in the financial incentive program.
9. Loyalty Programs/Non-Discrimination: If a consumer informs the business that they would like to remain in a loyalty program but otherwise have the business delete their information, it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in, and benefits from, the loyalty program. The modifications expressly state that a business’s denial of a consumer’s request to know, request to delete, or request to opt out for reasons permitted by the CCPA or the regulations is not discriminatory.
The modifications also provide illustrative examples of circumstances where the denial of financial incentives would be considered discriminatory.
10. Service Providers: The modifications clarify that it is acceptable (and not a “sale”) for a service provider to use personal information received from a business to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. The modifications also require the service provider to stop selling data on behalf of a business once a consumer has opted out of the business’s sale of their personal information. This clarification rejects the interpretation that using personal information to build or augment profiles, or to clean or augment personal information, is an acceptable “business purpose” between a business and a service provider.
CCPA compliance should be evaluated in conjunction with the numerous other data security and privacy laws across the globe for a comprehensive program. The experienced team of Beckage PLLC is available to help navigate this fast-moving legal landscape.
*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome