On Friday, February 7, 2020, the Office of Attorney General Xavier Becerra published a notice of modifications to the proposed regulations for the California Consumer Privacy Act (CCPA), which were initially published on October 11, 2019. The Attorney General’s office made the changes both in response to public comments and to clarify and conform the previously proposed regulations. A redline comparison of the original and revised proposed regulations can be found here.
The deadline to submit written comments regarding the proposed modifications is Monday, February 24, 2020 at 5:00 pm. The Attorney General has until July 1, 2020, to adopt final CCPA regulations. One signal sent by these proposed modifications is that it may still be some time before the CCPA regulations are finalized despite the fact that CCPA went into effect on January 1, 2020.
While there are many proposed modifications to the proposed regulations, what we view as the most significant changes are summarized below:
- “Household” No Longer Just Means People Who Live in the Same House. In a change that many privacy groups and businesses advocated for, the definition of “household” was updated from “a person or group of people occupying a single dwelling” to “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” This new definition adds much-needed clarity as to when a group of cohabiting individuals are considered a “household.”
- Changes to Household Requests to Know or Delete. Another modification that was advocated for by privacy and business groups alike impacts when a business is obligated to respond to a request to know or delete for a household. Under the proposed, modified regulations, businesses are only required to comply with a request to know or delete personal information (PI) of members of a household if all household members join the request and can be individually verified. If a consumer maintains a password protected account, this proposed regulation would not impact what information is made available pursuant to the ordinary business practices of any company.
- “Personal Information” Explained. The modifications to the proposed regulations support a plain reading of the CCPA’s definition of “personal information.” Specifically, the modifications make express that “personal information” is limited to information that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” As an example, the modified, proposed regulations explain that IP addresses that cannot be linked with a particular consumer or household are not PI under the CCPA.
- Change to the Standard Under Which Businesses Can Use PI. The modifications provide that businesses must not use PI for purposes “materially different” from those the business originally disclosed upon collection. This modification relaxes the original, proposed regulation that businesses not use PI for “any other purpose than those disclosed.”
- Changes Regarding the Use of Personal Information by Service Providers. Under the text of the initial proposed regulations, service providers were not permitted to use personal information “for the purpose of providing services to another person or entity” other than the source of the PI. The modifications clarify that a service provider may retain, use or disclose PI to perform services pursuant to a written contract with the business that provided the PI, to employ a subcontractor (who meets CCPA requirements), for internal use to build or improve its own services, or to protect against security breaches.
- Verified Consumer Requests to Service Providers. Under the initial, proposed regulations, service providers that received verified consumer requests for disclosure or for deletion were required to either comply with the request or both explain the basis for the denial and “also inform the consumer that it should submit the request directly to the business.” The modifications clarify that, in denying requests, service providers need only tell consumers that they cannot fulfill such requests because they are only service providers and not the business that collected the data.
- Mobile Apps Need to Provide Pop-Up Notices Before Collecting Unexpected Information. What appears to be one of the primary purposes of the modification is to provide additional guidance around mobile applications. One of the changes around mobile apps is that app providers would be required to provide “just-in-time” notices, like pop-ups, whenever a business collects PI through a mobile app that the consumer would not reasonably expect the business to collect.
- Financial Incentives Are Only Permitted if a Business Can Make a Good-Faith Estimate of Value. The revised proposed regulations continue to permit financial incentives or price or service differences if they are reasonably related to the value of a consumer’s data. However, the modifications provide that such differential treatment is not permitted unless the business can make a good-faith estimate of the value of consumer data or show that the difference is reasonably related to the value of the data.
- “Do Not Sell” Link. The modifications include two important aspects of the “Do Not Sell” regime under the CCPA. First, the modifications make express that businesses collecting employment-related information need not provide a Do Not Sell link for such information until January 1, 2021, when the employee information carve-out of the CCPA sunsets. Second, the modified, proposed regulations include the much-anticipated “Do Not Sell” icon, which businesses can use.
- Where to Look for Consumer Information. The modifications add some important guardrails for businesses when responding to a verified consumer request to know. Under the modifications, a business would not be obligated to search for specific PI if: (1) the business does not maintain the PI in a searchable or reasonably accessible format, (2) the PI is kept only for legal or compliance reasons, and (3) the PI is not sold or used for commercial purposes. If each of these three conditions is met, a business need only respond to a request to know by describing the categories of records that contain PI and explaining that it did not search for PI because each of these conditions was met.
- Unverified Requests to Delete and Additional Business Obligations. Under the initial, proposed regulations, if a consumer making a request to delete could not be verified, businesses were required to treat the request to delete as an opt-out request. Under the modifications, that obligation has been replaced with a different regime. Specifically, if a consumer cannot be verified after making a request to delete, businesses that sell PI must ask the requester if they would like to opt-out of the sale of their data.