On February 10, 2020, the California Attorney General published revisions to the proposed regulations (Revised Regulations) to implement the California Consumer Privacy Act of 2018 (CCPA). The changes largely clarify and soften some of the more onerous or prescriptive requirements of the proposed regulations—although many challenging aspects of the regulations remain, and some new concepts make an appearance as well.
Comments on the Revised Regulations are due by February 25, 2020, at 5 p.m. PT. The initial proposed regulations were published on October 11, 2019. The CCPA went into effect on January 1, 2020.
Below we highlight provisions in the Revised Regulations that are of particular interest.
Limited Relief From Searching and Disclosing Personal Information That Is Not Reasonably Accessible
Under the CCPA, a consumer’s1 “right to know” what personal information has been collected about them, including the right to know specific pieces of information, is not limited to electronic information or structured data. Rather, the CCPA could be read to require businesses to disclose all personal information whether electronic or contained in emails, handwritten notes, and other formats that are hard to identify and retrieve. The Revised Regulations provide limited relief on this point, stating that a business is not required to search for personal information if:
- The personal information is not maintained in a searchable or reasonably accessible format;
- The personal information is maintained solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that it did not search but that may contain personal information.2
A New Requirement for Just-In-Time Notices
When a business collects personal information from a consumer’s mobile device for a purpose that the consumer “would not reasonably expect,” the Revised Regulations would require the business to provide a “just-in-time notice.” This notice must summarize the categories of personal information being collected and provide a link to the full privacy notice required under the CCPA.3 Just-in-time notices have not previously appeared in the CCPA. Generally, such notifications must be made immediately before the collection of information described in the notice.
Notice Exemption for Information Collected From a Third Party Removed
The Revised Regulations spell out some new prohibitions around how businesses must operationalize the consumer rights provided under the CCPA, including:
- Verification and other procedures may not be used to “subvert” or “impair” a consumer’s decision to opt out. A business’s methods for submitting requests to opt out shall be “easy” for consumers to execute and require “minimal steps” to allow the consumer to opt out.5
- A business must not impose a fee for verification. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.6
- A business may not disclose biometric data to a consumer in response to a “right-to-know” request. Biometric data was added to a list that includes Social Security Number and other identifiers.7
Clarifying the Role of Service Providers
The Revised Regulations clarify the role of service providers under the CCPA:
- Service providers are prohibited from retaining, using, or disclosing personal information obtained in the course of providing services, except for certain enumerated purposes, including for detecting data security incidents, protecting against fraudulent or illegal activity, and for “internal purposes” to improve the quality of their services.8
- The limited responsibility of service providers to respond to consumer requests was refined, specifying that service providers that receive an access or deletion request must either “act on behalf of the business” in responding to the request or inform the consumer that the request cannot be acted upon by the service provider. Service providers are no longer required to refer the requestor to the applicable business.9
User-Enabled Privacy Controls Qualify as Opt-Out Requests
Despite not being mentioned in the text of the CCPA, the initial proposed regulations required businesses that collect information online to treat user-enabled privacy controls (including browser plugins or privacy settings such as “Do-Not-Track” signals) as a sign of a consumer’s choice to opt out of the “sale” of their personal information. Companies have not historically responded to Do-Not-Track signals, as there is no clear standard for receiving or interpreting those signals. The Revised Regulations nonetheless appear to create an affirmative requirement to honor these automated signals, and they add language that provides context on how such signals should be interpreted.10
Adjusting Other Requirements
The Revised Regulations adjust some of the requirements from the initial proposed regulations, including:
- Data Rights Request Statistics. Businesses would be required to publish statistics on their responses to consumer rights requests only if the business buys, receives, sells, or shares the personal information of 10 million or more consumers in a calendar year, where previously the threshold was 4 million or more consumers.11
- Notice to Third Parties of Opt-Out Requests. If a consumer exercises their right to opt out from the sale of personal information, the business would be required to provide notice of the consumer’s opt-out request to any third party to whom it sold the consumer’s information after the opt-out request was received and before complying with the opt-out request. Under the initial proposed regulations, notice had to be given to every third party to whom the information was sold in the 90 days before receipt of the opt-out request.12
- Verification of Household Members. The Revised Regulations establish more detailed standards for the verification of requests to access or delete household information when not submitted through a password-protected household account. Businesses must now individually verify all of the members of the household and verify that each member is currently a member of the household.13
- Deny Requests to Know or Requests to Delete if No Verification. The Revised Regulations make clear that a business may deny a request to know or a request to delete if the business cannot verify the consumer within the 45-day time period.14
- Authorized Agent Clarified. The definition of an “authorized agent” now makes clear that any person or business registered with the Secretary of State to conduct business in California may operate as an “authorized agent” under the CCPA. No special license will be required.
Adding Flexibility to Prescriptive Standards
Another theme of the Revised Regulations is adding some flexibility to prescriptive requirements defined in the initial proposed regulations, including:
- The Scope of “Personal Information.” The Revised Regulations clarified that “Personal Information” does not include information that is maintained in a manner that does not identify, relate to, or describe a particular consumer or household and is not reasonably capable of being linked to one. The Revised Regulations specifically state that an IP address collected from visitors to a website would not constitute “personal information” under the CCPA if the IP address is not linked to any particular consumer or household.15
- Affirmative Consent Required Only if Material Change in Use. Under the Revised Regulations, a business is required to directly notify consumers and obtain explicit consent for a new use of previously collected personal information only if the new use is materially different from what was previously disclosed to the consumer in the notice at collection.16 Previously, there was no materiality threshold.
- Webform Requirements Removed. There is no longer a requirement that a webform be made available for submitting requests to delete and to know.17 Businesses are still required to provide an interactive form for submitting opt-out requests.18 The Revised Regulations also remove the requirement to use a two-step process to confirm online requests to delete.19
- Reasonable Accessibility. It is now required that policies and procedures be reasonably accessible to consumers with disabilities. The Revised Regulations direct businesses to follow “generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.”20
- Request Acknowledgement. The Revised Regulations clarify that the acknowledgement of receipt of an access or deletion request, which must be given within 10 business days, may be given “in the same manner in which the request was received.”24 For example, if the request is made over the phone, the confirmation may be given during that phone call.