On February 7, 2020, the California Attorney General’s office issued proposed modifications (Proposed Modifications) to the October 10, 2019, Proposed Regulations (Proposed Regulations) to facilitate the implementation of the California Consumer Privacy Act (CCPA). The California Attorney General issued these Proposed Modifications in response to public comments to provide additional clarity to regulated businesses, and to conform the Proposed Regulations with existing law. The Proposed Modifications were slightly revised on February 10, 2020, to correct an omission in the February 7, 2020, version. The deadline to submit written comments on the Proposed Modifications is February 25, 2020.
Although the California Attorney General had made earlier statements suggesting that revisions to the Proposed Regulations would be minor, the Proposed Modifications contain a surprising number of redlined changes. While many of these changes are clarifying and/or administrative, some are more substantive and raise additional questions, particularly given the limited explanations for the changes that accompanied the Proposed Modifications.
Below we provide an overview of the substantive changes in the Proposed Modifications.
The Proposed Modifications clarify details regarding the required privacy notices to consumers. Mobile technology is also now addressed throughout the various notice requirements.
The Proposed Modifications eliminate some of the content requirements for online privacy policies that had been included in the Proposed Regulations. Going forward, a business will have to identify, for the previous 12 months, the categories of personal information it collected, the categories of personal information it disclosed for a business purpose or sold, and the third parties to whom it disclosed or sold personal information.
Notice at Collection
For the first time, there is now a requirement for just-in-time disclosures if an app collects personal information for a purpose that the consumer would not reasonably expect. As an example, the Proposed Modifications indirectly reference the well-known FTC settlement against Goldenshores Technologies, the popular Android flashlight app that transmitted geolocation data to third parties without the data subject’s knowledge (although the Proposed Modifications notably do not impose the same opt-in obligations required by the FTC in that action).
“[I]f the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.”
Consistent with the Proposed Regulations, the notice at collection should be made readily available where consumers will encounter it, such as on a mobile app’s download page and in the app’s main menu page. A business may post the notice at collection through a conspicuous link on the business’ homepage and on all webpages where personal information is collected. Where a business collects personal information by phone, the Proposed Modifications require the business to provide applicable notices orally.
Businesses that register as data brokers under the CCPA and do not collect personal information directly from consumers will not need to provide notices to consumers at the point of collection, so long as the businesses included such notice in their data broker submission and the notice includes instructions on how consumers can submit opt-out requests. The Proposed Modifications delete the previous Proposed Regulations’ requirement that data brokers contact consumers or the source of personal information before the data broker sells the data.
The Proposed Modifications further confirm that, despite the CCPA’s limited exemptions for personal information obtained from employees, contractors and job applicants, employers must still comply with the CCPA’s provisions requiring businesses to provide a notice to employees at the point of collection. However, the notice at collection:
- Is not required to include hyperlinks titled: “Do Not Sell My Personal Information” or “Do Not Sell My Info”; and
Format of Notices
With respect to the obligation to make online notices reasonably accessible to consumers with disabilities, the Proposed Modifications provide the World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG), Version 2.1, as an example of a generally recognized industry standard in this area. Although there is a circuit split regarding the applicability of the Americans with Disabilities Act to websites and mobile apps, courts are increasingly requiring compliance with WCAG for websites and mobile apps that are considered places of public accommodation—defined as a list of private entities that includes public lodging (such as hotels, restaurants and bars, movie theaters, stadiums, and public entertainment facilities), places of public gathering, stores selling either goods or services, public transportation, museums and libraries, zoos and parks, schools and education facilities, facilities that care for children and adults, recreational facilities, and other similar entities.
Do Not Sell
The Proposed Modifications impose a new restriction prohibiting businesses from selling personal information collected when the business did not have a notice of the right to opt out posted, except with the consumer’s affirmative authorization to do so. In effect, this means that businesses will need to obtain affirmative authorization to sell any personal information collected before the CCPA took effect on January 1, 2020, in addition to information collected after January 1 if the business failed to provide a notice of the right to opt out.
At long last, the Proposed Modifications also provide some clarity around the manner in which the “Do Not Sell” link can be displayed, including unveiling the proposed design of the required button, which features a red x button to the left of the “Do Not Sell My Info” text in the same font size.
There is some controversy around the red x button because it is ambiguous whether the button is activated when the red x is shown (and therefore set to restrict the sale of personal information), or whether the consumer must take further action to restrict the sale of their personal information. Use of the red x button, however, may be useful in drawing a consumer’s attention to the notice of right to opt out and may help strengthen the accessibility of that notice.
The Proposed Modifications further clarify that requests to opt out must be easy for consumers to execute; businesses are prohibited from using a method designed to subvert or impair a consumer’s decision to opt out.
The Proposed Modifications also extend the timeframe to comply with an opt-out request to 15 business days (from 15 days) and eliminate the business’ obligation to inform all third parties to whom it sold the consumer’s personal information in the 90 days prior to receipt of the opt-out request. A business now only has to inform the third parties to whom it sold a consumer’s personal information between the time when an opt-out request is received and the time the business fulfills the request.
Notice of Financial Incentive/Discriminatory Practices
The Proposed Modifications further clarify the requirements related to the notice of financial incentive and the prohibitions around discriminatory practices. If a business cannot calculate a good-faith estimate of the value of the consumer’s data or cannot show that the incentive is reasonably related to the value of the consumer’s data, the business is prohibited from offering the financial incentive or price or service difference. To illustrate when practices may be discriminatory, the Proposed Modifications include a number of new examples related to loyalty programs and pop-up offers of discounts in exchange for providing an email address.
The Proposed Modifications modify the time periods for responding to consumer requests and include clarifications as to how requests should be submitted and a business’ obligations in responding to requests.
Methods for submitting requests: Businesses that operate exclusively online and have a direct relationship with a consumer are only required to provide an email address for submitting requests to know. All other businesses must still offer at least two designated mechanisms for consumers to submit requests to know. Notably, the Proposed Modifications eliminate the requirement that a business offer an interactive form for requests to know. The Proposed Modifications have also deleted the interactive form from the list of designated methods. Accordingly, it is unclear if the interactive form implemented by many businesses on their websites since January 1 continues to be a valid method to offer consumers to make a request to know.
Time periods for responding to requests: Businesses must confirm receipt of requests to know and requests to delete within 10 business days (as opposed to 10 days in the Proposed Regulations) from the date the business receives the request. Businesses may send the confirmation in the same manner in which the request was received. Businesses must also respond to requests to know and requests to delete within 45 calendar days from the date the business receives the request. If the consumer’s identity cannot be verified within 45 days, the business may deny the request.
Responding to requests to know: A business can reject a request to know if it can meet all of the following conditions:
- The business does not maintain the information in a searchable or reasonably accessible format;
- The business maintains the information solely for legal or compliance purposes;
- The business does not sell the information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain information that it did not search because it meets the conditions stated above.
Responding to requests to delete: If a business sells personal information and the consumer has not already made a request to opt out of that sale, upon receipt of a request to delete, the business must ask the consumer if they would also like to opt out of the sale of their personal information and either include (1) the contents of the notice of right to opt out, or (2) a link to the notice. Businesses also no longer need to carry out a two-step process for requests to delete.
The Proposed Modifications clarify that a service provider is restricted from retaining, using or disclosing personal information obtained in the course of providing services to a business except:
- To perform the services specified in the written contract with the business;
- To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider;
- For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
- To detect data security incidents, or protect against fraudulent or illegal activity; or
- For other enumerated purposes.