In Short

The Situation: Four months after releasing the initial draft proposed regulations to the California Consumer Privacy Act ("CCPA") of 2018, the California Attorney General ("Attorney General") issued modifications to these regulations in response to public comment.

The Result: The modified regulations propose a number of key changes that impact companies' compliance efforts.

Looking Ahead: The Attorney General will accept public comment on these modified draft regulations until Tuesday, February 25, 2020, at 5:00 p.m. (PST). Businesses subject to the CCPA should consult the newly revised draft regulations and consider adjusting their ongoing compliance efforts.

On February 7, 2020, the Attorney General released modifications to the proposed CCPA regulations for public comment ("modifications"). These modifications stem from feedback the Attorney General received during the comment period last year to the formerly released draft regulations. Below is a summary of some of the significant changes to the regulations:

Clarifying Definition of "Personal Information"

The modifications clarify that information must be reasonably linked to a consumer in order to constitute "personal information" under the CCPA. For example, certain information, such as an IP address, will not be considered "personal information" if a business does not link that information with a particular consumer or household and could not reasonably link it with a particular consumer or household. (§ 999.302).

New Notice Requirements for Businesses that Collect Data Indirectly

The modifications exempt businesses that are registered as data brokers (i.e., businesses that collect personal information from consumers indirectly) with the Attorney General from providing notice to consumers whose data they collect indirectly—provided their registration submission includes a link to their online privacy policy with instructions on how a consumer can submit a request to opt out. (§ 999.305(d)).

Right to Know

Under the modifications, businesses can now provide the categories of sources from which the personal information was collected, the business purpose for collection, and the categories of third parties they share personal information without listing this information for each identified category of personal information collected. However, businesses must still provide the categories of third parties to whom the businesses sold or disclosed that information in the preceding 12 months for each category of personal information identified. (§ 999.305; § 999.313(10)).

Businesses will have to change their privacy policies to make them more accessible for consumers on their mobile devices. Additionally, privacy policies must be available for consumers to download.

Newly Designed Opt-Out Button

The modifications include a newly designed opt-out button. (§ 999.306(f)). The modifications, however, do not provide any further clarifications to the definition of the broadly defined term "sale." Businesses, therefore, will still have to consider whether they are engaged in a sale of personal information under the CCPA.

Consumer Requests

The modifications make several changes to how businesses respond to consumer requests:

  • Online-only businesses that have a direct relationship with consumers are no longer required to have an interactive web form for consumers to submit requests to know. Instead, consumers can contact such businesses via the businesses' email address. All other businesses must provide at least two methods for submitting such requests to know, including, at a minimum, a toll-free telephone number. (§ 999.312(a)). This modification harmonizes previously inconsistent approaches set out by AB 1564 and the original draft regulations on the methods businesses must provide to consumers to exercise their right to know. Interestingly, all businesses must still provide two or more designated methods for submitting requests to delete. (§ 999.312(b)).
  • The modifications clarify that businesses have 10 business days to confirm receipt of a consumer's request and 45 calendar days to respond to requests to know and delete. (§ 999.313).
  • For responding to opt-out requests, businesses have 15 business days to act (as opposed to calendar days). (§ 999.315(f)).

Service Providers

The modifications clarify that an entity qualifying as a "business" can also be a "service provider." Additionally, the modifications contemplate that service providers may use personal information obtained in the course of providing services only for certain reasons, including, inter alia, for internal use to build or improve the quality of its services, without engaging in a "sale." (§ 999.314(c)).

Household Requests

The modified regulations clarify how businesses should process and verify requests to access or delete household information. In order for a business to process a request to know specific pieces of personal information about a household or a request to delete household personal information without a password-protected account, all three of the following requirements must be met:

  • All consumers of the household jointly make the request to know or delete;
  • The business individually verifies all the members of the household subject to the verification requirements; and
  • The business verifies that each member making the request is currently a member of the household. (§ 999.318).

Authorized Agents Explained

The modifications also change how businesses must process requests submitted by authorized agents. (§ 999.326).

  • First, the modifications narrow the definition of "authorized agent" to include only natural persons or business entities registered with the Secretary of State "to conduct business in California." (§ 999.301(c)).
  • And now, agents must "implement and maintain reasonable security procedures and practices to protect the consumer's information" and can use a consumer's personal information only to "fulfill the consumer's request, for verification, or for fraud prevention." (§ 999.326(d)-(e)).

The Attorney General also clarified in a subsequent revision issued on February 10, 2020, that the metrics reporting requirement will apply to businesses that buy, receive, sell, or share the personal information of 10 million or more consumers in a calendar year, an increase from four million in the original, proposed regulations. (§ 999.317(g)).

Two Key Takeaways

  1. These modified regulations are not the final version. The Attorney General has opened another public comment period for the modified regulations. The deadline to submit written comments to the California Department of Justice is February 25, 2020, at 5:00 p.m. (PST). The Department of Justice has provided more information on how to submit comments.
  2. Although the Attorney General cannot bring an enforcement action until July 1, 2020, businesses should carefully review these modified regulations and consider taking steps to adjust their data collection policies, procedures, and practices to comply with these newly revised requirements.