On March 11, 2020, the California Attorney General released another set of revisions to the California Consumer Privacy Act (CCPA) draft implementing regulations. The regulations are not yet finalized (a public comment period for this most recent version is open until March 27, 2020), but below we highlight key changes and takeaways for businesses under the latest version of the regulations. Note that this round of revisions to the regulations largely consist of updates to the prior modifications to the regulations, which we summarized in a previous alert available here.
Modified Definition of “Financial Incentive“
The definition of “financial incentive” was modified from a “program, benefit, or other offering, including payments to consumers as compensation for the disclosure, deletion, or sale of personal information” to a “program, benefit or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.” This change seems to broaden the concept of financial incentive to potentially pick up other types of program and incentives so long as there is some sort of connection between the consumer’s personal information and incentives being offered.
The latest turn of the regulations clarifies restrictions related to service providers’ use of personal information by clarifying that while service providers can use personal information for internal purposes to build or improve the quality of their services, such use would not expand to using personal information to build or modify consumer profiles to use in providing services to another business or augmenting data acquired from another source.
Consumer requests. When responding to a request to know, businesses must now disclose when the business maintains consumers’ sensitive data (e.g., SSN), without actually disclosing the sensitive data. With respect to deletion requests, if a business that sells personal information denies a deletion request, it must ask the consumer if the consumer wants to opt out of the sale of the consumer’s personal information.
Businesses that do not collect PI directly from consumers are not required to provide a notice at the point of collection if such business do not sell consumers’ personal information.
Removal of the opt-out button
The latest version of the draft regulations removes the optional standard “Do Not Sell” opt-out toggle button and all accompanying language.
Privacy policies must include the categories of sources from which personal information is collected, as well as the business or commercial purposes for collecting or selling personal information.
The prior modifications to the draft regulations provided that IP addresses are considered personal information if a business can “reasonably link” IP addresses with a particular consumer or household. The latest version of the regulations removes this language completely. A link to a comparison version of the latest modifications to the draft regulations is available here.