Since the California Attorney General (AG) released proposed regulations back in October, and our comprehensive blog in February, keeping up with the California Consumer Privacy Act (CCPA) can be a challenge. The proposed regulations have changed twice, with the first proposed modifications in February and the second set about a month later on March 11.
Even though enforcement will not begin until July 1, 2020, consumers are still able to submit requests to “know” or “delete” to covered entities. On the other hand, there is a coalition pushing for delayed enforcement of the CCPA due to recent events around COVID-19. This post highlights the changes between the first and second sets of modifications, including additions and deletions, since our February report. The modifications are somewhat minor with technical tweaks and a few exceptions.
What has changed?
Article 1 has undergone some minor changes with the addition of more definitions, such as the Children’s Online Privacy Act (COPPA), employment benefits and employment-related information, along with the definition around the “value of the consumer’s data.” These are all important because it reiterates the AG’s focus and stance on minor data, the development of employee data handling and the emergence of organizations applying and calculating monetary value to a consumer’s data.
The updated rules require businesses who have “actual knowledge” of their minor data collection practices to provide additional disclosures in the online privacy notice around the collection of personal information of individuals under 16 years of age.
For employment-related information, businesses that collect this type of data must still provide notice upon collection, although a “Do Not Sell My Info” link or a notice to online privacy policies for employees and contractors is no longer required. This includes not having to provide weblinks to a business’s privacy policies for job applicants.
Financial incentives changed from the previous definition and now include payments or offerings to consumers “as compensation, for the disclosure, deletion, or sale of personal information” to payments or offerings that are “related to the collection, retention, or sale of personal information.” The new language adds “collection” and “retention” with “disclosure” and “deletion” removed in the updated definition. The change appears to resolve discrepancies between the statute description under 1798.125 (a) (1) (b) (1) and the previous definition in February’s proposed updates.
Further, the definition and interpretation of “personal information” (i.e., Section 999.302) have been deleted from Article 1, which initially proposed to serve as a balancing or clarification test for businesses to determine what constitutes “personal information.” The earlier proposed language was based on how a business maintains data, with the example of an IP address being reasonably linked to a consumer or household. With the elimination of the former guidance, the definition of “personal information” may seem less clear. However, with the clarification removed, the definition still defines whether information can be reasonably linked, directly or indirectly, with a particular consumer or household. The exclusion appears to align with the EU’s General Data Protection Regulation (GDPR) personal data definition, which details the context in which data is collected versus how a business maintains data under the CCPA.
The Opt-Out Button or Logo
In the February proposed regulation, the AG included a standardized logo or button to manage opt-out requests and to provide clarity around the required “Do Not Sell My Info” link. As a way to promote consumer awareness, the button included specifications such as size, font and design of a red “x” button (see sample below).
The button was removed in the updated proposed regulation, without alternatives. This seems counterintuitive, since the AG must “establish rules and procedures” for the “development and use of a … uniform opt-out logo or button…” (see 1798.185 (a) (4) (C). The updated proposed regulations deleted the button, yet the required “Do Not Sell My Personal Information” or “Do Not Sell My Info” titled links remain. We should see further developments in this area since the AG must provide clarity by July 1, 2020.
In February’s proposed regulations, there was an exemption, generally aimed at registered data brokers (who do not directly collect information from consumers), that detailed a notice to consumers upon collection of personal information. In the recent modifications, the exemption has been expanded to businesses that do not directly collect personal information from a consumer and do not sell the consumer’s data (see § 999.305 (d) and § 999.305 (e)).
Regarding Requests to Know, the recent modifications state that a business must inform the consumer “with sufficient particularity that is has collected the type of information.” The example given for a Request to Know is informing the consumer that it collects “unique biometric data, including a fingerprint scan.” However, in responding to a Request to Know, the business may not disclose the actual fingerprint data. This includes not disclosing within responses to consumers other sensitive data material like Social Security Numbers, financial account numbers, government-issued IDs and biometric data, among others.
In responding to Requests to Delete, the February proposed regulations required businesses to ask the consumer if they would also like to opt-out of the sale of their personal information if unexercised in conjunction with the Request to Delete. The current proposed regulation removes the requirement for businesses to inquire about opt-outs of the sale of the consumer’s personal information in tandem with the Request to Delete. However, if a business denies a consumer’s request to delete, and sells personal information, and the consumer has not exercised a request to opt-out, the business “shall ask the consumer if they would like to opt-out of the sale of their personal information…” (see § 999.313 (d) (7)).
The February proposed regulation offered circumstances under which service providers were restricted from “retaining, using, or disclosing personal information except to perform services specified in the written contract with the business that provided the personal information.” The updated regulation allows service providers to “build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source,” thereby clarifying acceptable uses of personal information by service providers (see § 999.314 (c) (3).
The AG was accepting written comments on these latest proposals with a deadline of March 27, 2020. With the Covid-19 events, this date may be extended and we will be sure to provide updates if it occurs.* Next, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. Subsequent, OAL will have 30 working days to determine whether the AG’s Final Statement of Reasons satisfies procedural requirements under California law. If met, the regulations will be adopted as final.
The proposed regulations are not final or official but do provide a roadmap for businesses to start implementing compliance measures. As recommended next steps, covered businesses, service providers and data brokers should scrutinize these changes because privacy policies, notices, consumer rights and contracts, including business processes, are all affected by modifications from the proposed regulations. It bears repeating that the CCPA is prone to change, in keeping with emerging data privacy trends around the world.
*Note: The California AG recently stated that his office is committed to enforcing the law, either upon upon finalizing the rules or July 1, 2020, whichever comes first (see article No Delay on CCPA Enforcement Amid COVID-19)