Risk and Compliance

Updates, Changes from the California Attorney General to the Proposed Text of CCPA Regulations

Ron Naulls
April 1, 2020
8 min read

Since the California Attorney General (AG) released proposed regulations back in October, and our comprehensive blog in February, keeping up with the California Consumer Privacy Act (CCPA) can be a challenge.  The proposed regulations have changed twice, with the first proposed modifications in February and the second set about a month later on March 11.

Even though enforcement will not begin until July 1, 2020, consumers are still able to submit requests to “know” or “delete” to covered entities. On the other hand, there is a coalition pushing for delayed enforcement of the CCPA due to recent events around COVID-19. This post highlights the changes between the first and second sets of modifications, including additions and deletions, since our February report. The modifications are somewhat minor with technical tweaks and a few exceptions.

What has changed?

Article 1 has undergone some minor changes with the addition of more definitions, such as the Children’s Online Privacy Act (COPPA), employment benefits and employment-related information, along with the definition around the “value of the consumer’s data.” These are all important because it reiterates the AG’s focus and stance on minor data, the development of employee data handling and the emergence of organizations applying and calculating monetary value to a consumer’s data.

The updated rules require businesses who have “actual knowledge” of their minor data collection practices to provide additional disclosures in the online privacy notice around the collection of personal information of individuals under 16 years of age.

For employment-related information, businesses that collect this type of data must still provide notice upon collection, although a “Do Not Sell My Info” link or a notice to online privacy policies for employees and contractors is no longer required. This includes not having to provide weblinks to a business’s privacy policies for job applicants.

Financial incentives changed from the previous definition and now include payments or offerings to consumers “as compensation, for the disclosure, deletion, or sale of personal information” to payments or offerings that are “related to the collection, retention, or sale of personal information.” The new language adds “collection” and “retention” with “disclosure” and “deletion” removed in the updated definition. The change appears to resolve discrepancies between the statute description under 1798.125 (a) (1) (b) (1) and the previous definition in February’s proposed updates.

Further, the definition and interpretation of “personal information” (i.e., Section 999.302) have been deleted from Article 1, which initially proposed to serve as a balancing or clarification test for businesses to determine what constitutes “personal information.” The earlier proposed language was based on how a business maintains data, with the example of an IP address being reasonably linked to a consumer or household. With the elimination of the former guidance, the definition of “personal information” may seem less clear. However, with the clarification removed, the definition still defines whether information can be reasonably linked, directly or indirectly, with a particular consumer or household. The exclusion appears to align with the EU’s General Data Protection Regulation (GDPR) personal data definition, which details the context in which data is collected versus how a business maintains data under the CCPA.

The Opt-Out Button or Logo

In the February proposed regulation, the AG included a standardized logo or button to manage opt-out requests and to provide clarity around the required “Do Not Sell My Info” link. As a way to promote consumer awareness, the button included specifications such as size, font and design of a red “x” button (see sample below).

The button was removed in the updated proposed regulation, without alternatives. This seems counterintuitive, since the AG must “establish rules and procedures” for the “development and use of a … uniform opt-out logo or button…” (see 1798.185 (a) (4) (C). The updated proposed regulations deleted the button, yet the required “Do Not Sell My Personal Information” or “Do Not Sell My Info” titled links remain. We should see further developments in this area since the AG must provide clarity by July 1, 2020.

Consumer Rights

In February’s proposed regulations, there was an exemption, generally aimed at registered data brokers (who do not directly collect information from consumers), that detailed a notice to consumers upon collection of personal information. In the recent modifications, the exemption has been expanded to businesses that do not directly collect personal information from a consumer and do not sell the consumer’s data (see § 999.305 (d) and § 999.305 (e)).

A business must still provide consumers a comprehensive description of its online and offline personal information data collection practices within the business’s online privacy policy (see § 999.308). The privacy notice must describe the collection, use, disclosure and sale of personal information and the rights of consumers regarding their personal information. The differences between the regulations proposed in February to March include adding the need to identify the categories of sources from which the personal information was collected, along with describing the information collected in a “meaningful understanding” to consumers, including the business or commercial purpose for collecting or selling personal information. The notice requirement still applies to employment-related information, albeit without requiring a link to the privacy policy.

Regarding Requests to Know, the recent modifications state that a business must inform the consumer “with sufficient particularity that is has collected the type of information.” The example given for a Request to Know is informing the consumer that it collects “unique biometric data, including a fingerprint scan.” However, in responding to a Request to Know, the business may not disclose the actual fingerprint data. This includes not disclosing within responses to consumers other sensitive data material like Social Security Numbers, financial account numbers, government-issued IDs and biometric data, among others.

In responding to Requests to Delete, the February proposed regulations required businesses to ask the consumer if they would also like to opt-out of the sale of their personal information if unexercised in conjunction with the Request to Delete. The current proposed regulation removes the requirement for businesses to inquire about opt-outs of the sale of the consumer’s personal information in tandem with the Request to Delete. However, if a business denies a consumer’s request to delete, and sells personal information, and the consumer has not exercised a request to opt-out, the business “shall ask the consumer if they would like to opt-out of the sale of their personal information…” (see § 999.313 (d) (7)).

Service Providers

The February proposed regulation offered circumstances under which service providers were restricted from “retaining, using, or disclosing personal information except to perform services specified in the written contract with the business that provided the personal information.”  The updated regulation allows service providers to “build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source,” thereby clarifying acceptable uses of personal information by service providers (see § 999.314 (c) (3).

Record-Keeping

The threshold obligation for reporting and compiling metrics on requests to know, delete and opt-outs increased from 4 million or more consumers to 10 million. In sum, businesses that “know or reasonably should know” that it alone or in combination, buys or receives for the business’s commercial purposes, sells, or shares the personal information of 10 million or more consumers are subject to compiling metrics and disclosing this information within the online privacy policy or posted on the organization’s website.

Conclusion

The AG was accepting written comments on these latest proposals with a deadline of March 27, 2020. With the Covid-19 events, this date may be extended and we will be sure to provide updates if it occurs.* Next, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. Subsequent, OAL will have 30 working days to determine whether the AG’s Final Statement of Reasons satisfies procedural requirements under California law. If met, the regulations will be adopted as final.

The proposed regulations are not final or official but do provide a roadmap for businesses to start implementing compliance measures. As recommended next steps, covered businesses, service providers and data brokers should scrutinize these changes because privacy policies, notices, consumer rights and contracts, including business processes, are all affected by modifications from the proposed regulations.  It bears repeating that the CCPA is prone to change, in keeping with emerging data privacy trends around the world.

*Note: The California AG recently stated that his office is committed to enforcing the law, either upon upon finalizing the rules or July 1, 2020, whichever comes first (see article No Delay on CCPA Enforcement Amid COVID-19)

Ron Naulls

Senior Manager
Technology Consulting - Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More