CCPA Update: Attorney General Makes Another Move with Revised Proposed Regulations
The Attorney General published Initial Proposed Regulations on October 11, 2019, to implement the requirements of the CCPA. Following the initial comment period, the Attorney General has come forward with an updated version through the Revised Proposed Regulations, made public on Friday, February 7, 2020 (with an additional update sent out on February 10, 2020). Both the prior Initial Proposed Regulations and the new Revised Proposed Regulations can be found on the Attorney General’s website.
What Has Changed?
Although a substantial portion of the changes are minor clarifications and much of the text remains the same, the major updates are noted below, in the order in which they appear in the Proposed Regulations.
A significant update is that an IP address isn’t personal information if a business does not link the IP address to any particular consumer or household. Previously, an IP address alone was considered an identifier that would count as personal information under the CCPA. The Revised Proposed Regulations clarify that whether information is personal information depends on whether the business maintains it in a manner that can be associated with a particular consumer or household. If it does not, then information such as an IP address is not personal information under the CCPA. Note that the test is how the business actually maintains the data, so a business that stores IP addresses alongside account identifiers or other linked records would not benefit from this clarification.
Access for consumers with disabilities needs to follow generally recognized industry standards. In particular, the Attorney General recommends the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, from the World Wide Web Consortium (W3C). The prior draft already required that privacy disclosures be accessible; the specific reference to WCAG gives more clarity, though WCAG conformance has long been the standard for website accessibility.
Notice at collection must now be given at or before the point of collection. In addition to the link on the homepage, whenever information is collected, the Revised Proposed Regulations require that businesses provide a link at or before the point of collection to a notice describing the categories of personal information collected and how the personal information will be used. For mobile applications, businesses may provide a link to the notice on the application’s download page and within the app through the settings menu. Additionally, whenever a business collects personal information from a mobile device for a purpose that a consumer wouldn’t reasonably expect, the business must provide a just-in-time notice, which may be a pop-up window. The Attorney General’s example of an unexpected purpose is a flashlight app that collects geolocation information. This largely mirrors past FTC guidance.
We now have the opt-out button. The CCPA requires a link labeled “Do Not Sell My Personal Information” or “Do Not Sell My Information” for consumers to be able to opt-out of any “sale” of their data. As a reminder, a “sale” under the CCPA includes an exchange of personal information “for monetary or other valuable consideration.” The button provided by the Attorney General is as pictured below:
Businesses are required to calculate the value of personal information for financial incentives. If the financial incentive isn’t reasonably related to the value of the personal information, it can’t be offered. A business that offers financial incentives related to the disclosure, deletion, or sale of personal information must provide a notice describing the material terms of the incentive and the value of the consumer’s data. If the business cannot calculate a good-faith estimate of the value of the personal information, or cannot show that the price or service difference is “reasonably related” to that value, then the business must refrain from offering the financial incentive.
You may only be required to provide an email address for consumers to submit requests to know. While the Initial Proposed Regulations stated that websites must provide a webform, the Revised Proposed Regulations indicate that a business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting requests to know. At least two methods must still be provided for consumers to submit requests to delete, but this is a welcome update.
A business is no longer required to use a two-step process for online requests to delete. Previously, businesses were required to use a two-step process to honor requests to delete. The Revised Proposed Regulations state that a two-step process may be used, but is no longer required.
Response times are clarified: 10 business days for the initial response and 45 calendar days for the full response. When businesses respond to requests to know or requests to delete, they should keep the timing requirements in mind. The Attorney General has clarified that the initial response (confirming receipt of the request) must be provided within 10 business days, whereas the full response to a request to know or a request to delete must be provided within 45 calendar days. If needed, businesses may take an additional 45 calendar days, for a maximum of 90 calendar days from receipt. Lastly, requests to opt-out must be processed no later than 15 business days from the date of receipt. Note that the two clocks use different units: the initial-response and opt-out deadlines are counted in business days, while the full-response deadline is counted in calendar days.
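Because the deadlines mix business days and calendar days, a request-tracking workflow needs a small amount of date logic to get them right. The following is an added example, not code from the Attorney General or from the original post; it assumes that a business day is Monday through Friday, that counting starts the day after receipt, and that any holidays to be skipped are supplied by the caller (the post does not say which, if any, are excluded). The function and constant names are the author’s own.

```python
from datetime import date, timedelta
from typing import Dict, FrozenSet

# Deadlines as summarized in the post (constant names are hypothetical).
INITIAL_RESPONSE_BUSINESS_DAYS = 10   # acknowledge a request to know or to delete
FULL_RESPONSE_CALENDAR_DAYS = 45      # substantive response
EXTENDED_RESPONSE_CALENDAR_DAYS = 90  # ceiling if the additional 45 days are taken
OPT_OUT_BUSINESS_DAYS = 15            # act on a request to opt-out


def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Return the date n business days after ``start``.

    Assumption: a business day is Monday through Friday and not in ``holidays``.
    Counting begins on the day after ``start``.
    """
    if n < 0:
        raise ValueError("n must be non-negative")
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            n -= 1
    return current


def ccpa_deadlines(received: date, request_type: str, extended: bool = False,
                   holidays: FrozenSet[date] = frozenset()) -> Dict[str, date]:
    """Compute the response deadlines for one consumer request.

    ``request_type`` is "know", "delete" or "opt_out".  ``extended`` applies
    the additional 45 calendar days that requests to know or delete may take.
    """
    if request_type == "opt_out":
        return {"process_by": add_business_days(received, OPT_OUT_BUSINESS_DAYS, holidays)}
    if request_type not in ("know", "delete"):
        raise ValueError(f"unknown request type: {request_type!r}")
    full_days = EXTENDED_RESPONSE_CALENDAR_DAYS if extended else FULL_RESPONSE_CALENDAR_DAYS
    return {
        "initial_response": add_business_days(received, INITIAL_RESPONSE_BUSINESS_DAYS, holidays),
        "full_response": received + timedelta(days=full_days),
    }


def overdue(deadlines: Dict[str, date], today: date) -> Dict[str, int]:
    """Map each deadline name to the number of days it is past due (0 if not yet due)."""
    return {name: max(0, (today - due).days) for name, due in deadlines.items()}


if __name__ == "__main__":
    received = date(2020, 2, 10)  # constructed sample: a Monday
    for kind in ("know", "delete", "opt_out"):
        print(kind, ccpa_deadlines(received, kind))
    print("delete (extended)", ccpa_deadlines(received, "delete", extended=True))
    print("overdue on 2020-04-01:", overdue(ccpa_deadlines(received, "know"), date(2020, 4, 1)))
```

For a request received on Monday, February 10, 2020, this yields an initial-response deadline of February 24, a full-response deadline of March 26 (May 10 if extended), and an opt-out deadline of March 2; passing a Presidents’ Day holiday of February 17 pushes the business-day deadlines out by one day.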
A business no longer has to search for personal information in response to a request to know if certain conditions are met regarding how it maintains and uses that information. The business isn’t required to search if it meets all four conditions: it doesn’t maintain the personal information in a searchable or reasonably accessible format; it maintains the personal information solely for legal or compliance purposes; it doesn’t sell the personal information or use it for any commercial purpose; and it describes to the consumer the categories of records that may contain the personal information that it didn’t search because of these conditions.
When a business that sells personal information denies a request to delete, it must ask the consumer whether they want to opt-out. Previously, a business was required to automatically treat an unverifiable request to delete as a request to opt-out. Now, if the business sells personal information, it must instead ask the consumer whether an opt-out is desired.
A service provider may either respond to a consumer request directly or inform the consumer that it is a service provider and cannot act on the request. Notably, even if a service provider chooses to direct the request to the business with which the consumer has the main relationship, the service provider still needs to respond to the consumer. This may speed up response times, as otherwise the consumer would be waiting for a response from the business after it receives the request from the service provider. Businesses and service providers are still encouraged to agree to specific contractual terms to ensure that CCPA timing requirements are met for all requests.
Businesses must treat user-enabled global privacy controls, such as a browser plugin or privacy setting, as a request to opt-out of the sale of personal information. This affects whether businesses will have to honor Do-Not-Track settings. To qualify, the privacy control must clearly communicate or signal that the consumer intends to opt-out of the sale of personal information, and it must require the consumer to affirmatively select the opt-out, as opposed to relying on pre-selected default settings. Businesses will therefore need to consider how their websites detect such signals and how they treat a signal whose origin (an affirmative user choice versus a default) cannot be determined from the request alone.
Additional metrics are required if you have the personal information of 10,000,000 or more California consumers. The prior requirement to publish metrics about consumer requests applied to businesses that have the personal information of 4,000,000 or more California consumers. Raising the threshold from 4,000,000 to 10,000,000 means that fewer businesses will have to disclose metrics about the consumer requests they process.
An authorized agent must have “reasonable security.” There is some uncertainty regarding who may act as an authorized agent. The added requirement that authorized agents implement and maintain reasonable security procedures and practices to protect consumer information suggests that authorized agents would not be informal contacts such as family members or friends. This is an area where many will want further guidance, as the current language leaves the question open.
What to Do?
If you have privacy policies and internal procedures that were crafted with the Initial Proposed Regulations in mind, consider whether they need to be revised to incorporate the changes in the Revised Proposed Regulations.
The Attorney General will accept comments on this latest version of the Proposed Regulations. The deadline to submit written comments is fast approaching: February 25, 2020 at 5 p.m. PST. If you are considering submitting a comment, review the Department of Justice’s “Tips for Submitting Effective Comments” first.
Written comments may be submitted by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013