CCPA Update: Hang Tight, More Changes Afloat

The California Consumer Privacy Act (CCPA) is the landmark privacy law in the US that formally went into effect January 1, 2020, and provides California residents with rights regarding the collection, use, and sharing of their personal information. The California Attorney General published Initial Proposed Regulations on October 11, 2019, to implement the requirements of the CCPA.

After receiving comments on the Initial Proposed Regulations, the Attorney General came forward with updated “Modified Proposed Regulations” on February 7 and 10 of this year (February Proposed Regulations). After receiving another round of about 100 comments in response to the February updates, the Attorney General issued further updates in the “Second Set of Modified Regulations,” released March 11, 2020 (March Proposed Regulations). The final regulations from the Attorney General are expected before enforcement begins July 2020 (Final Regulations). All versions of the Proposed Regulations along with helpful redlines can be found on the Attorney General’s website here.

What Has Changed?

The major rights and requirements from the Initial and February Proposed Regulations remain in place. Though not comprehensive, below are the more significant updates to note. The overview of the updates is grouped together by topic headings.

Financial Incentive Programs

Updated definitions of “financial incentive” and “price or service difference”: Both the terms “financial incentive” and “price or service difference” have updated definitions that replace “disclosure, deletion, or sale” of personal information with the “collection, retention, or sale” of personal information. This means that if a business offers a program, benefit, or other offerings related to the collection, retention, or sale of consumers’ personal information, notice and disclosures about the price or service difference must be provided. This affects a larger scope of businesses than the previous definition. For example, many websites will offer 10% off when consumers submit their emails and sign up for subscription lists. Those businesses will now have to offer notice of financial incentives.

Updated value calculation for notice of financial incentive: When calculating the value of data for disclosure in a notice of financial incentive, businesses may consider the value of all natural persons in the United States, and not just the value to the business of California resident data.

Opt-Out Button

Opt-out button is gone: The opt-out of sales icon released in the February Proposed Regulations has gone, poof! It was a short-lived, one-month suggestion from the Attorney General. Although the opt-out button is deleted, for now, a future version is still likely to appear in the final regulations given that the CCPA text requires the Attorney General to develop a recognizable and uniform opt-out of sale logo or button.

Notice At Collection

Fewer notice requirements for service providers: Businesses that do not directly interact with consumers have one less requirement with which to comply. The March Proposed Regulations remove the requirement to provide notice at collection for those businesses that (i) do not collect personal information directly from a consumer and (ii) do not sell the consumer’s personal information. The business should still provide a privacy policy on its homepage.

Employment notice: The March Proposed Regulations clarify that a notice provided for collection of employment-related information does not need to provide a link to the business’s general privacy policy.

Privacy Policy Content

Source information needed: A business does need to provide information about the categories of sources from which it collects personal information. Some businesses may have been looking forward to slightly shorter privacy policies from not having to disclose the sources of personal information, but the March Proposed Regulations put the requirement for source categories back in place. Now, information about sources of personal information must be provided in privacy policies in a way that provides “meaningful understanding.”

Purpose information also needed: Related but less exciting, the March Proposed Regulations revisions also clarify that the business or commercial purpose must be described in a way that provides “meaningful understanding” as well.

Explain opt-in for sale of personal information of minors under 16: If a business has actual knowledge that it sells the personal information of minors under 16 years old, the business needs to provide a description of the process for opting-in to sale of personal information and the process for opting-out at a later date in the privacy policy.

Sensitive Personal Information

Tell the data subject if the sensitive personal information exists and what it is: In response to a Right to Know request, a business needs to tell data subjects if sensitive personal information exists in their records, even if the business doesn’t give the data subject a copy of the data itself. For example, if a business collects social security numbers, it must respond to a Right to Know request with sufficient particularity that a social security number is collected, without providing the exact number.

Right to Delete Triggers Offer to Opt-Out, Sometimes

If a Request to Delete is denied, ask data subjects if they want to submit a Request to Opt-out: The Proposed Regulations have consistently attempted to have the Right to Opt-Out of Sale accompany any Requests to Delete. The March Proposed Regulations include a common-sense tweak. For businesses that (i) sell personal information and (ii) deny a consumer’s Request to Delete, the business is required to ask the consumer if they would like to submit a Request to Opt-Out of Sale.

Authorized Agents

Authorized agents get additional help: The March Proposed Regulations make the verification process easier for authorized agents in two ways.

  • First, the verification process needs to remain free, and businesses can’t make agents pay to verify their identity. 
  • Second, consumers can direct authorized agents to act on their behalf through signed (either physically or electronically) permission. The March Proposed Regulations delete the requirement of “written” permissions and require just “signed” permissions. This makes it clear that authorized agents can receive permission in an electronic format, as “written” had previously suggested that hardcopy, written permissions would be required. 

The CCPA Definition of Personal Information is Maintained

Examples provided to clarify what is/is not PII were removed: The original definition of “personal information” as defined in the CCPA is maintained. The February Proposed Regulations added a major change with a new section stating that information, most notably IP addresses, would not be considered personal information if the business maintained it in a way that could not be reasonably linked to a particular consumer or household. In deleting the language, the March Proposed Regulations seemingly go back to the CCPA text that strictly holds that any information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household is indeed personal information.

Browser Setting Requirement Isn't Going Away

Opt-out of sale browser settings do not need affirmative selection: Businesses must treat user-enabled global privacy controls, such as browser plugins or privacy settings, device settings, or other mechanisms that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request submitted for that browser, device, or if known, for the consumer. The March Proposed Regulations remove an exemption that required privacy controls to have consumers make an affirmative selection. Now, pre-selected settings are permitted. It will be interesting to see if the requirement regarding browser settings as opt-out methods will be further modified in the Final Regulations since it is a significant departure from previous requirements and industry standards.

Businesses Are Expected to Reasonably Know Whether the Business Has the Personal Information of 10 Million+ California Residents

Businesses should know how much personal information they hold: Previously, a business was only required to provide metrics where it had actual knowledge that it processes the data of 10 million or more California residents in a calendar year. The March Proposed Regulations have expanded the standard to include where a business “should have known” as well.

What to Do?

If your business has privacy policies and internal procedures that have been crafted with consideration of the previous versions of the Proposed Regulations, you may consider whether you will need to revise them to incorporate the changes from the March Proposed Regulations. And with subsequent changes coming at this rate, it may be worth considering some flexibility in implementation before systems are more concretely finalized.

The Attorney General will accept comments on the March Proposed Regulations. The deadline to submit written comments is fast approaching on Friday, March 27, 2020, at 5 p.m. PST. If considering a comment for submission, please review the “Tips for Submitting Effective Comments” by the Department of Justice, available here.

Written comments may be submitted by email to PrivacyRegulations@doj.ca.gov, or by mail at the address listed below.

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
