Recently, the California Consumer Privacy Act ("CCPA") regulations were modified by the California Attorney General for a second time. These modifications are an attempt to address issues raised by approximately one hundred comments that followed the release of the Modified Draft Regulations on February 7, 2020. The California Attorney General is accepting written comments on the latest modifications until March 27, 2020. All of these measures are being taken to ensure that businesses have a clear understanding of what the CCPA regulations require before the enforcement date of July 1, 2020.
What are the mostrecent modifications to the CCPA regulations?
The California Attorney General has provided text of the modified CCPA regulations that illustrates all of the changes that have been made since release of the CCPA regulations on October 11, 2019. Some of the important new modifications that businesses should be aware of include:
- Section 999.302, which had provided guidance on the interpretation of what "personal information" is within the meaning of the CCPA, has been deleted. The guidance had attempted to clarify the CCPA definition of "personal information" by explaining that an IP address, for example, would not be deemed "personal information" if that IP address could not be reasonably linked to any particular consumer or household. Without this guidance, businesses are left with interpreting section 1798.140 (o) of the CCPA for purposes of determining whether they are collecting, sharing and/or selling "personal information."
- The CCPA requires businesses to provide consumers with notice of the personal information that is collected from them at or before the point of collection. The new modifications provide clarification that businesses that collect personal information from third parties (and not directly from consumers) do not need to provide notice at collection unless they are selling consumer personal information.
- Businesses are no longer required to include links to their privacy policies in notices at collection for prospective employees and contractors.
- The original modifications had deleted the requirement that businesses must disclose in their privacy policies, by category, the purposes for which data is collected, the sources of data, and the third parties with which data is shared. The new modifications reintroduce that businesses must identify the categories of sources and the business or commercial purpose for collecting or selling personal information, but allows for the categories to be listed generally, rather than specifically by category of personal information.
- The new modifications have eliminated the (unpopular) uniform opt-out button or logo, but still require businesses to provide consumers with notice of the right to opt-out of the sale of their personal information.
- When responding to requests to know, businesses would now be required to disclose when they have collected highly sensitive information from consumers, such as consumers' Social Security Numbers and drivers license numbers, without actual disclosure of the subject sensitive information.
- Under the initial version of the regulations, businesses that were unable to verify a consumer's identity in connection with a deletion request were required to opt that consumer out from the sale of her/his personal information automatically. The first modification removed that automatic opt-out, allowing businesses to ask whether the consumer would like to opt out of sale. Under this second modification, businesses would now be required to ask consumers whether they would like to opt out of sale only if the consumers had not already opted-out.
- Under the original modifications, service providers were allowed to retain, use or disclose personal information to provide the services specified and in compliance with, written contracts with their business customers who collected and provided them with California consumer information. The new modifications expand this exception, allowing service providers to retain, use or disclose personal information to process or maintain personal information on behalf of businesses that provided the personal information, or that directed service providers to collect the personal information, and in compliance with written contracts. The new modifications also clarify that a service provider may use consumer personal information: 1) to build or improve on the quality of its services, "provided that the use does not include building or modifying household or consumer profiles to use in providing services" to other businesses; or 2) for purposes of "correcting" or augmenting data acquired from another source.
- The new modifications add the exception that "information retained for record-keeping purposes shall not be shared with any third party except as necessary to comply with a legal obligation." For example, if someone alleges that consent was not properly obtained under the Telephone Consumer Protection Act ("TCPA"), such records may be presented as part of a legal proceeding or investigation to provide evidence of consent.
Complying with CCPA Regulations
We will continue to provide any updates on the CCPA regulations as they are released by the California Office of the Attorney General. In the interim, businesses should be working diligently to make sure that they are up to date with the latest CCPA regulations.
Related Blog Posts:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.