United States: Understanding What The Revised Draft CCPA Regulations Mean For Business

Key Points

• The California Attorney General Office (AGO) issued revised proposed regulations (Version 2) regarding the California Consumer Privacy Act on February 7, 2020. The AGO will collect comments on the revised regulations until February 25, 2020.
• Version 2 includes many changes and appears to respond to comments received on the prior version. Issues addressed in Version 2 include permitted uses of personal information by service providers, the appearance of the "Do Not Sell" logo, notice requirements for apps and more.
• There is still no clear indication of when the final regulations will be released. Given the issues that remain in Version 2, businesses should consider submitting comments.

I. Introduction

On February 7, 2020, the AGO released revised proposed regulations related to the California Consumer Privacy Act (CCPA) (Version 2). These are not the final regulations. Version 2 varies considerably from the initial proposed regulations (Version 1), undercutting statements by the Attorney General (here) that there was likely to be little change between Version 1 and the final regulations. Below, we analyze the changes.

The CCPA charges the AGO with promulgating regulations to implement the CCPA. The AGO issued its first version of proposed regulations (Version 1) in October 2019, which we analyzed here. Comments submitted during the following public comment period highlighted a variety of practical issues with Version 1. Many of the changes in Version 2 appear to address comments received during the initial comment period.

It is not clear when the AGO will issue final CCPA regulations. The public comment period for Version 2 will close on February 25. The timing and exact process for finalizing the CCPA regulations will depend, in part, on the AGO's response to the comments on Version 2. It could issue revised regulations or submit the final text of its proposed regulations to the Office of Administrative Law, which must approve the regulations before they take effect. Information on the rulemaking process can be found here.

II. Discussion of Revised Draft

Version 2 includes a number of important changes. As we did with the prior Version 1, below we provide a chart with a high-level summary of: (1) provisions that clarify or provide helpful operationalization guidance, (2) provisions that outline new requirements beyond the current terms of the CCPA or raise other issues, and (3) ambiguous or difficult issues that Version 2 either does not address or leaves unresolved.

Version 2 revises and/or adds several important definitions. Below, we walk through key changes. Text in red indicates text that was added to the proposed regulations in Version 2.

• Personal Information - Clarifies that whether information is "personal information," depends, in part, on how the information is maintained. Information is not "personal information" unless it is maintained in a manner that "identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular" California resident or household. It provides that IP addresses, for example, do not qualify as personal information if the IP addresses are not linked and could not reasonably be linked to a particular consumer or household. This guidance may have significant implications for business and could ease compliance costs.
• Household - Narrows the definition of "household" to mean people who (1) live at the same address, (2) share a common device or receive the same service from the business, and (3) are identified by the business as sharing the same account or unique identifier. This appears likely to help address some of the safety concerns raised by the prior definition, which categorized all people occupying a single dwelling as a "household." Other revisions in Version 2, together with the revised definition, appear geared toward limiting the ability of one member of a household to gather information on other members without the other members' knowledge.
• Employment-Related Information - Adds a new definition for "employment-related information" that aligns with the employee exemption in Section 1798.145 and provides that the collection of employment-related information is a "business purpose." This latter point provides a path to permit sharing employment-related information with service providers and may become more important should the employee exemption expire.
• Request to Know - Specifies that a "request to know" is a request that a business disclose personal information it "has collected" about the consumer, not just personal information that the business has on the consumer.
• Authorized Agent - Specifies that an "authorized agent" must be, among other things, registered with the California Secretary of State "to conduct business" in California. The lack of this specification in Version 1 had led to some confusion.
• Price or Service Difference - Targets the definition of "price or service difference" to mean a difference "related to the disclosure, deletion, or sale of personal information." This appears to limit the applicability of the related provisions in a manner that better aligns with legislative intent behind the non-discrimination provisions.
• Fixes for Minors - Provides that a "request to opt-in" is necessary from "a minor at least 13 and less than 16 years of age." This change fixes a gap in Version 1 that did not account for the need to seek opt-in consent from consumers in the 13 to 16 bracket. Version 2 also clarifies that "verification" includes verifying that a request submitted for a minor under 13 was submitted by the minor's parent or legal guardian.

To see the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.