On February 10, 2020, the California Attorney General's office released its latest version of the regulations implementing California's new data privacy law, the California Consumer Privacy Act (CCPA). These regulations modify the initial draft of CCPA regulations released by the Attorney General on October 10, 2019. The modified regulations are not final, and focus on implementing some of the public feedback received by the Attorney General following the publication of the initial draft last year. After further feedback, the Attorney General's office is expected to release final regulations in the next few months.

The CCPA is the strictest privacy law in the nation. It imposes significant obligations on companies with respect to the personal information of California residents. The law took effect on January 1, 2020, with enforcement delayed until July 1, 2020.

Some of the major changes to the proposed regulations include:

  • Notice Requirement for Changes in Use:  Setting a more lenient standard that notice is now required only if the new use of the consumer's information is "materially different" from the purpose originally disclosed.
  • Narrowing the Scope of "Personal Information":  Providing further guidance that data is not "personal information" covered by the CCPA simply because it falls within one of the categories enumerated in the statute; in any event the data must still be reasonably associated or reasonably linked to a person.  The regulations provide a clarifying example that an IP address is not "personal information" when a business collects it from its own website visitors, but does not link it to any particular customer or household and could not reasonably link it with a particular customer or household.
  • Clarifying the Definition of "Household":  The definition of "household" is now limited to a person or group of people who (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.  The amended proposed regulations also provide new requirements that businesses must meet before responding to requests to access and requests to delete originating from a household that does not have a password-protected account with that business, including that all members of the household must jointly make the request, that the business verify the identity of each member of the household and that the business verify that each member making the request is a current member of the household;
  • Opt-Out Button Design:  Introducing the following design of an opt-out button, which businesses may use in addition to posting a notice of a consumer's right to opt out of the sale of their personal information:

896164.jpg

  • Opt-Out and Third Parties:  Modifying the requirement to pass opt-out requests only to third parties to which the business sold personal information after the consumer's request has been made.
  • Notice Requirement for Mobile Users:  Requiring that when a business collects personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect, it must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. 
  • Service Provider Requirements:  Outlining five exceptions under which service providers may retain, use, or disclose personal information obtained while providing services; describing other compliance requirements—such as prohibiting service providers from selling data on behalf of a business after a consumer has opted out of the sale of their personal information with the business—and giving guidance for responding to a consumer's request to know or delete personal information; and clarifying that a service provider can use personal information to build or improve the quality of the service provider's services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.
  • Accessibility Requirements:   Proposing that the accessibility requirements for the notice at collection, the opt-out notice, the notice of financial incentive, and the privacy policy be based on "generally accepted standards" (citing as an example the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium).  
  • Increased Threshold for Reporting Metrics:  Increasing from 4,000,000 to 10,000,000 the threshold for the number of consumers whose personal information a business buys, sells, and shares for commercial purposes in a calendar year that triggers reporting metrics for the previous calendar year to the Attorney General and in the business's privacy policy on the number of requests to know, delete and opt-out that the business has received, complied with in whole or in part and denied, and the median number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
  • Email Only For Data Subject Requests For Exclusively Online Business:  Allowing a business that operates exclusively online and has a direct relationship with a consumer to provide only an email address for submitting requests to know, while requiring all other businesses to provide two or more designated methods for such requests.
  • Financial Incentives:  Describing several scenarios of when refusing a request to delete or terminating a consumer's participation in a loyalty or other financial incentive program offered by a brick-and-mortar or online because of a CCPA request may be discriminatory.
  • Search ObligationsDenying Consumers' Requests:  Introducing an exception as to when a business is required to search for a consumer's personal information in response to a consumer's request.  The exception applies if the business satisfies four conditions:  it does not maintain the personal information in a searchable or reasonably accessible format; it maintains it solely for legal or compliance purposes; it does not sell or use it for any commercial purpose; and it describes to the consumer the categories of records that may contain personal information that the business did not search because such personal information meets the preceding three conditions.

The modified regulations address some concerns of industry and clarify some ambiguities, but they will likely generate additional comments and concerns. In particular, the modified regulations do not provide specific guidance on what constitutes a sale and how the ad tech industry should implement policies and procedures to comply with the CCPA.   

The Attorney General is accepting written comments on the modified regulations.  All written comments must be submitted by 5:00 p.m. on February 25, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.