The California Attorney General ("AG") proposed additional modifications to proposed regulations for the California Consumer Privacy Act ("CCPA"), which went into effect on January 1, 2020, and will be enforced starting July 1, 2020.
The latest modifications are in response to public comments received to the previous iteration of proposed regulations released in February 2020 (see previous coverage). If accepted, the latest version of the proposed regulations would include:
- Backtrack on Internet Addresses as "Personal Information." The proposed regulations remove a clarification to the definition of "personal information" that would have seemingly carved out Internet Protocol (IP) addresses collected but not linked to a particular consumer or household.
- Partial Relief from Notice at Collection. A business that does not collect personal information directly from a consumer will not be required to provide a notice at collection to the consumer if it does not sell the consumer's personal information.
- Removal of Opt-Out Button. Apparently in response to criticism that the previously provided opt-out button template was confusing, the concept of an opt-out button was deleted entirely.
- Acknowledgement of Confidential Data Collection. While businesses shall not disclose a consumer's identification number, bank account number, account password or security information when responding to a request to know, they will be required to inform the consumer of the nature of such confidential data in its possession.
- Limits on Service Provider Activities. The latest proposed regulations further limit how service providers can process personal information on behalf of businesses or for internal use.
Comments on the proposed modifications must be submitted by March 27, 2020.
The good news is that these relatively minor revisions to the proposed regulations means that final CCPA regulations should not be far off. The bad news is that while these proposed regulations further clarify how consumer-facing business would comply with their mechanical obligations under the CCPA (e.g., rights of access, deletion, opt-out and notice) they do little to tackle the complexity and broad range of the law or to address concerns that financial institutions have in the commercial transaction context. For example, serious questions remain about the applicability of the CCPA to businesses that do not collect "consumer" personal information, the scope of exemptions for data subject to the Gramm-Leach-Bliley Act (GLBA) or the Fair Credit Reporting Act (FCRA), and how far the one-year exemption for certain business-to-business (B2B) communications can be stretched. Even in cases where these partial exemptions may apply to certain requirements under the CCPA, they may not provide financial institutions with complete coverage due to mismatches between how "personal information" is defined under the CCPA versus under the various banking laws. While final regulations for the CCPA may be forthcoming, it appears practitioners struggling with these issues will continue to do so until further legislative or regulatory guidance is provided.