On March 11, 2020, California’s Office of the Attorney General (OAG) released a second set of proposed revisions to the California Consumer Privacy Act (CCPA) draft regulations originally released in 2019 (Proposed Regulations).
The latest revisions, available here, are substantial and come in response to public comments submitted to the OAG during a 15-day comment period that concluded in late February. The new revisions request additional comments from the public, to be submitted by March 27, 2020.
Below is an overview of new changes to the Proposed Regulations that, if adopted, could have a significant impact on businesses’ compliance efforts. These revisions cover the following topics:
- Notice at Collection of Personal Information
- Notice of Right to Opt-Out of Sale of Personal Information
- Privacy Policies
- Requests to Know and Requests to Delete
- Service Providers
Key Proposed Changes to CCPA Implementing Regulations
There are a number of newly proposed revisions to the definitions section set forth in Section 999.301 of the Proposed Regulations. Highlighted below are key definitions that relate to required consumer disclosures and actions businesses must take.
1. Triggering language for “financial incentives” and “price or service differences”: The definitions of both “financial incentives” and “price or service differences” are now tied to whether “a program, benefit, or other offering [or difference in the price or rate charged for a good or service] is related to the collection, retention or sale of personal information” instead of the “disclosure, deletion or sale of personal information.”
Businesses offering financial incentives are required to make a separate disclosure with details about the program and are prohibited from charging a different price or offering a different service in exchange for a consumer’s data unless that difference is reasonably related to the value of the data.
Businesses that rely on a previously made determination that they do not need to issue a notice of financial incentive or are not offering a “price or service difference” because their processing did not include the “disclosure, deletion or sale of personal information” should take careful note that the triggering behavior for such a disclosure has changed to the “collection, retention, or sale of personal information.”
2. Deletion of guidance on interpreting CCPA definitions: The new Section 999.302 introduced in the last round of revisions to offer additional clarity on whether information is “personal information” under CCPA, including an example related to the collection and use of IP addresses, has been deleted.
The removal of this interpretive guidance and the accompanying example leaves businesses with less information on what the Attorney General is likely to consider “reasonably capable of being associated with” an individual and thus qualify as “personal information” under the CCPA.
II. Notice to Consumers at Collection of Personal Information:
The latest revisions add information on how businesses should provide “Notice at Collection of Personal Information.”
New changes include:
1. No notice requirement for indirect collection of personal information by non-sellers: Businesses that “[do] not collect personal information directly from a consumer [do] not need to provide a notice at collection to the consumer” if they “do not sell the consumer’s personal information.”
III. Notice of Right to Opt-Out of Sale of Personal Information:
Regarding businesses’ compliance with the CCPA’s guarantee that consumers have the right to opt-out of the sale of their personal information, the new revisions include:
1. Removal of the example “Opt-Out Button or Logo”: Section 1798.185(4)(C) of the CCPA specifically tasks the OAG with adopting regulations “[f]or the development and use and a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.” The example of the opt-out button in the previous draft, as well as the accompanying guidance on how businesses that sell consumers’ personal information could implement the proposed button, has been removed.
As a result, while businesses that sell consumer data are still obligated to provide notice of the right to opt-out out of the sale of information, and comply with the requirement imposed by Section 1798.135(a) to submit a “clear and conspicuous link on the business’s Internet homepage titled “Do Not Sell My Personal Information,” there is no longer any guidance or example opt-out button for use on a business website.
IV. Privacy Polices:
For privacy policies, the latest revisions propose:
1. A requirement that businesses identify the categories of sources of personal information: Businesses must “identify the categories of sources from which personal information is collected.” The categories “must be described in a manner that provides consumers a meaningful understanding of the information being collected.”
Per the proposed definition found at Section 999.301(d), categories of sources “may include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.” It is important to note that this definition is non-exclusive, so businesses may have to provide additional information in order to make the disclosure “meaningful” to consumers.
2. A specific description of the business or commercial purpose for collecting or selling personal information: Businesses must identify the business or commercial purpose for collecting or selling personal information. The purposes must be described “in a manner that provides consumers with a meaningful understanding of why the information is collected or sold.”
While the Proposed Regulations do not define business or commercial purposes with any more specificity, Section 1798.140(d) of the CCPA defines a “business purpose” as “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.”
The CCPA further provides seven specific examples of business purposes, which can be accessed in full here. Without a separate definition in the proposed regulations, businesses may consider structuring their proposed purpose disclosures based on the example purposes provided in the statute itself.
3. A requirement that businesses describe the required opt-in processes if they have actual knowledge that they are selling the information of minors under 16 years of age.
This description must follow the processes described in Sections 999.330 and 999.331 of the Proposed Regulations. Section 999.331 requires that a business with actual knowledge that is selling the personal information of children between 13 and 16 years of age must “establish, document, and comply with a reasonable process for allowing such minors to opt-in to the sale of their personal information.”
V. Requests to Know and Requests to Delete:
The latest revisions propose several crucial clarifications to businesses’ obligations when responding to requests to know or delete, including the following:
1. A requirement to inform consumers that information that cannot be disclosed in response to a collection request has been collected: Businesses that collect information that cannot be disclosed in response to a request to know, such as a consumer’s Social Security Number, other government identification number, or other information prohibited by the regulations, must inform a consumer “with sufficient particularity” if it has collected that type of information when responding to a request to know (where the business would be prohibited from disclosing the information itself).
2. No requirement to ask consumers to opt-out of sales if responding to a deletion request: The requirement that businesses selling consumer information inquire whether a consumer requesting the deletion of their information would also like to opt-out of the sale of information (if the consumer has not already done so) has been removed.
3. A requirement that businesses denying a request to delete inquire if the consumer would like to opt-out of the sale of information: Businesses selling consumer information must now inquire whether a consumer requesting the deletion of their information would also like to opt-out of the sale of information (if the consumer has not already done so) if the business denies the consumer’s request to delete their information.
Businesses that have developed processes for responding to consumer requests to know and delete based on previous versions of the Proposed Regulations should take note of the specific information that must now be provided to a consumer in the event that a request to know is denied.
VI. Service Providers:
The latest revisions propose several changes regarding service providers:
Service provider permitted uses of personal information: The latest revisions alter the list of “permitted uses” of personal information that service providers receive from businesses in order to provide services, including:
- Replacing “To perform the services specified in the contract with the business” with “to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.”
- Changing Section 999.314(c)(3) of the Proposed Regulations to permit service providers to use personal information: “[f]or internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.” Altering the internal use permitted from “to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles” to include “to use in providing services to another business,” and replacing “cleaning” with “correcting” when referring to data acquired from another source.
The previous version of these permitted uses did not specify that only profiles created for use in providing services to another business were prohibited. Specifying that service providers may use information “for internal use by the service provider to build or improve the quality of its services” applies to building profiles, so long as the service is confined to the original business customer, is a major clarification from the earlier proposed regulations and a significant reduction in CCPA risk for many service providers in the consumer profiling space. Changing to “correcting and augmenting data acquired from another source” rather than “cleaning” avoided potentially creating confusion around what conduct would qualify as “cleaning,” a term not otherwise used or defined in the statute or regulations.
Businesses should continue to monitor changes and updates to the CCPA regulations and how the law and associated regulations are enforced and interpreted. The California Attorney General’s Office has indicated that the COVID-19 pandemic will not delay the beginning of CCPA enforcement, which remains set for July 1, 2020.