Third Time’s the Charm? California AG Proposes Another Round of Modifications to CCPA Regulations

Overview


Just a month after the California Attorney General issued proposed modifications to the Proposed Regulations to facilitate the California Consumer Privacy Act’s (CCPA) implementation, the California Attorney General has issued a second set of proposed modifications. This second set of proposed modifications is in direct response to more than 100 comments that have been received, and includes a number of important clarifications and substantive changes to the Proposed Regulations.

In Depth


On February 10, 2020, the California Attorney General issued proposed modifications (Initial Modifications) to the October 10, 2019, Proposed Regulations (Proposed Regulations) to facilitate the implementation of the California Consumer Privacy Act (CCPA). This week, in another attempt to modify the Proposed Regulations, the California Attorney General issued a second set of proposed modifications (Current Modifications) in response to over 100 comments submitted in response to the Initial Modifications.

The Attorney General is accepting written comments to these Current Modifications until March 27, 2020.

The Current Modifications make several clarifications and substantive changes to the Proposed Regulations, including the following:

Notices

Privacy Policy

While the Initial Modifications eliminated some of the content requirements for privacy policies that had been included in the Proposed Regulations, the Current Modifications would restore some of those same content requirements and add new requirements. Under the Current Modifications, in addition to the other content requirements specified in the Proposed Regulations, a CCPA-compliant privacy policy would also need to identify:

  • The categories of sources from which the personal information is collected. The categories should be described in sufficient detail such that consumers have a meaningful understanding of the information being collected.
  • The business or commercial purpose for collecting or selling personal information. The purpose should be described in sufficient detail such that consumers have a meaningful understanding of why the information is collected or sold.

If the business has actual knowledge that it sells the personal information of minors under the age of 16, the privacy policy must include a description of the following processes for minors under 13 years of age, and minors 13 to 16 years of age:

  • The processes for opting-in to the sale of personal information.
  • The requirement to inform parents or guardians of children under the age of 13 (or to inform minors between 13–16 years of age) of the right, and process, to opt-out once they have opted-in.
  • The method for verifying that the person submitting a request to know or delete the personal information of a child is the parent or guardian.

Notice at Collection

The Current Modifications clarify that a business that does not collect personal information directly from a consumer would not be required to provide a notice at the point of collection if the business does not sell the consumer’s personal information.

Data Brokers

A data broker that is registered with the Attorney General would not need to provide a notice at the point of collection if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out. The Initial Modifications limited this right only to those businesses that did not collect information directly from consumers. The Current Modifications deleted that limitation.

Employee Data

The Initial Modifications specified that the notice at collection of employment-related information could, in lieu of a link or URL to the business’s consumer privacy policy, include a link to, or paper copy of, its privacy policies for job applicants, employees and contractors. The Current Modifications struck this language. Instead, under the Current Modifications, a business collecting employment-related information would not be required to provide a link to the business’s privacy policy at the point of collection. Businesses collecting employment-related information would otherwise need to comply with the remainder of the requirements for notice at the point of collection.

Do Not Sell/Requests to Opt-Out

The Initial Modifications attempted to provide clarity around the manner in which the “Do Not Sell” link should be displayed to consumers by revealing the design of a red x button, which would need to be in the same font size, and to the left of, the “Do Not Sell My Info” link. There was some controversy around the design of the red x button, because it was unclear whether the button would be activated when the red x was shown, or whether the consumer would need to take additional actions to restrict the sale of their personal information. In light of this confusion, the Current Modifications deleted the red x button in its entirety. The other Initial Modifications regarding specifics of “Do Not Sell” remain unchanged.

Addressing user-enabled global privacy controls, the Current Modifications delete the prior version’s obligation that any privacy control require consumers to affirmatively select their choice to opt-out. The Current Modifications also remove the earlier prohibition on designing privacy controls with any pre-selected settings. In other words, any privacy control mechanism only needs to clearly communicate or signal the consumer’s intent to opt-out of the sale of their personal information.

Financial Incentives

The Proposed Regulations, as modified by the Initial Modifications, permitted a business to avoid providing a notice of financial incentive if the business did not offer a financial incentive, or a price or service difference related to the disclosure, deletion or sale of personal information. The Current Modifications now make this exemption applicable only to businesses that do not offer a financial incentive, or price or service difference related to the collection, retention or sale of personal information. “Collection” and “retention” were added to this section, while “disclosure” and “deletion” were deleted. This change would narrow the number of businesses required to provide a notice of financial incentive. When calculating the value of data, the Current Modifications clarify that the business can consider the value to the business of the personal information of all natural persons in the United States, not just consumers (which the CCPA defines as California residents).

Consumer Rights

Requests to Know

Although a business would be prohibited under the Current Modifications from disclosing certain sensitive information in response to requests to know (such as SSN, driver’s license number, financial account number, health insurance or medical ID number, account passwords, security questions and biometric data), the business would still be required to inform the consumer that it has collected the type of information, with sufficient particularity. For example, a business shall respond that it collects unique biometric data, including a fingerprint scan, without disclosing the actual fingerprint scan data.

Requests to Delete

With respect to those consumers making requests to delete their personal information who have not also made a request to opt-out of the sale of their personal information, the Current Modifications remove the obligation for a business to ask those consumers if they would like to opt-out, as well as the obligation to include either the contents of, or a link to, the notice of the right to opt-out. However, if a business that denied a request to delete personal information subsequently sells personal information, and the consumer has not already requested to opt-out, the business must ask the consumer if they would like to opt-out of the sale, and must include either the contents of, or a link to, the notice of the right to opt-out.

Service Providers

The Initial Modifications proposed restricting service providers from retaining, using or disclosing personal information except to perform services specified in the written contract with the business that provided the information. The Current Modifications would change this restriction to limit a service provider from retaining, using or disclosing personal information except to process or maintain such information on behalf of the business that provided the information, or that directed the service provider to collect the information, in compliance with the written contract required by the CCPA.

Other Changes

  • Record-Keeping: The Current Modifications clarify the threshold for businesses to be subject to the obligation to compile metrics on requests to know, delete and opt-out; the obligation is triggered if the business knows or reasonably should know that it purchases, receives, sells or shares the personal information of 10,000,000 or more consumers.
  • Authorized Agent: The Current Modifications remove the requirement that permission for an agent to submit a request to know or delete be in writing, although a signed permission is still required. Although the proposed change does not expressly permit electronic signatures, one can presume that is the intent behind striking the obligation to be in writing. In addition, the Current Modifications would extend the prohibition on requiring consumers to pay a fee for the verification of their requests to know or delete to a consumer’s authorized agent.

NEXT STEPS

The deadline for written comments is March 27, 2020. We will continue to monitor this rapidly—and repeatedly—changing regulatory environment.