On March 11, 2020, California’s Office of the Attorney General proposed a second set of revisions to the draft California Consumer Privacy Act (CCPA) regulations. The draft regulations were first published on October 11, 2019, and summarized in our previous Alert. The most recent changes come on the heels of the first set of modifications to the regulations, released on February 10, 2020, which were summarized in a separate Alert.
The deadline for providing comments to the second set of modified proposed regulations is March 27, 2020.
Overall, most of the changes were of a technical nature and not substantive. This Alert highlights the notable changes.
Removal of Definitional Guidance Section
The section titled “Guidance Regarding the Interpretation of CCPA Definitions” was removed. The section, included for the first time in the modified regulations released on February 10, 2020, was the subject of numerous comments received by the attorney general’s office, particularly from consumer advocacy groups opposed to it. The now-removed guidance appeared to narrow the definition of “personal information” by confirming that the manner in which the information is maintained by a business could result in the information being outside the scope of the definition of personal information.
Businesses Not Collecting Information Directly from Consumers
The initial proposed regulations exempted businesses from providing notice at the point of collection if they did not collect information directly from consumers. They did, however, require certain opt-out disclosures prior to the sale of any of that information (§ 999.305(d),(e)). The February 10 revised regulations eliminated these special opt-out disclosures if the business registered as a data broker and included in its registration submission a link to its online privacy policy (the privacy policy must include instructions on how a consumer can opt out of the sale of their personal information). Under California law, a data broker is defined, with limited exceptions, as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship” (Cal. Civ. Code § 1798.99.80 et seq.). Data brokers are now required to register with the California attorney general.
The February 10 revisions did not address other businesses that do not collect information directly from consumers. The March 11 revised regulations appear to close this gap and confirm that a business that does not collect personal information directly from consumers and does not sell that personal information (and is not required to register as a data broker) is not required to provide notice at the point of collection (§ 999.302(e)).
Financial Incentives Refocused on Collection and Retention of Personal Information
The revised regulations modify the definitions relating to financial incentives to focus on the collection and retention of personal information rather than the disclosure or deletion of personal information (§§ 999.301(j),(o); 999.307). As a result, any financial incentive program that relates to the collection or retention of a consumer’s personal information, even if that information is not disclosed or sold, is covered. Financial incentive programs relating to the sale of personal information remain covered under the revised regulations. In addition, when calculating the value of consumer data for purposes of offering a financial incentive or a price or service difference, a business is now limited to considering the value of the data of natural persons in the United States, as opposed to globally (§ 999.337(b)).
Additional Privacy Policy Requirements for the Sale of the Personal Information of Minors
Under the March 11 revised regulations, if a business has actual knowledge that it sells personal information of minors under the age of 16, the business must include in its privacy policy a description of its opt-in processes (§ 999.308(c)(9)).
Responding to Requests to Know Certain Sensitive Data
The March 11 revised regulations provide guidance for responses to a consumer “request to know” involving certain sensitive data. While a business may not disclose a consumer’s actual sensitive personal data, it must inform a consumer with sufficient particularity that it has collected sensitive personal data. Sensitive personal data includes: Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics (§ 999.313(c)(4)).
Denials of Requests to Delete and Offers to Opt-Out
The March 11 revised regulations clarify that, along with any denial of a request to delete (not just a denial based on a failure to verify the requestor), the business must ask the consumer if they would like to opt-out of the sale of their personal information if the business sells personal information and the consumer has not already opted out (§ 999.313(d)).
Service Provider Use, Retention and Disclosure of Personal Information
The February 10 revised regulations permitted service providers to retain, use and disclose personal information obtained in the course of providing services in certain enumerated situations (§ 999.314(c)).
The February 10 revisions provided that, in what appeared to be closer alignment with the statutory text of the CCPA, the use, retention and disclosure of personal information “to perform the services specified in the written contract” is permissible. The March 11 revisions replace this fairly broad language to instead allow a service provider to “process or maintain” personal information “on behalf of the business” that provided, or directed the service provider to collect, the personal information, and in compliance with the written contract for services required by the CCPA. It is not yet clear what limiting effect this change may have on businesses’ contracts with service providers.
The February 10 regulations also permitted a service provider to use personal information for its own internal use to build or improve the quality of its services, provided that the personal information was not used to build or modify household or consumer profiles or to clean or augment data acquired from another source. The March 11 revisions explicitly prohibit the building of consumer or household profiles to provide services to another business. The revisions also replace the technical data science term “cleaning” data with the more commonly understood “correcting” data.
User-Enabled Privacy Controls; Opt-Out Logo
The March 11 revised regulations remove the requirement that a user-enabled global privacy control (such as a browser plugin or privacy setting) require the consumer to “affirmatively select their choice to opt-out and not be designed with any pre-selected settings” (§ 999.315(d)). The revised regulations continue to require that any such user-enabled global privacy control clearly communicate or signal that the consumer intends to opt out of the sale of personal information, and that the business treat the consumer’s use of such a control as a valid request to opt out for that browser or device and, if known, for the consumer.
The sample opt-out button/logo for the sale of personal information was also removed from the draft (§ 999.306(f)).
For Further Information
If you have any questions related to this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, Brandi A. Taylor, Angelica A. Zabanal, any of the attorneys in our California Consumer Privacy Act Group, attorneys in our Technology, Media and Telecom Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.