On February 7 and 10, 2020, the California Attorney General released modifications to the proposed regulations implementing the California Consumer Privacy Act. The modifications substantially revise the initial version of the proposed regulations released last October. Notable changes focus on the following topics:
- Definitions of “personal information” and other key terms
- Privacy policy requirements
- Consumer requests
- Updated CCPA service provider obligations
- Additional recordkeeping requirements
The modified regulations do not specifically address whether data sharing for interest-based advertising constitutes a “sale” of personal information under the CCPA, a topic that has been hotly debated and a source of uncertainty for businesses.
Interested parties may submit written comments to the AG by February 25, 2020, 5:00 pm Pacific. UnderCalifornia’s rulemaking process, the regulations are unlikely to be finalized before the end of Q2 2020. In the meantime, businesses subject to the CCPA should prepare to modify their privacy policies and internal practices in line with the proposed regulations with the goal of minimizing compliance gaps.
Definitions of “personal information” and other key terms
Personal information may not include IP addresses or unstructured data…in theory
- Prior version of regs: Relied on definition in the CCPA.
- Modified regs (§ 999.302): Emphasize that determining whether information is “personal information” means evaluating whether it is reasonably capable of being associated with, or reasonably linked to, a consumer or household. For example, the modified regulations note that an IP address collected by a business’s website is not personal information if the business could not reasonably link the IP address to a consumer or household.
- Implications:
- This modification clarifies that an IP address is not personal information per se. But this view does not preclude the AG from ultimately joining regulators and courts outside of California in concluding that IP addresses are reasonably linkable to individuals such that they constitute personal information in various common contexts. Moreover, by essentially reiterating parts of the definition of “personal information” under the CCPA, the update to this regulation does not provide much guidance as to when the IP address is not considered personal information. Similarly, unstructured data, such as security camera footage or raw images, may not be personal information, depending on how the business maintains that information and whether it is reasonably linkable to an individual consumer.
“Household” definition clarified
- Prior version of regs: A person or group of people occupying a single dwelling.
- Modified regs (§ 999.301(k)): A person or group of people who (1) reside at the same address, (2) share a common device or the same service provided by a business and (3) are identified by the business as sharing the same group account or unique identifier.
- Implications:
- Under this definition, an individual appears unable to claim CCPA rights as a member of a household unless the business identifies the individual as sharing a service/device with another household member (e.g., where household members have sub-accounts or profiles within a “family” account).
- The individual would not be barred from claiming CCPA rights in their own individual capacity, but in practice, the business may be unable to find their information in its records, thus either preventing the individual’s information from being personal information, or preventing the business from being able to verify the requester’s identity as required to honor their request.
Privacy policy requirements
Notice of ”unexpected” collection on mobile devices must be delivered “just-in-time”
- Prior version of regs: N/A.
- Modified regs (§ 999.305): If a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, the business must provide a “just-in-time” notice (such as a pop-up window) with a summary of the personal information collected and a link to the full privacy notice. As an example, the regulations note that a flashlight app collecting geolocation information would be unexpected and thus must deliver a “just-in-time” notice such as a pop-up window.
- Implications: If the permission requests launched by apps before they collect certain device data (e.g., geolocation, contacts, photos, camera, speaker) qualify as “just-in-time” notices, almost every app developer would need to redesign these prompts to give the required disclosures and add privacy policy links.
Standard set for achieving accessibility for consumers with disabilities
- Prior version of regs: Notices required by the CCPA must be accessible to consumers with disabilities.
- Modified regs (§ 999.305): Notices required by the CCPA must follow generally recognized industry standards for accessibility, such as the Web Content Accessibility Guidelines from the World Wide Consortium.
- Implications: The regulations specify a common industry standard that will satisfy notice accessibility requirements under the CCPA. However, meeting the WCAG 2.1 standard is a nontrivial effort that will add to the cost of CCPA compliance.
Oral CCPA privacy notices may be required
- Prior version of regs: N/A.
- Modified regs (§ 999.305): When a business collects personal information over the telephone or in person, it may provide the privacy policy orally.
- Implications:
- The modifications suggest that the AG expects notices at collection to be given orally on phone calls during which personal information is collected (e.g., sales calls, customer service calls). This would be a major change to the status quo given that oral privacy-related disclosures over commercial phone calls are extremely rare.
- It remains unclear whether an oral privacy notice would be necessary if the business had previously given a notice of collection covering the data collection that occurs on the call earlier in the consumer relationship, such as during online registration, in its website privacy policy or in an online call-to-action prompting the phone call.
Registered data brokers do not need to provide notice at or before collection
- Prior version of regs: A business that does not collect information directly from consumers (i.e., collects personal information from a third-party source) does not need to give a notice at collection. But if the business wanted to sell the data (i.e., be a data broker), then it would first need to either provide notice to the consumer or contact the third-party source to confirm that they gave the notice.
- Modified regs (§ 999.305): A business that does not collect information directly from consumers (i.e., collects personal information from a third-party source) does not need to give a notice at or before collection if it registers with the AG as a data broker and provides the AG with a link to its privacy policy that includes an opt-out.
- Implications:
- Businesses that are not data brokers. Businesses that collect sales leads or other personal information only from public sources (e.g., scraping from social networks) or purchase it from data brokers – yet have no intention to sell that information such that they would become data brokers themselves under California law – arguably would be required to give a notice at collection in a context where it is practically impossible to do so (i.e., when collecting from a third-party source). In this context, businesses may lack contact details for the individuals in question, making compliance impossible in practice. Even where they do have contact details, businesses who send notices at or before collection are likely to see these third-party consumers react with confusion or irritation. In addition, industry compliance with this requirement could cause consumers to see a massive (and in many cases unwelcome) increase in the volume of privacy notice-related email, which could make consumers even more likely to ignore privacy policies than they are now.
- Businesses that are data brokers. The modified regulations ease off on data brokers (i.e., businesses that knowingly collect and sell to third parties the personal information of a consumer with whom the business does not have a direct relationship) in recognition of the obligations they face under California’s new data broker law to register with the AG. However, the removal of the notice at collection obligation means consumers may be unable to determine whether a particular data broker is collecting or selling their personal information.
Failure to disclose a “sale” at the time of collection requires “affirmative authorization” for going-forward sales
- Prior version of regs: A consumer whose personal information is collected when the business did not post a notice of the right to opt-out is deemed to have submitted a valid opt-out request.
- Modified regs (§ 999.306): A business cannot sell the personal information it collected during the time it did not post the notice of the right to opt-out unless it first obtains the consumer’s “affirmative authorization.”
- Implications:
- Under the prior version of the regulations, failure to provide notice of the right to opt-out was treated as the consumer’s opt-out of any sales. As such, a business would be required to refrain from any transfers that could be considered sales without obtaining “express authorization” and could not ask consumers to opt-in to a sale for 12 months.
- The modified regulations now require “affirmative authorization” before selling any personal information where there was no notice. Notably, however, unlike the prior version of the regulation, the business would not have to wait 12 months to obtain the affirmative authorization to engage in sales.
- This updated requirement may apply to many businesses that did not post the notice of the right to opt-out at the time it collected the personal information – whether because the business did not consider its activities to be a sale at the time and later changed its position due to evolving regulatory guidance, because it was behind on CCPA compliance and had not yet implemented the notice provision, or for some other reason.
Businesses must disclose whether they have “actual knowledge” of selling minors’ personal information
- Prior version of regs: A business must state in its privacy policy whether it sells the personal information of minors under 16 years of age without their consent.
- Modified regs (§ 999.308): A business must state in its privacy policy whether it has “actual knowledge” that it sells the personal information of minors under 16 years of age.
- Implications:
- Based on this change, a CCPA violation could arise not only from the failure to obtain consent of the minor under 16, but also from the failure to disclose whether the business has actual knowledge that the minor’s personal information is being sold.
- In practice, businesses are unlikely to make this disclosure unless they have implemented parental consent mechanisms, as doing so otherwise would be to admit a CCPA violation.
- Moreover, because businesses are taking a variety of positions as to what constitutes a sale under the CCPA, this provision poses risk if a business’s interpretation is incorrect (i.e., a transfer they felt was not a sale actually is a sale under the law).
Consumer requests
Methods to submit consumer requests
Opt-outs cannot be difficult for consumers to effectuate
- Prior version of regs: N/A.
- Modified regs (§ 999.315): Opt-out requests must be easy, require minimal steps and cannot have the “purpose or substantial effect of subverting or impairing” the decision to opt-out.
- Implications: This change appears to take aim at all opt-out instructions, not only those that are intentionally burdensome. This may also impact opt-out processes that require users to set preferences on multiple platforms, sometimes repeatedly and on multiple devices, to prevent the sale of their personal information, which may not satisfy the “easy” and “minimal steps” requirement.
Businesses must consider providing options for consumers to submit in-person consumer requests
- Prior version of regs: One of the methods for consumers to submit requests to know and delete must reflect the manner in which the business primarily interacts with the consumer.
- Modified regs (§ 999.312): Businesses that interact with consumers primarily in-person must consider providing (but need not offer) an in-person method for consumers to submit requests to know and delete, such as a printed form, a tablet or computer portal that links to the business’s webform submission, or a telephone that the consumer can use to call the business. Businesses are not required to consider these options for sale opt-outs (but can do so if they wish).
- Implications: This requirement may place the onus on businesses that do not use one of the referenced methods for in-person requests to justify the decision not to. In practice, many businesses may elect to employ one of the referenced methods
Verifying a consumer’s identity
Businesses cannot charge fees to satisfy consumer rights requests
- Prior version of regs: N/A.
- Modified regs (§ 999.323): A business cannot require a consumer to pay any fees to verify their identity for requests to know or delete, including notarization fees, unless it reimburses those fees.
- Implications: Requiring businesses to reimburse notary fees disincentivizes them to require notarization in verifying consumer requests as a security precaution, which could make consumers more vulnerable to having their personal information compromised by fraudulent CCPA requests. Moreover, this regulation would undermine a business’ use of notarized declarations to verify the identity and authority of authorized agents. Of course, by dissuading higher levels of identity verification, this provision may result in increased personal information security risk.
Additional methods for businesses to verify authorized agents
- Prior version of regs: When a consumer uses an authorized agent, unless the agent has power of attorney, a business can require the consumer to:
- Provide a written authorization authorizing the agent to act on their behalf; and
- Verify their own identity.
- Modified regs (§ 999.326): When a consumer uses an authorized agent, unless the agent has power of attorney, a business can require the consumer to:
- Sign a written authorization authorizing the agent to act on their behalf;
- Verify their own identity; and
- Directly confirm with the business that they gave the agent permission to submit the request.
- Implications: Organizations seeking to act as authorized agents of large numbers of Californians may now find it more difficult to seamlessly enroll clients in a manner that will satisfy the requirements for establishing an agent’s authority under the CCPA.
Authorized agents’ obligations
- Prior version of regs: N/A.
- Modified regs: An authorized agent must use reasonable security to protect the consumer’s information. An authorized agent cannot use the consumer’s personal information, or any information collected from or about the consumer, for any purpose other than fulfilling the request, for verifying identities or for preventing fraud.
- Implications: The reasonable security requirement increases the cost and risk associated with acting as an authorized agent and is a reminder that authorized agents themselves may be businesses subject to the private right of action under the CCPA for data breaches arising from the failure to implement reasonable security.
Parental consent necessary for requests to know and delete personal information of minors
- Prior version of regs: N/A.
- Modified regs (§ 999.330): A business must establish, document and use a reasonable method to verify that a person submitting a request to know or a request to delete the personal information of a child under 13 is that child’s parent or guardian.
- Implications: A CCPA-compliant parental consent process would be required not only for requests for authorization to sell the personal information of children under 13, but also to verify requests to know/delete submitted on behalf of children under 13. While unclear, the requirement also seems to imply that these requests may be submitted for children under 13 only by their parents or guardians and not by the children themselves.
Handling consumer requests
Deadlines for responses clarified: The revised draft regulations clarify deadlines for making responses.
- Preliminary response for right to know and delete:
- Prior version of regs: 10 days
- Modified regs (§ 999.913): 10 business days
- Substantive response for right to opt-out:
- Prior version of regs: 15 days
- Modified regs (§ 999.915): 15 business days
Security risk exemption eliminated
- Prior version of regs: A business can reject a request for specific pieces of personal information if disclosing the information would create a substantial, articulable and unreasonable risk to the security of that personal information, the consumer’s account with the business or the security of the business’ systems or networks.
- Modified regs (§ 999.313): N/A – exemption eliminated.
- Implications: Eliminating the exemption, which arguably benefitted both businesses and the security of consumers’ data, may encourage businesses to err on the side of complying with access requests even in the face of real security concerns. Now, businesses should consider whether denying requests on the basis of protecting the security of another individual’s personal information can be justified under Section 1798.145(l) of the CCPA, which provides that “…the obligations imposed on the business…shall not adversely affect the rights and freedoms of other consumers.”
New basis for denying a request to know related to unstructured personal information
- Prior version of regs: N/A.
- Modified regs (§ 999.313): A business can deny a request to know when all of the following are met:
- The personal information is not kept in a searchable or reasonably accessible format;
- The personal information is kept only for legal or compliance purposes;
- The personal information is not sold or used for a commercial purpose; and
- The business discloses to the consumer the categories of records that may contain personal information that it did not search because they meet the above conditions.
- Implications: This exemption could apply to certain types of unstructured or backup data, both of which are also addressed in other sections of the proposed regulations. The key criterion is whether such data is kept for legal or compliance purposes. Unstructured data such as raw security footage may not be. However, unstructured data may not be personal information at all, depending on how the business maintains that information, as discussed above.
Biometric data exempted from requests to know
- Prior version of regs: N/A.
- Modified regs (§ 999.313): Prohibits delivery in response to a request to know of unique biometric data generated from measurements or technical analysis of human characteristics.
- Implications: Providing this information to an unauthorized person would not only violate the CCPA regulations, but may trigger the obligation to notify affected California residents and supply the basis for private right of action and statutory damages under the CCPA.
One-step deletion permitted; two-step deletion optional
- Prior version of regs: A business is required to provide a two-step process for online requests for deletion where the consumer first submits the request to delete and then is separately asked to confirm their request.
- Modified regs (§ 999.312): The two-step process is now optional – a business need not confirm a deletion request before fulfilling it.
- Implications: Businesses will welcome having the right but not the obligation to complete a two-step confirmation process before fulfilling a request to delete.
Businesses that cannot verify requests to delete must offer the individual a sales opt-out
- Prior version of regs: When a business denies a request to delete because it cannot verify the requester’s identity, it must treat the request as an opt-out request (which does not require verification).
- Modified regs (§ 999.313): When a business denies a request to delete because it cannot verify the requester’s identity, and if the business also sells personal information, then it must ask if the consumer wishes to opt-out of the sale of their personal information.
- Implications: Businesses are spared the considerable complexity and consumer confusion that may well have resulted from the obligation to assume that certain requests to delete are requests to opt-out. However, asking the consumer if they wish to opt-out of sales in this context may cause confusion in its own right.
Requests to opt-out do not need to be communicated to all third parties to whom personal information was sold
- Prior version of regs: After a business receives an opt-out request, it must inform all third parties to whom it has sold the consumer’s personal information within 90 days preceding the request.
- Modified regs (§ 999.315): That requirement was eliminated. Instead, if a business sells a consumer’s personal information between the time it received the opt-out request and the time it actually complied with the request, it must inform the third party of the opt-out and instruct them to not sell the consumer’s information.
- Implications: While the scope of third parties that must be notified is presumably reduced in most cases, businesses continue to face the considerable challenge of implementing mechanisms to monitor the timing and implementation of opt-out requests, tracking the relevant third parties and delivering the required notifications to them.
Updated CCPA service provider obligations
The modified proposed regulations endorse some of the activities commonly performed by service providers, add restrictions on service provider’s activities and now address engaging subcontractors.
- Prior version of regs: A service provider cannot use personal information obtained from one business for the purpose of providing services to another entity. But it may combine personal information received to detect data security incidents or protect against fraudulent or illegal activity.
- Modified regs (§ 999.314): A service provider’s retention, use or disclosure of personal information is limited to:
- performing the services identified in its agreement with the business;
- retaining another service provider as a subcontractor, so long as the subcontractor meets all of the requirements to be a CCPA service provider;
- building or improving the service provider’s services, so long as it does not include creating or adding to household or consumer profiles, or cleaning or augmenting data from another source;
- detecting security incidents or protecting against fraudulent or illegal activity; and
- the purposes in Cal. Civ. Code § 1798.145(a)(1)-(4):
- complying with other laws;
- complying with legal obligations;
- cooperating with law enforcement; and
- exercising or defending legal claims.
- Implications:
- This change will come as a relief to B2B service providers, many of whom rely on the ability to process data for these reasons to improve their products and operate their businesses. This change will also give service providers leverage to resist contractual requirements seeking to prohibit some of these activities in the name of CCPA compliance.
- On the other hand, qualifying as a service provider will be more difficult for B2B companies seeking to leverage personal information received from one B2B customer to augment databases used to benefit other B2B customers, except for the purposes enumerated in this requirement.
- It is unclear how broadly “augmenting data from another source” will be interpreted. Does this mean that a service provider is prohibited from combining personal information from multiple sources in order to run machine learning/AI against the data set to provide its services?
Additional recordkeeping requirements
- Prior version of regs: Businesses that annually collect or sell the personal information of 4 million consumers must make specific annual disclosures.
- Modified regs (§ 999.317):
- A business must implement reasonable security for the records it keeps regarding consumer requests.
- Businesses that annually collect the personal information of 10 million consumers must still make their specific annual disclosures but now must do so by July 1 of every year. Additionally, businesses gain some flexibility on the annual disclosure, such as being permitted to use the number of requests it received from all individuals rather than requests received from consumers.