On Friday, California Attorney General Xavier Becerra released proposed updates to the previously released draft regulations implementing the California Consumer Privacy Act (CCPA). The modifications reflect the Attorney General’s response to public comments submitted on the draft regulations and arguably represent a rollback of key provisions previously proposed.
The modifications impose a number of changes to the regulations. Of immediate note to companies are the following:
The modifications clarify that it would be acceptable (and thus not a “sale”) for a service provider to use a business’s personal information to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. The modifications also require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information. This clarification arguably forecloses an interpretation that using personal information to build or augment profiles, or to clean or augment personal information, is an acceptable “business purpose” between a business and a service provider.
The modifications no longer require a third party that purchases personal information to contact the consumer directly to provide notice and an opt out, or to contact the source and confirm that the source provided the required notice and obtain signed attestations.
Loyalty Programs/Not Discrimination
If a consumer informs the business that she would like to remain in a loyalty program but otherwise have the business delete her information, it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in and benefits from the loyalty program. The modifications specifically provide that a business’s denial of a consumer’s request to know, request to delete, or request to opt out for reasons permitted by the CCPA or the regulations is not discriminatory.
Personal Information (Actual, Not Hypothetical)
The modifications reinforce that whether information is “personal information” depends on how the business maintains the information, noting, for example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” In other words, if data collected technically could be considered personal information under the CCPA definition, but the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be personal information.
Notice at Point of Collection
The modifications clarify that a business may not use personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
- The categories of personal information collected;
- The categories of sources from which it was collected;
- The business or commercial purpose for collecting or selling personal information;
- The categories of third parties with whom the business shares personal information;
- The categories of personal information the business sold in the past 12 months and, for each category, the categories of third parties to whom they sold it; and
- The categories of personal information disclosed for business purpose in the past 12 months and, for each category, the categories of third parties to whom they disclosed it.
Consumer Rights Requests
The modifications would update how a business responds to consumer rights requests as follows:
- Online-Only Businesses: The modified regulations confirm that an online-only business that has a direct relationship with a consumer need only provide an email address for submitting requests to know.
- Timing: A business has 10 business days to confirm receipt of a request, and 45 calendar days to respond. If the business cannot verify the consumer’s identity within the 45 days, the business may deny the request. In other words, the clock does not run indefinitely if the consumer has not verified his or her identity during the initial 45-day period.
- “Right to Know” Search Exceptions: A business does not need to search for personal information in response to a request if the business does not maintain the personal information in a searchable format, maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it holds that it did not search but which may contain the information. This provides some flexibility to avoid expensive searches for personal information, such as call recording or video footage collected by companies for security or legal compliance purposes.
- “Right to Know” Production Exceptions: The modifications struck the express exception permitting a business to withhold specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Instead, the modifications more generally state that a business may avoid producing specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based on an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.
- Deletion Denial/Opt Out Notice: If the business denies a deletion request, it also must ask the consumer if she wants to opt out of the sale of her personal information (even if the consumer has not made the opt-out request), and include a link to the opt out.
- Deletion Compliance: Two-step confirmation of deletion requests is no longer required. In fulfilling a deletion request, the business does not need to specify the manner in which it deleted the personal information.
- No Fee for Verification: A business cannot require a consumer to pay a fee for the verification of a request to know or request to delete.
Do Not Sell Button
The modifications provide additional information about the voluntary use of the opt-out button. When the opt-out button is used, it should be the same size as other buttons on the webpage, such as:
A business has 15 business days to comply with an opt-out request. Significantly, the modifications provide that businesses will not need to notify all third parties to whom they sold the consumer’s data within the prior 90 days. Instead, this obligation is limited to circumstances in which the business sold personal information to third parties between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business shall direct the third-party purchasers not to further sell the data. In addition, the opt-out method must be easy for consumers to execute and require minimal steps to allow the consumer to opt out. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
User-Enabled Privacy Controls
A privacy control developed in accordance with the regulations must clearly communicate that a consumer intends to opt out of the sale of her personal information. The privacy control must require that the consumer affirmatively select her choice to opt out and not be designed with pre-selected settings. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
Households
The modifications clarify that a household means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier. In terms of responding to “household” rights requests, if a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and delete relating to household information through the business’s existing business practices and in compliance with the regulations. If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to CCPA-mandated parental consent.
Employee Privacy Notice
Under the revised regulations, employee privacy notices do not need to contain links to the Do Not Sell option.
The deadline to submit written comments to the proposed modifications is February 24, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa Hutnik, Aaron Burstein, Katie Townley, or Carmen Hinebaugh.