CCPA-California-Consumer-Privacy-ActOn February 7, 2020, the California Attorney General (AG) announced changes to the California Consumer Privacy Act of 2018 (CCPA) proposed regulations. The AG updated its announcement on February 10, 2020, to indicate that an additional provision was being modified. The modifications include changes to the “Right to Opt Out,” the permissible uses of data by service providers and the mandatory content of CCPA notices. The deadline for submitting comments on the modified draft of the proposed CCPA regulations is Tuesday, February 25, 2020, at 5 p.m. (PST).

As discussed herein, the Tuesday, February 25, 2020, 5 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes.

What Has Changed?

The modifications contain a number of changes (largely business-friendly). The changes are in response to comments received on the initial draft of the proposed regulations and in order to clarify or conform the text to existing law (including various modifications to the CCPA that were enacted during 2019).

Significant changes being proposed include:

  • Concept of “Personal Information” – The modifications clarify that evaluating whether data constitutes “personal information” is based on whether the business links, or could reasonably link, the data to a particular consumer or household. For example, the modifications state that a business that operates a website that collects internet protocol (IP) addresses from visitors need not consider the IP address to be personal information where the business does not associate that data with a particular consumer and could not “reasonably” do so. This seems to indicate an intention to apply a more subjective analysis that focuses on whether the business could identify or link the data to a particular person, rather than whether the data is reasonably linkable to a particular person in general.
  • Additional Service Provider Rights – In addition to performing services specified in a contract, service providers are permitted to process personal information for the following purposes:
    • To retain and employ subcontractors that meet the CCPA definition of “service providers”
    • For internal use by the service provider, to build or improve the quality of its services, provided that this does not include “building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source”
    • To detect security incidents or protect against fraudulent or illegal activity
    • To comply with federal or state law or investigations
  • Privacy Policy and Notice Requirements – The modifications relax some of the formal requirements around CCPA privacy policies and notices at collection and clarifies others. For example, the modifications relax the requirements for “notice at collection,” mandating businesses to disclose the categories of personal data collected and purpose for which it is used generally (as opposed to a granular disclosure of how each category of personal data is used), and clarify that employees must be provided a “notice at collection.” For the privacy policy, however, the modifications reinforce the requirement to state with granularity for each category of personal information (a) whether each category was shared for a business purpose, (b) whether each category was sold, and (c) the categories of third parties to whom the category of personal information was disclosed. Businesses no longer need to state in their CCPA privacy policies the sources of personal information they have collected.
  • Sale Notification – The modifications eliminate the requirement that if a business receives a request to opt out, it must notify all third parties to which it sold the consumer’s personal information within the 90 days preceding the request. However, if a business sells personal information after a consumer submits a request to opt-out, but before the business has complied with the request (i.e., within the15-business-day window), the business must notify those third parties and direct them not to sell the consumer’s personal information.
  • Opt-Out – The modifications to provisions related to privacy settings (e.g., DNT signals) specifically require that opt-out requests be easy for consumers to execute and not be designed to subvert or impair the consumer’s decision to opt-out. The modifications specify that privacy controls shall require the consumer to “affirmatively select their choice to opt-out” and not be designed “with any pre-selected settings.” Additionally, the rules expressly require that the signal to opt-out be “clearly communicated.” This seems to suggest that, for example, browsers that enable “do not track” by default may not need to be honored if they do not sufficiently reflect an “affirmative” selection by the consumer. The modifications also clarify that if a global privacy control conflicts with the business-specific privacy settings, the business is required to honor the global privacy controls generally, but may choose to notify the consumer of the conflict to seek clarification about the consumer’s preference. Additionally, the approved design for the opt-out button has been included.
  • Data Brokers – Businesses are expressly relieved of any obligation to provide notices at collection if they have registered with the AG as a data broker and comply with certain requirements in their registration submissions. The modifications do not clarify, however, the requirements for businesses that are not data brokers but still indirectly collect data (e.g., by purchasing marketing lists.)
  • Obligation to Search for Personal Information – In response to a “Right to Know” request, businesses are expressly allowed not to search for personal information if all of the following conditions are met:
    • The information is not kept in a “searchable or reasonably accessible” manner
    • The information is maintained solely for legal or compliance purposes
    • The business does not sell the personal information and does not use the personal information for any commercial purpose
    • The business’s response describes the categories of records that may contain personal information but were not searched because it meets these conditions
  • Biometric Data – Unique biometric data is added to the list of data categories that businesses must not disclose in response to a “Right to Know” request.
  • Mobile Applications – The modifications add many specific references to the obligations of businesses that collect data through mobile applications, including an obligation to provide a link to the notice prior to downloading and “just-in-time” notices. These requirements align with the recommendations that the AG published in 2013 for the mobile ecosystem.
  • Other relevant changes – Additional guidance is provided on how to calculate the value of personal information, the time periods to respond to individual rights requests, accessibility requirements and how businesses should verify requests to access or delete household information.

What Will Happen Next?

The AG is currently accepting written comments on the proposed changes and documents relied on in the rulemaking. Comments must be submitted to the AG no later than 5 p.m. on Tuesday, February 25, 2020, by email to privacyregulations@doj.ca.gov, or by regular mail at the following address:

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

The AG will review and respond to all timely received comments pertinent to the changes proposed. In order to finalize the rules, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. This record will include the Final Statement of Reasons, in which the AG will summarize and respond to the public comments received. The OAL will then have 30 working days to determine whether the record satisfies procedural requirements under California law. If the requirements are met, the regulations will be adopted as final and filed with the California Secretary of State.

Given the California AG’s timetable, the regulations may come into force as early as May 2020. Companies defined as businesses, service providers and data brokers under the CCPA should, therefore move promptly to evaluate any changes that may be required to their privacy policies, notices, consumer rights response procedures, service provider contracts, and other CCPA documentation and practices under the modifications to the proposed regulations.

How We Can Help

Our CCPA team can provide detailed advice on how the proposed CCPA regulations, as modified, will impact your company, and can assist with the preparation of comments on the modified draft.