By Susan Kohn Ross and Timothy Carter
On March 11, 2020, the California Attorney General (CA AG) issued additional revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA). The CA AG published a redline against the earlier proposed regulations highlighting the latest changes. A copy can be found here. The latest modified draft regulations are subject to a public comment period which ends on March 27, 2020, at 5:00 p.m. (PDT). Information about where to submit comments can be found at the end of this Alert.
While many of the latest changes consist of technical corrections or clarifications, there are some significant modifications, all are effective on July 1, 2020. Below, we summarized the key changes:
Removal of the Opt Out / Do Not Sell Button
The last revision to the regulations proposed standard form opt out buttons intended for industry adoption (depicted below).
The color and appearance of the proposed button led to criticism by some commenters who raised potential usability issues. As a result, the CA AG’s office has removed all references to these buttons in the latest revisions.
The CA AG added language which requires a business to identify the categories of sources from which personal information is collected and the business/commercial purpose for collecting or selling that personal information. The added provisions require the information “be described in a manner that provides consumers a meaningful understanding” of what is collected and why. See 11 CCR § 999.308(c)(1)(e)-(f).
Guidance Regarding CCPA Definition of Personal Information
The CA AG removed guidance concerning the interpretation of “personal information” under the CCPA. Notably, this provision provided quite a bit of clarification about when information, including an IP address, would be considered personal information under the CCPA. No new or replacement provision was added.
Notice of Collection Exemptions
Denial of Deletion Request
Where a business that sells personal information denies a deletion request, that business will now be required to ask the consumer if they want to opt out of the sale of their personal information.
The CA AG revised exemptions to the general rule that a service provider cannot retain, use, or disclose personal information obtained in the course of providing services. These new exemptions significantly curtail the ability of a service provider to use personal information to perform services generally, and now require instead that the service provider limit the use of personal information “on behalf of the business that provided the personal information.” 11 CCR § 999.314(c)(1). The CA AG also revised a provision which would have permitted a service provider to use personal information for internal purposes, such as to build or improve the quality of its services. In these revisions, the CA AG made clear this exemption does not permit a service provider to build or modify consumer profiles to use in providing services to another business or to correct or augment data acquired from another source. 11 CCR § 999.314(c)(3).
Definition of a Financial Incentive
The CA AG has also revised the definition of a financial incentive to concern a program, benefit or other offering that relates to the collection, retention, or sale of personal information. Previously, a financial incentive was a program, benefit, or other offering provided as compensation for the disclosure, deletion, or sale of personal information. See 11 CCR § 999.301(j).
Disclosure of Sensitive Data in Responding to Requests to Know
The CA AG has proposed that where a business collects sensitive data and withholds that data in responding to a request to know what information the business is holding about a consumer, that business must now provide a description of the information with sufficient particularity. See 11 CCR § 999.313(c)(4). The example given is the business need not disclosure the actual fingerprint image, but instead could say it collects “unique biometric data including a fingerprint scan.”
If you wish to file comments, they can be sent via email to PrivacyRegulations@doj.ca.gov or by mail to Lisa B. Kim, Privacy Regulations Coordinator, California Attorney General, 300 S. Spring St, First Floor, Los Angeles, CA 90013. As noted above, the deadline is March 27, 2020, at 5:00 p.m. (PST).
What these changes tell us is to be prepared – more revisions are possible, but whatever their final content, they become effective on July 1, 2020. Are you ready?