Key Changes from the Newly Revised CCPA Regulations

  • Published on Feb 13, 2020

The California Attorney General published on February 7, 2020 (and subsequently updated on February 10, 2020) revisions to its proposed regulations for the California Consumer Privacy Act (“CCPA”). While the modifications to the proposed regulations (hereinafter “revised regulations”) could be perceived as an added layer of complexity, a careful review of the redline changes issued by the Office of the Attorney General reveals both clarifications and limitations that should facilitate compliance with the CCPA. Seven key modifications to the regulations are spotlighted below.

1. Limiting the Scope of “Personal Information”

The CCPA defines “personal information” broadly to include information that could be reasonably identified with a consumer or a consumer’s “household.”[1] The CCPA reinforced this broad construction by including “internet protocol address” in the definition of personal information, which allows CCPA protections to extend beyond a particular consumer to any individuals who “reside at the same address” and use an electronic device with the consumer’s same IP address.[2] The revised regulations place a reasonable limitation on the scope of that provision by, among other things, restricting the definition of “household” to “a person or group of people who . . . are identified by the business as sharing the same group account or unique identifier.”[3] They also circumscribe the breadth of using a consumer’s IP address to define personal information. An IP address will not be considered personal information if the regulated business “does not link the IP address to any particular consumer or household.”[4]

2. Clearer Detail on the Notices Regulated Businesses Must Provide Consumers

The CCPA identified various notices that regulated businesses must provide to consumers in disparate code sections and the originally proposed regulations. To facilitate compliance with the notice requirements, the revised regulations summarily identify in one location the four consumer notice requirements.[5] Those notices include a privacy policy, collection of personal information, sale of personal information, and a financial incentive program.

3. Clarification on Rules relating to Collection of Employment-Related Information

The revised regulations acknowledge the impact of AB 25, which delayed the requirement that regulated businesses comply with certain employment-related provisions of the CCPA until January 1, 2021.[6] Once those provisions are effective in January 2021 (assuming they are not further modified in the meantime), the revised regulations clarify that regulated businesses need not provide employees with the “Do Not Sell My Personal Information” or “Do Not Sell My Info” web link designed for consumers. Instead, the CCPA will apply directly to employees and businesses can then provide employees with a paper copy or a web link to “privacy policies for job applicants, employees, or contractors.”[7]

4. Businesses Must Make the Opt-Out Process “Easy”

The CCPA obligates regulated businesses to notify consumers that they sell consumers’ personal information to third parties and that consumers can prevent the sale of personal information by exercising their “opt-out” rights.[8] In addition to requiring that businesses notify consumers of their opt-out rights in clear and straightforward wording without “technical or legal jargon,”[9] the revised regulations mandate that the opt-out process be “easy” for consumers to navigate.[10] This means that businesses may not create a process that is either calculated to make, or has the effect of making, it difficult for consumers to exercise their opt-out rights.[11]

5. Specific Direction on the Use of the Opt-Out Button

While the originally proposed regulations offered businesses the option to use an “opt-out button or logo . . . in addition to posting the notice of right to opt-out,” the revised regulations provide specific direction on the use of an opt-out button.[12] In particular, the opt-out button must look as follows:[13]


In addition, the opt-out button “shall be approximately the same size as other buttons on the business’s webpage” and must be coupled with the following wording as formatted below:[14]


The modified regulations additionally note that businesses are forbidden from selling personal information collected while the business did not have an opt-out notice posted, absent affirmative opt-in from the consumer.[15]

6. Clarification on the Obligation to Respond to Requests to Know

The CCPA provides consumers with a right to know information about the collection, use, disclosure, and sale of personal information by regulated businesses.[16] While regulated businesses must provide consumers with responses to their requests for such information, the revised regulations clarify that businesses need not perform a search for a particular consumer’s personal information if that information is not kept “in a searchable or reasonably accessible format,” is maintained only for “legal or compliance purposes,” and is not sold or otherwise used for “any commercial purpose.”[17] Regulated businesses must delineate the foregoing points in their responses to consumers and explain that those conditions made it unnecessary to perform a search for the requested personal information.[18]

7. Regulated Businesses Must Have “Reasonable Security Procedures and Practices” in Maintaining Records

Regulated businesses must keep consumer requests for information and their corresponding responses to those requests for two years.[19] The revised regulations now mandate that businesses have “reasonable security procedures and practices” relating to the retention of those records.[20]

The CCPA Going Forward

Beyond the seven changes delineated above, there are several other modifications that the California Attorney General has made to the proposed regulations. Given that the regulations will “operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law,” regulated businesses should review, understand, and be prepared to act on the regulations once they are finalized this summer.

As these changes to the proposed regulations demonstrate, the final version of the CCPA remains elusive. Until the rule-making process is complete, compliance with the CCPA will remain a moving target. Moreover, California lawmakers may continue to tinker with aspects of the law or even propose new amendments creating additional obligations for regulated businesses. For questions on best practices regarding compliance and enforcement, please contact Driven, Inc.’s expert consultants who are available to provide informed guidance on the issues.

[1] Cal. Civ. Code § 1798.140(o)(1).

[2] Cal. Civ. Code § 1798.140(o)(1)(A); CCPA Proposed Regulations, §999.301(k) (Feb. 10, 2020).

[3] CCPA Proposed Regulations, §999.301(k) (Feb. 10, 2020).

[4] CCPA Proposed Regulations, §999.302(a) (Feb. 10, 2020).

[5] CCPA Proposed Regulations, §999.304 (Feb. 10, 2020).

[6] CCPA Proposed Regulations, §999.305(f) (Feb. 10, 2020).

[7] CCPA Proposed Regulations, §999.305(e) (Feb. 10, 2020).

[8] Cal. Civ. Code §§1798.120, 1798.135.

[9] CCPA Proposed Regulations, §999.306(a)(2) (Feb. 10, 2020).

[10] CCPA Proposed Regulations, §999.315(c) (Feb. 10, 2020).

[11] Id.

[12] CCPA Proposed Regulations, §999.306(f) (Feb. 10, 2020).

[13] CCPA Proposed Regulations, §999.306(f)(1) (Feb. 10, 2020).

[14] CCPA Proposed Regulations, §999.306(f)(2) (Feb. 10, 2020).

[15] CCPA Proposed Regulations, §999.306(e) (Feb. 10, 2020).

[16] See Cal. Civ. Code §1798.100, et seq.

[17] CCPA Proposed Regulations, §999.313(c)(3)(a-c) (Feb. 10, 2020).

[18] CCPA Proposed Regulations, §999.313(c)(3)(d) (Feb. 10, 2020).

[19] CCPA Proposed Regulations, §999.317(b) (Feb. 10, 2020).

[20] Id.

Written by: Philip Favro

Philip Favro is a leading expert on issues relating to electronically stored information. Phil serves as a court-appointed special master, expert witness, and trusted advisor to law firms and organizations on matters involving ESI and electronic discovery. He is a nationally recognized scholar on electronic discovery, with courts and academic journals citing his articles. Phil also regularly provides training to judges on electronic discovery and ESI. He is a licensed attorney who in private practice represented organizations and individuals in litigation across the spectrum of business disputes. In addition to handling a range of complex and other discovery issues, Phil has extensive experience in the courtroom including summary judgment, preliminary injunction, and discovery motion practice, together with trial and arbitration experience.