California Releases “Redlines” to CCPA Regulation
On Friday, California’s Attorney General released proposed modifications to the formerly-released draft regulations implementing the California Consumer Privacy Act (CCPA). The modifications take into consideration feedback received during the 45-day comment period that ended in December.
Although the law has been in effect since January 1, 2020 the Attorney General has stated that it will not start bringing enforcement actions until July 1, 2020. The purpose of the updated regulation is to provide businesses with practical information they can use to operationalize the law between now and then.
Provided below are some of the main takeaways:
Defining “Personal Information”: The modifications clarify that evaluating whether data constitutes “personal information” is based on whether the business links, or could reasonably link, the data to a particular consumer or household. For example, the modifications state that a business that operates a website that collects intellectual property (IP) addresses from visitors need not consider the IP address to be personal information where the business does not associate that data with a particular consumer and could not “reasonably” do so.
Additional Service Provider Rights: A service provider shall not retain, use, or disclose personal information obtained in the course of providing services except:
– To perform the services specified in the written contract with the business that provided the personal information;
– To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations;
– For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
– To detect data security incidents, or protect against fraudulent or illegal activity; or
– For the purposes enumerated in Civil Code section 1798.145, subsections (a)(1) through (a)(4).
Sale Notification: The modifications eliminate the requirement that if a business receives a request to opt out, it must notify all third parties to which it sold the consumer’s personal information within the 90 days preceding the request. However, if a business sells personal information after a consumer submits a request to opt-out, but before the business has complied with the request (i.e., within the 15-business-day window), the business must notify those third parties and direct them not to sell the consumer’s personal information.
Opt-Out – The modifications to provisions related to privacy settings (e.g., DNT signals) specifically require that opt-out requests be easy for consumers to execute and not be designed to subvert or impair the consumer’s decision to opt-out. The modifications specify that privacy controls shall require the consumer to “affirmatively select their choice to opt-out” and not be designed “with any pre-selected settings.” Additionally, when the opt-out button is used, it shall appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, as demonstrated below, and shall be approximately the same size as other buttons on the business’s webpage.
Responding to Requests to Know: In response to a “Right to Know” request, businesses are expressly not required to search for personal information if all of the following conditions are met:
– The business does not maintain the personal information in a searchable or reasonably accessible format;
– The business maintains the personal information solely for legal or compliance purposes;
– The business does not sell the personal information and does not use it for any commercial purpose; and
– The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
Mobile Applications: The modifications add many specific references to the obligations of businesses that collect data through mobile applications, including an obligation to provide a link to the notice prior to downloading and “just-in-time” notices containing a summary of the categories of personal information being collected and a link to the full notice at collection.
The Attorney General is currently accepting written comments on the proposed changes and documents relied on in the rulemaking. Comments must be submitted no later than 5 p.m. on Tuesday, February 25, 2020. To read the complete redlined regulation, click here.