Last year we wrote about the California attorney general’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra has proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to the public comments on the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.
§ 999.301 Definitions. The changes to this section help clarify and tighten up the definitions of a few important terms.
- “Household.” This term, previously defined as a group of people living in the same dwelling, is now clarified to mean a person or group of people who:
- reside at the same address;
- share a common device or service; and
- share the same group account or identifier.
- “Personal Information.” The Modifications give further guidance on when information counts as personal information. Whether information is personal information depends on how the business maintains the data. As an example, the Modifications state that IP addresses alone, without the ability to reasonably link them to a person, are not personal information; for IP addresses to be personal information, the business must maintain them in a way that would allow it to link them to a particular consumer or household.
§ 999.305 Notice. The Initial Regulations required notice at collection to be visible or accessible where the consumer will see the notice before personal information is collected. The Modifications clarify that the notice must be “readily available” before personal information is collected from the consumer. The Modifications provide a few new examples:
- if the information is being collected from a mobile application, the notice may be linked on the download page;
- if the information is being collected over a telephone call or in person, the notice can be provided orally; and
- if a mobile app collects personal information that a consumer would not reasonably expect from that application, the mobile app must provide a “just-in-time” notice, such as a pop-up window, that summarizes the categories of information being collected and a link to the full notice.
Websites on which such notice is posted should meet accessibility standards, such as those found in WCAG 2.1. Additionally, the Initial Regulations prohibited a business from using personal information for any purpose other than what was disclosed in the notice at the point of collection. The Modifications give businesses some clarity and flexibility by instead prohibiting the use of personal information for any purpose that is materially different from what is outlined in the notice at the point of collection.
Lastly, if a business is registered as a data broker with the Attorney General, the business does not need to provide notice at collection if the business includes a link, in its registration submission, to its online privacy policy detailing how a consumer can request to opt-out.
§ 999.313 Requests to Know and Delete.
Requests to Know. The Initial Regulations required businesses to initially acknowledge a request within 10 days and respond to a request within 45 days or 90 days if the business needed more time. This has now been modified to 10 business days and 45 and 90 calendar days, respectively. Additionally, the Modifications struck the provision that prohibited a business from providing specific pieces of personal information if there was an unreasonable risk to the security of the personal information. This has been refined to state that a “business is not required to search for personal information if all of the following conditions are met:
- The business does not maintain the personal information in a searchable or reasonably accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.”
Responding to Requests to Delete. If there has been a request to delete, and the business is unable to verify the consumer, the business is not required to treat that request as a request to opt-out of the sale of the personal information, which was required by the Initial Regulations. Instead, the Modifications require that the business ask the consumer if they would like to opt-out of the sale of their personal information and include a link to the notice of right to opt-out.
§ 999.314 Service Providers. The changes to this section affect how service providers can use the data they collect on behalf of a business and how they should respond to consumer requests. A service provider is not to retain, use, or disclose personal information that it collects while providing its services to a business except:
- “To perform the services specified in the written contract with the business that provided the personal information;
- To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations;
- For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
- To detect data security incidents, or protect against fraudulent or illegal activity; or
- For the purposes enumerated in Civil Code Section 1798.145, subsections (a) (1) through (a) (4).”
This replaces the Initial Regulations’ requirement that service providers could not use personal information received while providing their services for the purpose of providing services to other entities. The five instances listed above now give service providers a clearer framework for how they can use the personal information they collect while providing their services.
Additionally, if a consumer submits a request to know or delete with a service provider, the service provider must respond on behalf of the business or inform the consumer that it cannot perform the request due to the request being sent to a service provider.
§ 999.315 Requests to Opt-Out. The Modifications add the requirement that a business’s framework for consumers to submit a request to opt-out must be easy for consumers to complete and require minimal steps. The method used by the business to submit these requests must not substantially impair the consumer’s decision to opt-out.
§ 999.317 Training and Record-Keeping. The Initial Regulations required businesses to compile specific metrics when it sold, bought, or shared for business purposes the personal information of 4,000,000 or more consumers. While the metrics that must be shared are the same, the Modifications relaxed the requirement to only businesses that sold, bought, or shared personal information of 10,000,000 or more consumers.
§ 999.323 Verification. A business cannot charge a consumer a fee for the verification of their request to the business, such as requiring a notarized affidavit, unless the business covers the cost of the notarization.
§ 999.326 Authorized Agent. There were slight changes to the authorized agent requirements. Businesses may require consumers to provide authorized agents with written and signed permission to submit a request on their behalf, to verify their own identity with the business, and to directly confirm with the business that they authorized the agent to act on their behalf. Additionally, the Modifications require authorized agents to implement and maintain reasonable security practices to protect the personal information, and prohibit authorized agents from using the consumer’s personal information for any purpose other than fulfilling the request, verification, or fraud prevention.
§ 999.336 Discrimination Practices and Loyalty Programs. The Modifications specify that a business denying a consumer’s request to know, delete, or opt-out is not considered discriminatory if the denial is for reasons permitted under the CCPA. Loyalty programs are given as an example. If a consumer who is part of a loyalty program requests that their data be deleted but wishes to remain in the loyalty program, the business may deny the request to delete only as to the information that is required to participate in the loyalty program. If the loyalty program requires an email address and a specific spending threshold that a consumer must reach to qualify, the business is not required to delete the consumer’s email and spending information.
As we stated earlier, these are not final guidelines, so stand by for more information. At the same time, don’t punish the good for the perfect (or final). Businesses and service providers alike should continue to review and revise their practices to meet the requirements of applicable law and best practices. Consulting counsel is a valuable step in ensuring you understand which laws apply and in finding solutions that balance the legal requirements with your risk tolerance and operational requirements for using personal information.