While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.
§ 999.301 Definitions. Changes to this section clarify what constitutes a Financial Incentive and removes an additional provision that was added in the First Modifications.
- “Financial Incentive.” Originally, a Financial Incentive was a program or other offering, as compensation, for the disclosure, deletion, or sale of personal information. The Second Modifications removed “as compensation” and changed it to be a program or offering, related to the entity’s collection, retention, or sale of personal information. This seems to broaden what could be a Financial Incentive.
- “Personal Information.” The First Modifications gave an example of what can qualify as Personal Information, an IP address that could reasonably be linked to a particular consumer. The Second Modifications removed this example completely without any replacement. The change raises some questions as to the scope of Personal Information and whether we should expect a broader application. The definition of Personal Information under the CCPA already includes information that identifies “or could reasonably be linked” with a particular consumer or household. 1798.140(o)(1).
§ 999.305. Notice at Collection of Personal Information. The previous modifications and initial regulations stated that businesses collecting employment-related information may include a link to their privacy policy in their notice. The Second Modifications add a bit of clarity by now saying that these businesses are not required to provide a link in the notice.
Additionally, the Second Modifications add a new provision that provides if a business does not collect personal information directly from the consumer, the business does not need to provide notice at collection if the business does not sell the personal information. This then implies that even if a business does not directly collect personal information from a consumer, the business may still be required to provide notice at collection if the business plans on selling the personal information.
§ 999.306. Notice of Right to Opt-Out. Strangely, the Second Modifications completely removed the Opt-Out Button/Logo without any alternative. The Attorney General still has time to replace this with an alternative as the statute, §1798.185, requires the establishment of a opt-out logo or button by July 1, 2020.
§ 999.308. Privacy Policy. The Second Modifications add back what the initial regulations first required. Privacy policies must identify the categories of sources that a business collects personal information and identify the business or commercial purpose for the collecting or selling of the personal information. The sources and business or commercial purpose must be described in a manner that gives a consumer a meaningful understanding of what information is being collected and why the information is being collected or sold.
Additionally, a new provision was added to this section that applies to businesses that have actual knowledge that it sells personal information of minors that are 16 years of age or younger. The business will then need to provide, in its privacy policy, a description of the process detailed in Sections 999.330 and 999.331, which require specific opting-in requirements, such as affirmatively authorizing that the consent given was a parent or guardian if the minor is under the age of 13.
§ 999.313. Responding to Requests to Know and Delete. The Second Modifications add clarity to the requirement that businesses must not disclose consumer’s unique biometric data generated from measurements or analysis of human characteristics. The business must respond to a consumer in a way that gives the consumer “sufficient particularity” that it has collected the type of information that was requested. An example given is that a business must respond to a consumer that it collects unique biometric data, including a fingerprint, but cannot disclose the actual fingerprint scan.
§ 999.314. Service Providers. As we stated in our discussion on the First Modifications, examples of how a service provider may use or disclose personal information was detailed in more specificity. The Second Modifications add more clarity by providing that service providers may retain, use, or disclose personal information to process or maintain personal information on behalf of a business that provides such personal information to them or that directed them to collect the personal information.
Other Changes. Section 999.323 now adds that businesses cannot charge a consumer or their authorized agent for verification of a request. Section 999.317 states that information maintained for record-keeping purposes cannot be shared with third parties except as needed to comply with legal obligations.
These are not the final guidelines and the written comment period for this set of modifications ends on March 27, 2020, so please stand by for more information. As there are likely to be more changes in the coming months, as we stated in our previous discussion, business and service providers, alike, should continue to review and revise practices and policies to stay up to date on best practices and to meet the requirements of applicable law. We recommend seeking counsel to navigate these changes and develop a plan.