
Countdown to CCPA – Do the California Attorney General’s [REVISED – ROUND TWO] Regulations Affect Your Company’s Compliance?

On March 11, 2020, the California Office of the Attorney General (OAG) released the second set of modified proposed regulations under the state’s California Consumer Privacy Act (CCPA). This second set of modifications is in response to approximately 100 comments received during the comment period that ended on February 25, 2020.

Our “Countdown to CCPA” client alerts[1] provide a detailed summary of the first round of revised regulations here. This alert summarizes notable revisions from the second set of modified regulations.

How Did We Get Here?

The CCPA was enacted in 2018 and establishes consumer rights to access, delete, and share "personal information" (PI) collected by businesses. The California Attorney General must adopt regulations to further the Act's goals and engage the public broadly in the rulemaking process. Initial proposed regulations were published on October 11, 2019; a 45-day comment period ended December 6, 2019. The first set of modifications to the proposed regulations was released February 10, 2020, with a 15-day comment period. This second set of modifications followed, responding to the approximately 100 comments received, clarifying text, and conforming the proposed regulations to existing law.

The deadline to submit comments is March 27, 2020 at 5:00 p.m. Comments may be sent by mail or email to:

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Email: PrivacyRegulations@doj.ca.gov
 
Modifications: Round Two

Guidance on definition of "personal information"

The proposed regulations center on the concept of consumers' "personal information." The first set of modifications introduced guidance on interpreting the statutory definition of PI that would have exempted IP addresses that a business collects but "does not link … to any particular consumer or household and could not reasonably link … with a particular consumer or household ….” (see former § 999.303). The newest modifications completely eliminate this guidance. Many commentators expressed concern about this potential exemption, particularly because the statute expressly defines “personal information” to include IP addresses (albeit with the qualifier that information is personal information only if it “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household...").[2] Cited concerns included:
 
  • IP addresses permit targeted advertising even if they cannot be tied to a single, identifiable person or household. Consumers should retain opt-out rights, regardless of whether “non-identifying” IP addresses are subject to access or deletion requests;
  • The guidance makes unclear whether other “unique personal identifiers” (such as cookies, beacons, and device identifiers) can also be exempt from the definition of PI under certain circumstances;
  • The guidance does not clarify what it means to “link” an IP address with a particular consumer or household; and
  • The ambiguity afforded by this provision could detract from predictable, uniform application of the law.

While this portion of the proposed regulations has been deleted, the definition of “personal information” still turns on whether information can be reasonably linked, directly or indirectly, with a particular consumer or household. Presumably, eliminating this express “guidance” will not foreclose an argument that IP addresses—and perhaps other “unique personal identifiers” as well—are not “personal information” in every instance.

Article 2. Notice to Consumers

§ 999.305 Notice at Collection of Personal Information

As a general rule, businesses that collect personal information must provide notice to consumers, at the point of collection (a “notice at collection” or “NAC”), describing the categories of PI to be collected and the purposes for which the PI will be used. The original proposed regulations provided an exemption for businesses that do not collect information directly from consumers; the first set of modifications limited this exemption to certain registered data brokers.

These most recent modifications expand the exemption to clarify that a business need not provide an NAC if it does not collect PI directly from the consumer or sell the consumer's PI. A business that collects employment-related information still must comply with notice requirements; however, the second modifications state that the NAC need not provide a link to the business's privacy policy.

*Please note, this employee-information provision becomes inoperative on January 1, 2021, unless the CCPA is amended.*

§ 999.306 Notice of Right to Opt-Out of Sale of Personal Information

The CCPA provides consumers the right to tell a business that sells their personal information to …. stop. This is known as the right to “opt-out,” and the regulations describe how a business must notify consumers of this right. The CCPA empowers the state Attorney General to develop rules and procedures for a “recognizable and uniform opt-out logo or button … to promote consumer awareness.”[3]

The original proposed regulations and first modifications described a design for the opt-out button/logo, usable in addition to (but not in place of) posting notice of the right to opt out. The new modifications eliminate the supplemental opt-out button/logo as designed, and do not propose an alternative. Commenters had expressed concern about the design, particularly that the “toggle switch” appearance might be misleading. A new design may be forthcoming. To be clear, businesses must still provide notice of opt-out rights: at this point, however, there is no proposed logo or button design to supplement posted notice.

[Image: the opt-out button/logo design from the original proposed regulations, now eliminated]

§ 999.308 Privacy Policy

The CCPA requires a business to provide consumers with a comprehensive description of its online and offline practices for collecting, using, disclosing, and selling personal information and of consumers’ rights regarding their PI. This is the business’s privacy policy.

The proposed regulations describe the required contents of the privacy policy. Among other things, a privacy policy must explain how the business will collect, disclose, and sell PI.
 
  • The original proposed regulations required the privacy policy to identify categories of PI collected in the last 12 months, and for each, the categories of sources from which the information was collected, the business or commercial purpose for the collection, and the categories of third persons with whom the business shares PI. They also required the privacy policy to state whether the business disclosed or sold PI to third parties for a business or commercial purpose in the last 12 months, and if so, to list the categories of PI.
  • The first modifications eliminated the requirement to provide the categories of sources from which PI was collected, the business or commercial purpose for collection, and the categories of third parties with whom PI was shared. However, they added a requirement to provide the categories of third parties to whom the business disclosed PI for a business purpose, or sold PI, in the last 12 months.
  • The most recent modifications reintroduce certain requirements from the original proposed regulations. The privacy notice must now identify the categories of PI collected in the past 12 months, and for each, the categories of sources from which the PI was collected and the business or commercial purpose for collecting or selling PI. The categories must be described in a way that provides consumers a "meaningful understanding of the information … collected."

*Please note, the collection of employment-related information, including for the purpose of administering employment benefits, is now considered a business purpose.*

Article 3. Business Practices for Handling Consumer Requests

§ 999.313. Responding to Requests to Know and Requests to Delete

The CCPA gives consumers the right to know the categories and specific pieces of PI a business has collected about them and to request that a business delete any PI the business has collected from them. The proposed regulations describe how a business must respond to a consumer's request to know or to delete PI.

The most recent modifications clarify that although a business may not disclose certain PI in response to a request to know,[4] it must inform the consumer "with sufficient particularity" that it has collected the type of information. For example, a business may not disclose an actual fingerprint scan in response to a request to know, but should inform the consumer that it collects “unique biometric data including a fingerprint scan.”[5]

The second modifications also change how a business must respond to a consumer's request to delete PI. The first modifications would have required a business that sells PI to ask the consumer, as part of the response to the request to delete, whether she wants to opt-out of the sale of her PI (if she had not already made an opt-out request). The most recent modifications narrow this: only a business that denies a consumer’s request to delete and that sells PI must ask the consumer whether she wants to opt-out of the sale of her PI (if she had not already made an opt-out request).

§ 999.314. Service Providers

The proposed regulations describe the circumstances under which a business’s service providers may retain, use, or disclose PI they obtain in the course of providing services. The most recent modifications amend one such set of circumstances. The first modifications allowed a service provider to retain, use, or disclose PI to "perform services specified in the written contract with the business that provided the personal information." The current modifications expand this to allow the service provider to retain, use, or disclose PI to "process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information …." They also add the specific requirement that the service provider's retention, use, or disclosure of PI be "in compliance with" the written services contract required by the CCPA.

Under the previous modifications, a service provider could use PI internally to build or improve the quality of its services, provided that the use did not include “building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” The current modifications eliminate the ambiguous term of “cleaning” and now allow a service provider to use PI internally if the use does not include “building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.”[6]

§ 999.317. Training; Record-Keeping

A knowledge qualifier now precedes the 10-million-consumer threshold that triggers metrics reporting. The current modifications state: “[a] business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes,” the personal information of 10 million or more consumers in a calendar year, must compile certain metrics and disclose them by July 1 of every calendar year.

Next Steps for Your Business

For the full text of the second set of modified regulations, click here.

The deadline for written comments is March 27, 2020. Ice Miller will continue to monitor the OAG’s actions on the CCPA as new developments arise.

Ice Miller has the professionals and experience to help clients develop cybersecurity and privacy programs that comply with the requirements of the CCPA. To speak to an attorney, please contact Kim Metzger or Tiffany Kim with our Data Security and Privacy Team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[2] Cal. Civ. Code § 1798.140(o)(1)
[3] Cal. Civ. Code § 1798.185(a)(4)(C)
[4] A business may not disclose a consumer’s Social Security number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.
[5] § 999.313(c)(4)
[6] § 999.314(c)(3)