Countdown to CCPA – Do the California Attorney General’s [REVISED] Regulations Affect Your Company’s Compliance?
On February 7, 2020, the California Office of the Attorney General (OAG) released modified regulations of its California Consumer Privacy Act (CCPA). The updated regulations reflect feedback received during a 45-day comment period that ended in December.
For those who are following along with our “Countdown to CCPA” client alerts,[1] we produced a detailed summary of the original proposed regulations here. In similar form, below is a detailed summary of the most notable revisions from the modified regulations.
Definitions
The term “household” is now limited to people who not only (1) reside at the same address, but also (2) share a common device or service provided by a business and (3) are identified by the business as sharing the same group account or unique identifier.
[2] The modifications also elaborated on “categories of sources” and “categories of third parties” by providing examples and requiring that each category must be “described with enough particularity to provide consumers with a meaningful understanding of the type of [person, entity or third party.]”[3]
Additionally, the modifications reinforce that whether information constitutes “personal information” depends on how the business maintains the information. For example, if an IP address of a visitor to a website is collected, but that IP address is not and could not reasonably be linked to any consumer or household, then the IP address would not constitute “personal information.”
Article 2. Notice to Consumers
§ 999.305 Notice at Collection of Personal Information
Mobile: Where a business collects personal information through a mobile application (app), it may provide a link to the notice on the app’s download page and within the app, such as through the app’s settings menu. If the mobile app, or mobile device, collects personal information “for a purpose that the consumer would not reasonably expect,” then the business must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice. A just-in-time notice could be a pop-up window that appears when the consumer opens the app. A “not reasonably expected” example would be a mobile flashlight app collecting geolocation information.
Employee Notice: Businesses collecting employee-related information must comply with notice requirements. There are, however, two exceptions: (1) employee privacy notices do not need to include links to the “Do Not Sell My Info” button; and (2) the notice at collection may include a link to, or paper copy of, a privacy policy specific to employees, contractors or job applicants in lieu of the business’s privacy policy for consumers.
*Please note, this employee-information provision becomes inoperative on January 1, 2021, unless the CCPA is amended.*
Data Brokers: The modifications no longer require a data broker to contact the consumer directly to provide notice and an opt-out, nor to contact the source of the personal information to confirm notice at collection and obtain signed attestations. If a data broker is properly registered with the Attorney General and that registration includes a link to its online privacy policy that provides instructions on how consumers can exercise their right to opt out, then it does not need to provide notice at collection.
§ 999.306 Notice of Right to Opt-Out of Sale of Personal Information
A business does not need to provide notice of right to opt-out if it (1) does not sell personal information and (2) states in its privacy policy that it does not sell personal information.
Affirmative Authorization: If a business did not have a notice of right to opt-out posted and it collected personal information during that time, it can sell that personal information only if it obtains affirmative authorization from the consumer.
The Opt-Out Button: When the opt-out button is used, it must appear to the left of the “Do Not Sell My Info” link. The modified regulations provide an illustration below:
Additionally, ensure the button is the same size as other buttons on your business webpage. Remember the opt-out button must appear in addition to posting the notice of right to opt-out, and it must link to a webpage or online location containing the notice of right to opt-out.
§ 999.307 Notice of Financial Incentive
Businesses that do not offer a financial incentive or price or service difference related to the disclosure, deletion or sale of personal information are not required to provide a notice of financial incentive.
§ 999.308 Privacy Policy
Right to Know: There is no longer a “list” requirement for the categories of personal information the business collected about consumers in the preceding 12 months coupled with the source, purpose and third-party transfers. Now, businesses simply need to identify the categories of personal information collected and the categories of personal information that have been disclosed for a business purpose or sold to third parties in the preceding 12 months accompanied by the categories of third parties to whom the information was disclosed or sold.
*Please note, the collection of employment-related information, including for the purpose of administering employment benefits, is now considered a business purpose.*
Right to Opt-Out: Within the privacy policy, businesses must state whether they sell personal information, and if so, link to or provide the contents of the notice of right to opt-out.
Article 3. Business Practices for Handling Consumer Requests
§ 999.312. Methods for Submitting Requests to Know and Requests to Delete
Businesses that operate exclusively online and have direct relationships with consumers are no longer required to provide two methods for submitting requests; only an email address for submitting a request to know is required.
§ 999.313. Responding to Requests to Know and Requests to Delete
The modifications clarified that businesses must confirm receipt of a request to know or request to delete within 10 business days and provide information about how the business will respond to the request. However, the 45-day period to respond remains as calendar days, beginning on the day the business receives the request, regardless of the time needed to verify the consumer. Additionally, if the business cannot verify the request within the 45-calendar-day period, the request must be denied.
Responding to Requests to Know: A business is not required to search for personal information if all of the following conditions are satisfied: (1) the personal information is not in a searchable or reasonably accessible format; (2) the personal information is maintained solely for legal or compliance purposes; (3) the business does not sell personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search because conditions (1) - (3) were met.
The modifications add a consumer’s unique biometric data to the list of sensitive information businesses must never disclose in response to a request to know.
Responding to Requests to Delete: A business is no longer required to specify the manner in which it has deleted the personal information of a requesting consumer.
Where a deletion request is unverifiable, businesses no longer need to treat it as an opt-out of sale, but instead are permitted to ask consumers if they would like to opt out of the sale of their personal information.
§ 999.314. Service Providers
Under the modifications, a service provider is able to use a business’s personal information internally to build or improve the quality of its services, provided the use does not include “building or modifying household or consumer profiles or cleaning or augmenting data acquired from another source.” Unfortunately, the modified regulations fail to define these terms so their meaning is unclear.
When a service provider receives a consumer request, it must either act on behalf of the business or inform the consumer it cannot process the request because it is a service provider.
§ 999.315. Requests to Opt-Out
The modifications add a requirement that the method for submitting requests to opt-out must be easy to execute and require minimal steps. Businesses must never implement a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.
Businesses have 15 business days to comply with a request to opt-out. The modifications eliminated the need for businesses to notify third parties to whom they have sold personal information within the 90 days prior to the receipt of the consumer’s request. Now, if a business sells personal information, it must notify the third parties only if it sold a consumer’s personal information after the consumer opted out but before it complied with that request.
Essentially, if you sell the consumer’s personal information within the 15-business-day processing period, then you must notify the third party that the consumer has exercised his or her right to opt out, and the third party must not sell that consumer’s information.
§ 999.317. Training; Record-Keeping
Now, businesses that buy, sell or use for commercial purposes the personal information of 10 million or more consumers within a single calendar year must compile certain metrics and disclose them by July 1 of every calendar year. By raising the threshold from 4 million to 10 million, the revised regulation should reduce the scope of reporting obligations and allow more flexibility.
The modifications further mandate that businesses must implement and maintain reasonable security procedures and practices in maintaining records of consumer requests and how the business responded to said requests.
Article 4. Verification of Requests
The modifications clarify that businesses cannot require consumers to pay a fee for the verification of their request to know or request to delete, which includes requiring consumers to submit a notarized affidavit to verify their identity. If the business wishes to implement such a mechanism, it will have to compensate the consumers for the cost of notarization.
The examples provided in the regulations have been revised to eliminate the use of credit card numbers for verification. Instead, businesses (retailers) should use a transaction amount or item purchased.
Article 6. Non-Discrimination
A business may offer a financial incentive or price or service difference only if it is able to calculate a good-faith estimate of the value of the consumer’s data or can show the financial incentive or price or service difference is reasonably related to the value of the consumer’s data.
The modifications also provide additional illustrative scenarios of these requirements and what constitutes discriminatory or acceptable methods.
Next Steps for Your Business
For the full text of the redlined regulations, click here.
The deadline for written comments has been extended to February 25, 2020. Ice Miller will continue to monitor the OAG’s actions on the CCPA as new developments arise.
Ice Miller has the professionals and experience to help clients develop cybersecurity and privacy programs that comply with the requirements of the CCPA. To speak to an attorney, please contact Nick Merker or Tiffany Kim. Nick Merker is a partner and chair of Ice Miller’s Data Security and Privacy Practice Team. Tiffany Kim is an associate on Ice Miller’s Data Security and Privacy Practice Team.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.