Proposed Modifications to CCPA Regulations—Top Takeaways

by Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Javier Alvarez-Oviedo, Jeremy C. Beutler, H Jacqueline Brehmer, Christopher S. Ford, and Kate Saba

On Friday evening, February 7, the California Attorney General released a new round of proposed changes to the draft regulations implementing the California Consumer Privacy Act. Here are some thoughts to help guide interested parties through the AG’s dense 32-page release, which redlines the proposed modifications against the prior draft regulations:

Guidance on “Personal Information”

The draft proposes to clarify the definition of “personal information,” which turns on whether the information can be associated or linked with a particular consumer or household. It then provides an example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”

This example seems to respond to business concerns about the breadth of the CCPA’s definition of personal information. Rather than turning on whether particular information could be linked to a particular person or household, the test would subject businesses collecting data to the CCPA only if they actually make that link or reasonably could do so. Sticking with the AG’s example: IP addresses are, on their face, just number strings. Linking them to a particular consumer or household is not necessarily easy, absent other information in the possession of the business, and could require a subpoena to an Internet service provider. Time will tell how the CCPA will be applied in practice—but it appears that wide swaths of data that are facially anonymous on their own and could not be associated with an individual by a business could be outside the coverage of the CCPA.

Notice at the Point of Collection

The proposed modification provides some additional clarity on how a business should make its notice reasonably accessible. Specifically, for the online collection of personal information, a business should post a link to the notice both on its introductory webpage and on all webpages where personal information is collected. Additionally, a business that uses mobile applications to collect information should include a link to the notice on the mobile application’s download page and within the application in a location like the settings menu.

Privacy Policy

Many covered entities published updated privacy policies on or about the CCPA’s January 1, 2020 effective date. For some, at least, further updating may now be in order:

  • The proposed modified regulations state for the first time that privacy policies (in addition to any other notices at the point of collection) must identify the categories of personal information disclosed for business purposes or sold to a third party, as well as the categories of third parties receiving the information. This proposal may require a business that maintains a notice separate from its privacy policy to revise its privacy policy to include this information.
  • To the extent that a business does not have a reasonable method for verifying the identity of consumers making requests to know, delete, or opt out, the business must explain in its privacy policy why this is the case.

Requests to Know or Delete

The proposal would modify in several key ways the guidelines for submitting and responding to requests to know or delete personal information:

  • Online-only companies that have a direct relationship with consumers need to provide only an email address for the receipt of such requests.
  • Businesses that interact with consumers in person may consider providing various in-person, print, electronic, or telephonic methods for submitting such requests.
  • Businesses must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days. Businesses can provide confirmation in the same manner in which they receive a request. This means that if a consumer makes a request over the phone, the business can confirm receipt during that same phone call. Businesses will not be required to use a two-step process for confirming online requests to delete, and instead can decide whether it is practical to do so.
  • In responding to a verified request to know, the business must provide, for the 12 months preceding the request: (1) the categories of information collected and the sources of that information; (2) the business or commercial purpose for collection; (3) the categories of personal information sold and the categories of third parties buying the information; and (4) the categories of information disclosed for business purposes and the recipients of the information.
  • When a consumer requests deletion but has not opted out of the sale of data, the business is required to ask the consumer if she would like to opt out.

Requests to Opt-Out

The proposed regulations would address for the first time the impact of user-enabled global privacy controls, “such as a browser plugin or privacy setting, device setting, or other mechanism,” as a means of managing consumer opt-outs. A CCPA-compliant privacy control “shall clearly communicate or signal that a consumer intends to opt-out.” When there is a conflict between the privacy control and a business’s financial incentive program, the business shall respect the global privacy control, but may notify the consumer of the conflict.

Service Providers

The proposed modifications would alleviate some of the pressure on the negotiation or renegotiation of service provider agreements by permitting certain types of service provider uses of personal information and by imposing on service providers certain obligations related to consumer requests. The proposed regulation:

  • Allows service providers to retain, use, or disclose personal information in limited circumstances, including for performing services pursuant to a written contract; detecting security incidents, fraud, or other kinds of illegal activity; and notably, improving the quality of their own services. Service providers’ form agreements often contain provisions allowing for these types of uses. Covered entities can now be more comfortable in letting those provisions stand.
  • Clarifies that these uses will not trigger CCPA obligations related to the sale of personal information and, as a result, affords businesses some additional leeway in working with larger vendors, like cloud service providers, that may be unwilling to alter common provisions of their service agreements.
  • Prohibits service providers from selling data on behalf of a business.
  • Imposes obligations on service providers, requiring that they act on or notify the business of a consumer request to delete personal information.

Do Not Sell Button

The draft provides the long-awaited visual examples of what compliant “Do Not Sell” buttons might look like on a homepage.

Reporting

Organizations that buy, sell, receive for business or commercial purposes, or share for commercial purposes the personal information of 10 million or more consumers must disclose certain metrics relating to these practices. The disclosure must be made by July 1 each year, and posted on the company’s website or be linked to in the company’s privacy policy.

Verification

When handling requests to know or delete the personal information of a minor under 13 years old, covered entities “must establish, document, and comply with a reasonable method” to validate the parent or guardian’s identity. This is consistent with parental verification requirements under the federal Children’s Online Privacy Protection Act. Where a household does not have a password-protected account with a business, the business is prohibited from complying with household-wide requests for personal information unless household-wide verification standards are met.

Discriminatory Practices

Although the CCPA prohibits discriminating against a customer who takes advantage of rights under the CCPA, the proposed modification to the regulations would allow businesses to offer a financial incentive or a price or service difference to the consumer if “reasonably related to the value of the consumer’s data.” Denial of a request to know, delete, or opt-out is not discriminatory if it is directly linked to the financial incentive, such as providing coupons based on spending amounts via email. The modifications provide illustrative examples of both permitted and prohibited practices.

Accessibility

It was clear from the prior draft regs that CCPA-compliant notices must be accessible to the disabled. The modifications propose to add “reasonably” before “accessible,” and state that “generally recognized industry standards” of accessibility must be followed—noting as an example the Web Content Accessibility Guidelines of the World Wide Web Consortium. Compliance with those guidelines would appear to provide a safe harbor for compliance with the disability access requirements of the CCPA.

Information Collected from Employees and Applicants

The modified regulations helpfully provide that when information is collected from employees there is no need to include a “Do Not Sell My Personal Information” link and that the required notice may include a link to, or a paper copy of, a business’s privacy policies for applicants or employees rather than a link to the consumer privacy policy.

What Next?

For compliance planning purposes, covered businesses may well find it prudent to treat this proposed modification draft of the regs as if it were final. A reasonable guess is that the final regulations will be issued fairly soon and will look like the February 7 draft. The California AG’s office seems to be on a fast track; the comment period for these latest changes is quite short. Comments are due by 5:00 P.M. PST on February 24, 2020, via email to privacyregulations@doj.ca.gov, or by postal mail to:

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, and Jim Pastore are partners, and Javier Alvarez-Oviedo, Jeremy C. Beutler, H Jacqueline Brehmer, Christopher S. Ford, and Kate Saba are associates, at Debevoise & Plimpton LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.