California AG Modifies Proposed CCPA Regulations

March 6, 2020

The California Attorney General’s Office has modified the draft California Consumer Privacy Act (“CCPA”) regulations that were initially proposed in October 2019. Among other things, the most recent version[1] of the proposed regulations reinforces notice obligations, adds online accessibility requirements, expands service providers’ allowable uses of personal information, relaxes data broker obligations, and provides clarity in responding to consumer rights requests. Nevertheless, the modifications leave certain questions unanswered while raising others, such as the meaning of “doing business” in the state and whether data can evade protection under the statute depending on how it is maintained. 

The following is a summary of the most impactful revisions:

  • Interpretation of Personal Information (“PI”): The draft emphasizes that information does not constitute PI simply by falling under one or more “categories” of PI enumerated in the statute. Rather, it must be maintained in a manner whereby it is reasonably capable of association with a consumer or household.
  • Accessibility Requirements: Notices and privacy policies must be reasonably accessible to consumers with disabilities. Online documents must follow “generally recognized industry standards,” such as the Web Content Accessibility Guidelines (“WCAG”) 2.1.
  • “Material” Qualifiers: Businesses may use PI for purposes other than those disclosed in the notice of collection if the undisclosed purposes are not materially different from those disclosed. Businesses need only disclose the material terms of a financial incentive or price or service difference.
  • Data Broker and Service Provider Requirements: Data brokers that registered with the AG do not need to provide a notice of collection if the registration includes a link to the entities’ online privacy policy, which must provide instructions on opting out of the sale of PI. Businesses that collect PI directly from consumers on behalf of another business may qualify as service providers. Service providers may retain, use, and disclose PI internally to improve service quality. The draft regulations also describe a service provider’s obligations if it receives rights requests.
  • Visualization of ‘Do Not Sell’ Button: Businesses are not required to use the opt-out button. Businesses choosing to use the button cannot use it in lieu of the opt-out notice. If businesses do use the button, its form and placement must be as illustrated and described in the draft regulations.
  • Privacy Policy Content: Policies do not need to identify the source of PI or the purpose of collecting PI. However, the policy must identify the categories of third parties to whom PI was disclosed or sold. Policies must also include instructions on how a consumer can designate an agent to exercise consumer rights.
  • Guidance on Consumer Rights Requests: Businesses operating exclusively online and having a direct relationship with consumers need only provide an email address for receiving consumer requests to know. There is a simplified process for online requests to delete, communications concerning remedies of faulty requests, and “consideration” of a business’ primary method of consumer interaction when developing methods to submit certain rights requests. The draft regulations clarify the amount of time businesses have to respond to requests, expand on the type of information that must be communicated in a response, and provide guidance on when a right to know request does not require businesses to search for information.
  • Right to Opt-Out: Businesses are relieved from the obligation to treat deletion requests as do-not-sell requests; however, upon receipt of a deletion request, businesses selling PI must ask consumers if they would like to opt out of the sale of their information and provide notice of the right. Consumers are able to opt out of the sale of all PI or the sale of their PI for certain uses. User-enabled web privacy settings must be honored, despite a conflict with “existing business-specific privacy setting” or participation in a financial incentive program, though businesses may request confirmation from the consumer.
  • Additional Record-Keeping Obligations: There is a threshold number of consumers whose information is bought, sold, received for a commercial purpose, or shared for a commercial purpose in any given calendar year that triggers additional record-keeping obligations. That number changed from 4 million to 10 million.
  • Value of Consumer Data: The calculation of value may consider the value of all data, including data of individuals who are not California residents.

The CCPA went into effect on January 1, 2020, but enforcement is delayed until the adoption of final regulations, or July 1, 2020, whichever comes first.



[1] The AG’s Office issued two consecutive versions of the proposed modifications. The initial release on February 7, 2020 inadvertently omitted substantive revisions. The AG’s Office issued a corrected version several days later.

This Data Security & Privacy Alert is intended to keep readers current on developments in the law. It is not intended to be legal advice. If you have any questions, please contact co-authors: Sandy B. Garfinkel, Chair of Eckert Seamans’ Data Security & Privacy Group at 412.566.6868 or sgarfinkel@eckertseamans.com; or Stephenie G. Anderson Scialabba at 412.566.1925 or sscialabba@eckertseamans.com.
