California Moves Closer to Final CCPA Regulations with Significant Update by the Attorney General
Businesses subject to the California Consumer Privacy Act (CCPA) have found themselves in an odd position with respect to their compliance efforts. The CCPA was effective on January 1, 2020 but enforcement will not begin until July 1, 2020. Much of the delay relates to the status of the required implementing regulations. Businesses have been using the draft regulations released by the California attorney general (AG) in October 2019. Last Friday, the California AG released a significant update to the regulations with a further update on Monday to the record-keeping requirements. The updated regulations are not yet final.
The California AG's office is taking comments until February 25 and will finalize the regulations sometime before July. Although businesses remain subject to a law that depends significantly on implementing regulations yet to be finalized, this revision does get us closer to the final compliance picture. These updates provide some significant clarity on a number of issues raised by individuals and businesses during the comment period.
One of the most challenging components of the CCPA is the breadth of the definition of personal information. That definition specifically includes IP addresses. This created a problem for many businesses as websites frequently use IP addresses but not in a manner that is necessarily tied to an individual. The new guidance included an important example that helps clarify when an IP address is personal information. "[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be 'personal information.’"
Another interesting clarification is in the definition of household. The CCPA is one of the only privacy laws that applies to both individuals and "households." The revised regulations clarify that a household is a group of people that reside at the same address and share a common device or the same service provided by a business and are identified by the business as sharing the same group account or other unique identifier. This is a significant improvement over the prior definition, which was simply defined as people or a group of people occupying a single dwelling.
The proposed regulation provides some additional guidance on Americans with Disabilities Act (ADA) website accessibility for the required CCPA privacy notices. It refers directly to version 2.1 of the Web Content Accessibility Guidelines (WCAG). It is interesting that the California AG chose version 2.1 as many businesses adhere to the older standard of 2.0 but are not yet compliant with 2.1. This could prove challenging for some businesses in getting to full compliance. Of course, we are still waiting to see website specific regulations promulgated under the ADA. Though unofficial, WCAG remains the best standard we have.
One of the most significant changes in the proposed regulations revolves around the contents of privacy notices. A struggle that many businesses have experienced in their privacy notice updates is whether to map to the 11 specific categories of personal information in the CCPA statute. Many businesses have taken the approach that regulators are likely to look favorably on a privacy notice that does use the specific categories. Others, concerned about length of the notice, have taken a more generalized approach with the idea that the specific categories could be referenced in a response to a consumer request to "know" the specific categories of information collected. While the revised regulations do not address this specifically, they do provide some relief on category detail. The prior version stated that the notice must provide "for each category of personal information the business or commercial purposes for which it will be used." This has been replaced with "the business or commercial purposes for which the categories of personal information will be used." In other words, there is no longer a requirement to describe use for each individual category. This means that privacy policies that are a bit more high level as to categories or group different categories together should be compliant under the revised regulations. The regulations also contain some helpful examples of categories of sources and third parties.
The new regulations do expand the requirements for privacy notices a bit, in that notices must appear on all webpages where personal information is collected. Businesses should make sure that any page that collects personal information has a link to the privacy notice somewhere. Mobile apps must include the privacy notice on the download page and within the app.
The initial proposed regulations limited use of personal information for any purpose other than as disclosed in the privacy notice. This is relaxed in the new version. The updated regulations prohibit use that is for a purpose materially different from the purpose disclosed in the privacy notice. It also makes clear that employers do not need to include an opt-out mechanism in their privacy policy for employees and job applicants.
The update includes a number of helpful changes on requests to know and delete. The timing for acknowledging the request is now 10 business days. Two methods for requests to know, including a toll-free number, are required unless the business operates exclusively online. Businesses that operate exclusively online need only provide an email address as opposed to an interactive web form for requests to know. Two request methods are required for requests to delete. Using email addresses for requests to know makes compliance a little easier because no website development is needed. However, we suggest that, if at all the possible, the business use an interactive web form that is on a secure web page as opposed to having consumers send personal information in requests through unencrypted email. This is because, aside from regulatory compliance, there is a private right of action relating to data breach that could be implicated by the methods chosen for exchanging information with consumers. Unauthorized access to personal information sent in a right to know request from a consumer to a business could potentially trigger a lawsuit.
Under the prior version, if a business could not verify a request for deletion, it was required to treat that as an
opt-out of the sale of personal information. The new version allows the business to ask the consumer if they wish to opt-out. It also removes the requirement to say that you "will not" sell information in the future if you do not include an opt-out. The business need only state that it does not sell personal information to third parties. The new regulations change the time requirement to act on opt-out request from 15 days to 15 business days and modify the requirements to notify third parties.
Another helpful update to the consumer request guidance relates to service providers processing on behalf of a business. If the service provider receives a request to know or delete, it can respond on behalf of the business that it cannot act on the request because it is a service provider. The service provider would, however, still need to comply with the request if it came from the business itself or if its agreement with the business required the service provider to take on this obligation. The new version also permits service providers to use personal information to improve their services with some limitations.
While the new version of these regulations should not require significant changes to existing CCPA privacy policies, it does provide clarity on some issues along with relaxing some of the regulations to help ease compliance concerns. Businesses and service providers will still need to review and implement any changes that come about in the final version of the regulations, which we will cover in a future client alert.