Client Alert: California Attorney General Releases Modified CCPA Draft Regulations
On February 7, 2020, California Attorney General Xavier Becerra released proposed modifications (the Modifications) to the previously-released draft regulations implementing the California Consumer Privacy Act (CCPA). The deadline to submit written comments to the proposed Modifications is February 24, 2020.
Contrary to initial suggestions from the Attorney General, the newly-released Modifications add numerous changes to the initial draft regulations. The Attorney General will begin enforcing the CCPA on July 1, 2020.
The Modifications include the following notable changes and clarifications:
The Definition of “Personal Information” and “Household”
Under the Modifications, whether data is considered “personal information” will now depend on how a business maintains that information. For instance, even if certain data collected (e.g., IP address) may technically satisfy the CCPA’s definition of “personal information,” if the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be “personal information.”
The Modifications also clarify that a “household” means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier.
The Relationship Between Loyalty Programs and the Right Not to Be Discriminated Against
When the CCPA first passed, a concern of companies offering loyalty programs was that honoring a deletion request could be considered discriminatory because the consumer would no longer have access to the loyalty program’s benefits once the information was deleted. However, the Modifications suggest that if a consumer requests deletion but informs the business that he or she would like to remain in a loyalty program, the business may deny the deletion request as to the information necessary for participation in the loyalty program.
Service Providers Use of Personal Information Provided By or Obtained on Behalf of a Business
The Modifications state that a service provider may use a business’s personal information to build or improve the quality of the service provider’s services, so long as the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. This represents a substantial change from the initial draft regulations and could lessen the challenge of establishing your business’s vendors as service providers–a key component in simplifying compliance under the CCPA.
Notice Provided By Third Parties
Third parties that purchase personal information are no longer required to contact the consumer directly to provide notice and an opt-out, or to contact the source and confirm that the source provided the required notice.
Privacy Policy Requirements
The Modifications have added new components which must be disclosed in a business’s privacy policy. For instance, the Modifications require disclosure of the categories of personal information the business sold in the preceding 12 months and, for each category, the categories of third parties to whom they sold it. The Modifications also provide clarity for privacy policy compliance where a business collects personal information from a mobile application.
Responses to Individual Rights Requests
The Modifications add several clarifications surrounding how a business can respond to a consumer request:
- Access Requests: The Modifications provide for more flexibility in responding to right to know requests by specifying that a business is not required to search for personal information in response to a request if the business does not maintain the personal information in a searchable format and other conditions are met.
- Deletion Requests: Businesses are not required to engage in a two-step confirmation process to confirm that a consumer making a request for deletion actually wants his or her information deleted. However, businesses do not need to specify the manner in which Personal Information has been deleted. The Modifications also include new requirements which must be followed in denying a deletion request.
- Household Rights Requests: The Modifications include a roadmap on how to appropriately deal with requests made on behalf of a household. For instance, the Modifications explain how to respond to a household request where the request is made by a minor under the age of 13.
- Opt-out Requests: The Modifications clarify that businesses will not need to notify third parties to whom they sold the consumers data within 90 days. Rather, this obligation is limited to circumstances when the business sold personal information to third parties between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business shall direct the third party purchasers not to further sell the data.
Do Not Sell Button
The Modifications provide additional information about the voluntary use of an opt-out button. When the opt-out button is used, it should be the same size as other buttons on the webpage.
Website Accessibility
The Modifications incorporate the Web Content Accessibility Guidelines version 2.1 of June 5, 2018, from the World Wide Web Consortium (WCAG) for website accessibility compliance.
For assistance updating your privacy policy or for questions regarding the Modifications, the CCPA, or privacy laws in general, please contact John Landolfi, Christopher Ingram, Sarah Boudouris, Chris LaRocco, or your Vorys attorney.