On February 7, 2020,* the California Attorney General issued modifications to his proposed regulations. While many of the modifications are minor, some of them are major and will have a serious impact.
The Attorney General’s office will take comments on the proposed modifications until February 25. After the comment period closes, the AG will send the proposed regulations and its full record of the rulemaking process to California’s Office of Administrative Law (OAL), which has thirty days to approve or disapprove of it. If the process passes OAL review, the regulations will be sent to the Secretary of State for signature.
We will review some of the major changes in this piece. You can click here to see the full redlined text of the proposed modifications.
The most anticipated update to the proposed regulation is the opt-out button.
The CCPA calls on the Attorney General’s office to establish rules for the development and use of a uniform opt-out of sale button for businesses to use on their websites. (Cal. Civ. Code § 1798.185(4)(C)). We now have the AG’s proposal for what that opt-out button should look like — essentially a red background with a white button next to an ‘X’ that appears to the left of text that either reads “Do Not Sell My Personal Information” or “Do Not Sell My Info.” See Proposed Regulation §999.306(f.)
The AG’s proposal also clarifies that companies do not need this button if they clearly state in their privacy notice that they do not sell information. Companies that sell personal information need to state in their notice and they need this button on their websites.
Definition of Personal Information
Companies begged for a change to the expansive definition of Personal Information (PI) under the CCPA, and it looks like the AG listened. The text of the CCPA gives the following definition of PI:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following . . . [i]dentifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
In the new modified proposed regulation, the AG puts nuance on whether an IP address qualifies as personal information in a section titled “Guidance Regarding the Interpretation of CCPA Definitions.” The proposal limits PI based on whether the business maintains the information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The IP address is then used for the explanatory example. The proposal states:
For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
This is an important nuance. It shifts the focus of the definition to the manner of information maintenance–an organization that maintains information in a way that could not connect the UP address to a consumer or household would not have to treat that IP address as PI. If adopted, this nuance could significantly change the way the CCPA is interpreted.
A surprising change in the modified proposed regulations is the new requirement for “just-in-time” notices. Previously, businesses were generally taking the approach that, if they had their privacy notice posted on every webpage, they had met the CCPA requirement.
The text of the statute states that “[a] business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” 1798.100(b).
However, the modified proposed regulation states that notice should be readily available “where consumers will encounter it at or before the point of collection.” In its illustrative examples, the proposal states: When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.
For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.
This guidance begins to resemble a GDPR-type approach to notice. Last year, the Spanish soccer league (La Liga) was caught violating the GDPR’s transparency provisions when it turned on its app users’ microphones remotely during soccer matches. La Liga listened in to identify locations where they could hear the games being watched, and it used that information to sue bars for pirating the games. In that type of situation, the new CCPA guidance would suggest that a company would have to have a just-in-time popup notice (likely when the user opened the app) that informed users that their microphones would be remotely accessed and the purpose for the access.
Notice and “Categories”
The AG has expanded the statutory text’s description of “categories of sources.” Under the CCPA, covered companies have to disclose the categories of sources from which they collected personal information upon receipt of a right to know request from a consumer. Under the modified proposal, “categories of sources” means “types or groupings of persons or of entities from which a business collects personal information about consumers, described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity.” The important change here is the language requiring a particularized description. The AG provided examples, including directly from the consumer and from advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
The CCPA also has special requirements regarding “categories of third parties.”
In responding to requests to know, covered business must disclose the categories of third parties to whom a consumer’s information was sold or disclosed for business purposes. The new moridifcation explains that categories of third parties “means types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party.” As with the categories of sources, the AG gives illustrative examples including: advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
Categories of third parties and sources are even more important in the proposed regulation than in the CCPA text because the AG makes them an integral part of the notice requirements (this change was initially made in the original proposed regs but has been further clarified under the modified version).
Under the modified proposal, privacy notices must not only identify the categories of consumer personal information collected in the preceding 12 months but also describe the categories in a manner that provides consumers a meaningful understanding of the information being collected. Furthermore, the AG’s proposed regulation instructs covered businesses to use their privacy notices to identify the categories of personal information they have sold or disclosed for business or commercial purposes in the preceding 12 months and the categories of third parties to whom each category of PI was sold or disclosed.
The AG has given the first direct, clear guidance on how accessibility requirements will be judged. In the new proposed regulation, he directs covered business to look to the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium to determine whether their notices meet accessibility requirements.
New Exemption for Right to Know Requests
Business will also be pleased by a new exemption that AG’s proposal build into Right to Know requests. The AG’s proposal states that businesses are not required to search for personal information in their systems if all of the following conditions are met:
- The business does not maintain the personal information in a searchable or reasonably accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
The AG also expanded the list of information that businesses should never disclose in responding to Right to Know requests. That list now includes: a consumer’s Social Security number, driver’s license number or other government issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.
These are only some of the the changes the AG has made in the modified proposed regulation. Other modifications relate to deletion requests (if a business cannot verify the identity of a consumer making a request to delete their information, the new proposal requires the company to ask the consumer if they would like to opt out of sale and include either the contents of or a link to the opt-out notice); service providers (if a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider); and authorized agents (requirements companies can impose are outlined).
We encourage covered businesses to review the modifications in-depth. The practical aspects of CCPA compliance are heavily impacted by the proposed regulation. If you want to submit a comment to the AG, you need to do so by February 24th. You can submit a comment by email to PrivacyRegulations@doj.ca.gov.
*Due to an error that omitted a change to § 999.317(g), the AG re-sent the modification notification on February10, 2020.