In advance of the January 1, 2020 effective date for the CCPA, the Attorney General published Proposed Regulations intended to explain and inform businesses in their compliance. The Proposed Regulations were originally published on October 11, 2019. After a period of public comment, the Attorney General released “Modified Regulations” on February 7, 2020, followed by a short addendum on February 10, 2020. These Modified Regulations, if finalized after the public comment period closes on February 24, 2020, will usher in a host of changes to the implementation of the CCPA.
We noted at least eight changes in the Modified Regulations that could immediately affect business operations:
- Clarification of “Personal Information”: The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition, however, the CCPA identifies specific categories of information, e.g., names, IP addresses, email addresses, geolocation data, social security numbers, and states that data within these categories will constitute personal information if they meet the test above. The Modified Regulations would clarify that these enumerated categories are not per se personal information. For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
- Big Wins for the Ad Services Industry: The clarification of what constitutes “personal information,” above, would confirm that sharing IP addresses and their associated browsing history with ad agencies for the purposes of ad retargeting would not constitute a sale of personal information to the extent such information could not reasonably be linked to a particular consumer or household. In addition, the Modified Regulations provide that service providers would be able to internally use personal information to “build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.”
- Website Accessibility Standards: All CCPA notices would have to meet industry accessibility standards on a level commensurate with the Web Content Accessibility Guidelines (WCAG), version 2.1 (e.g., text alternatives for all audio and video, full functionality of websites via keyboard, webforms accessible across multiple inputs, and user-friendly navigation capabilities). Some businesses may already be familiar with WCAG in the context of the Americans with Disabilities Act.
- New Requirements for Financial Incentive Programs: If a business offers financial incentives, price differences, or service differences in relation to the collection or use of a consumer’s data, the business would be required to provide a good-faith estimate of the value of the consumer’s data, and if the business cannot calculate a value or show how the data is reasonably related to the price/service difference, then it would not be allowed to provide a financial incentive.
- Respecting Consumers’ Global Privacy Settings: If a business collects personal information from consumers online, the business would have to comply with “global” privacy controls extrinsic to the business’s website (e.g., browser plugins, privacy settings, and even device settings), even if those settings conflict with the consumer’s existing profile on file with the business. However, global privacy controls must require the user to affirmatively opt out, and cannot come with a pre-selected setting (e.g., a default setting indicating that the user has opted out).
- Service Providers: Service providers would be able to act on behalf of the primary business in responding to requests to know and requests to delete. This should prompt principal businesses to re-evaluate the downstream duties of service providers included in their service agreements. For example, a principal business may prefer that its service provider refer all requests back to the business or specify the process to follow if the service provider receives a consumer request. In addition, the permissible uses of personal information collected by service providers are clarified by the Modified Regulations.
- Businesses Operating Exclusively Online: Businesses which operate exclusively online would no longer be required to provide a webform for submission of requests—email alone would be sufficient.
The Modified Regulations would also introduce a large number of additional changes which businesses should be aware of as the Modified Regulations progress through the ratification process. These changes, listed in a very abbreviated form below, may also still impact how most businesses operate:
- Businesses would not be required to search for information in response to a request to know when: (1) the business does not maintain the personal information in a searchable or reasonably accessible format; (2) the business maintains the personal information solely for legal or compliance purposes; (3) the business does not sell the personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
- The two-step process for verification of online requests would become optional and could be done in one step.
- The timeline for confirmation of receipt of requests to know or requests to delete would be changed from 10 days to 10 business days, but the timeline for responding to requests would remain the same (45 calendar days).
- Responding to requests to access or delete household information would have to meet four criteria, including the verification of each individual member of the household.
- “Household” would be completely redefined from “person or group of people occupying a single dwelling” to be defined as a person or group of people who: (1) reside at the same address; (2) share a common device or the same service provided by a business; and (3) are identified by the business as sharing the same group account or unique identifier.
- If a business requires notarized affidavits or declarations (e.g., for verifying requests submitted by non-accountholders), the business would be required to compensate the requestor for the associated cost of notarization.
- To the extent not already clear, there would be a January 1, 2021 sunset provision for notice requirements applicable to employment-related information, and such notices would be required when collecting personal information from employees or applicants.
Because these Proposed Modified Regulations may or may not take effect following the public comment period, stay tuned for future articles. Buchanan’s Cybersecurity team is committed to closely monitoring changes to the CCPA and will continue to provide you with information regarding the most recent developments. Staying apprised of CCPA developments will help your business effectively navigate California’s ever-evolving privacy law landscape.