CCPA Update: Modified (But Not Yet Final) Regulations Released for Comment

The California Attorney General’s office released proposed modifications to the draft California Consumer Privacy Act (CCPA) regulations, which were initially published for public comment on Oct. 11, 2019. The Office of the Attorney General will accept written comments on the proposed changes released last Friday, Feb. 7 (with a minor adjustment again on Monday, Feb. 10), until 5 p.m. PST Monday, Feb. 25.    

Key Takeaways:

• The modifications appear to be more measured, walking back some of the more challenging obligations included in the original draft and addressing many of the concerns raised during the public comment period. 
• The modifications include clarifications to the definitions of household and personal information that will be helpful to companies that have been working through how to address the challenges created by the breadth of the definitions in the statute. 
• Some of the changes may require companies to revise and refine their CCPA compliance programs.  

What's changed?

Highlights from the most noteworthy modifications in the updated draft regulations.

Definitions

• Personal Information. The updated regulations underscore that information is only “personal information” when it is used to identify, relate to, describe, associate with or link, directly or indirectly, with a particular consumer or household. Information, such as IP address, does not automatically constitute personal information if the business does not associate that piece of data to a specific consumer or household.

• Household. The definition of household is narrowed. Household is now defined as a person or group of people who (1) reside at the same address; (2) share a common device or the same service provided by a business; and (3) are identified by the business as sharing the same group account or unique identifier. The previous definition was broader, covering everyone occupying a single dwelling.  Under the updated regulations, a business may decline an access or deletion request unless: 1) the family has a password-protected account with the business; or 2) the business can verify that each member of the household making the request is currently a member of the household.

Under the updated regulations, if a household making a deletion or access request does not have a password-protected account with the business, the business may decline the request if it can’t verify that each member of the household making the request is currently a member of the household. This new exception is in addition to existing exceptions, such as not needing to honor a household deletion or access request if the business can’t verify each household member. 

Privacy Policies and Notices

• Requirement for detailed descriptions. Descriptions of categories (e.g., sources, third parties) should be detailed enough to provide consumers with a meaningful understanding of who the parties are (rather than using vague descriptions like “business partners”). This may be a response to criticism that some privacy policies use such vague language that consumers can’t really understand.
• Granularity requirements have been pared back. The updated regulations require only that the notice at the point of collection includes the business purpose for which “the categories of personal information” will be used, suggesting that the notice no longer needs to separately describe the uses for each category individually. The updated regulations also deleted the requirements that “for each category of personal information collected,” a business must provide the categories of sources from which the information was collected.
• Requirement to disclose verification limitations. The updated regulations require a business that has determined that it has no reasonable method to verify consumers to explain that determination in its privacy policy. This obligation to explain why the business is unable to verify is new.

Deletion Requests 

• Automatic opt-out removed. In the initial version of the regulations, a business that was unable to verify a consumer’s identity for a deletion request would be required to automatically opt that consumer out of sale. Under the update, the opt-out is no longer automatic; instead, the business is required to ask whether the consumer would like to opt out of sale. 
• A business no longer needs to specify in its response to a consumer how the business deleted the personal information (e.g., deletion vs. deidentification vs. aggregation).

Right-to-Know Requests

• New exemptions for inaccessible information. In responding to a right-to-know request, a business is not required to search its records for personal information if each of the following criteria are met: (a) the business doesn’t keep the information in a reasonably accessible format; (b) the business keeps the information only for legal or compliance purposes; (c) the business does not sell the information or use it for any commercial purpose; and (d) the business tells the consumer the categories of records that may contain personal information but which weren’t searched because the information met each of the above criteria.
• No toll-free number required for online-only businesses. Giving effect to an amendment to the statute, the updated regulations specify that a business that operates exclusively online and has a direct relationship with the consumer is required to provide only an email address for submitting right-to-know requests (no toll-free number required).
• The updated regulations removed a provision explicitly prohibiting a business from providing specific pieces of personal information if the disclosure would create a substantial, articulable and unreasonable privacy risk to the consumer. But the updated regulations do provide that a business may avoid providing specific pieces of information due to a conflict with applicable law, or based on an exception to the CCPA, provided that the business informs the consumer and explains the basis for the denial.

Do Not Sell

• Obligations addressing future sales are removed. The updated regulations limit sales-related obligations (such as providing notice of sale and offering a sale opt-out method) to those businesses that currently sell personal information. The updated regulations remove obligations imposed on businesses that “may in the future sell” personal information, meaning that businesses do not need to preemptively begin collecting sale opt-out preferences before making the decision to sell personal information. A business that does not display a notice and opt-out for sales may not sell personal information collected without affirmative consent.

• A business may voluntarily use an opt-out button, in addition to but not in place of posting a sale opt-out notice. The Attorney General’s office also released its proposed opt-out logo, which can be used in addition to—but not in lieu of—the “do not sell my info” notice.

Service Providers

• More flexibility for data use. The updated regulations allow for service providers to use personal information from a business for the service provider’s own internal uses, including to build or improve the quality of its services, so long as that use doesn’t include building or modifying household or consumer profiles or cleaning or augmenting data acquired from another source. This expands a service provider’s ability to use a personal information for non-service provider purposes without triggering a sale, adding to the existing ability to use personal information to detect security incidents or protect against fraud or illegal activity.  

Third Parties and Data Brokers

• The updated regulations state that registered data brokers that don’t have a direct relationship with consumers don’t need to provide a privacy policy link on their site, as long as their California Attorney General data broker registration includes the link to their privacy policy, including instructions on how to opt out of the sale of personal information.  
• Requirement to obtain attestations or contact consumers has been removed. As long as the privacy policy linked in a data broker’s registration contains sale opt-out instructions, a third-party purchaser of data that does not collect directly from consumers no longer has to (1) contact consumers directly to provide privacy disclosures and the opt-out right, or (2) contact the sources of the personal information to obtain signed attestations from the sources describing how consumers were given notice that their personal information would be shared.

Loyalty Programs, Non-Discrimination

• The definition of “price or service difference” is narrowed to apply only to differences in price, rate or quality of goods and services that are related to the disclosure, deletion or sale of personal information. The previous definition was broader and applied to any price or service difference, even those unrelated to the disclosure, deletion or sale of personal information.
• Under the updated regulations, a business may deny a deletion request to any information that is necessary to maintain a consumer’s enrollment in a loyalty program, if the consumer has informed the business that he or she would like to remain in the program but otherwise have their personal information deleted.
• The updated regulations underscore that if a business is unable to calculate a good-faith estimate of the value of the consumer’s information or show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s information, the business cannot offer the financial incentive or price or service difference.

 Mobile Apps

• Just-in-time notice required for unexpected data collection. If an app collects information that the consumer would not reasonably expect, the business must provide a just-in-time notice of that collection (e.g., through a pop-up window) that briefly explains the collection and a link to the full privacy policy.
• The updated regulations clarify that privacy notices and the Do Not Sell option can be provided within the application, such as through the app’s settings menu.

Accessibility

• The updated draft regulations now require that any online notices and privacy policies be reasonably accessible to consumers with disabilities. The updated proposal requires that a business follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1, of June 5, 2018 (WCAG 2.1), from the World Wide Web Consortium. This is significant because most businesses that have taken steps to follow WCAG guidelines generally are more likely to be familiar with the preceding version, WCAG 2.0 of Dec. 11, 2008.

Key Requirements That Were Clarified

Despite significant objections, the requirement to honor privacy controls such as browser signals remains in the regulations. However, the new version states that any privacy control developed by a business to receive sale opt-out requests shall require that the consumer affirmatively select their choice (i.e., no pre-selected settings). This is a win for the industry concerned about pre-selected privacy options that would lead to widespread opt-outs. Businesses can also notify a consumer when their privacy controls conflict with the consumer’s business-specific privacy settings, and give the consumer the option to limit the opt-out.

What’s Next? 

These regulations are subject to change following the comment period. If you have any questions about the regulations or would like to discuss the submission of comments, please reach out to a member of Loeb’s Privacy team.