CCPA Whiplash – Second Modification of the Regulations Pulls Back Business-Friendly Revisions

The California Office of the Attorney General (OAG) released the second round of proposed modifications to the draft California Consumer Privacy Act (CCPA) regulations, published for public comment on Oct. 11, 2019. The Attorney General will accept written comments on the proposed changes released on March 11 no later than 5 p.m. on March 27 by email to PrivacyRegulations@doj.ca.gov, or by mail.   

Key Takeaways:

• While the first modification of the draft regulations appeared to be more measured, this second modification appears to respond to public advocate concerns that the OAG was too accommodating in softening of some business obligations.
• The guidance on interpreting the definition of personal information has been removed, suggesting that IP addresses alone may be considered personal information.
• The draft removes the requirement that consumers must affirmatively select browser-based opt-out signals. While the signal must communicate specifically that the user intends to opt-out of sale, browsers can now pre-select or default consumers to opt-out of sales.  

What changed? Highlights from the most noteworthy modifications in the updated draft regulations

Definitions

• Removes the Guidance on Personal Information. The first modification to the regulations, issued in February, underscored that information is only “personal information” when used to identify, relate to, describe, associate with or link—directly or indirectly—with a particular consumer or household. This revision specifically noted that information such as IP address does not automatically constitute personal information if the business does not associate that piece of data with a specific consumer or household.  This second modification to the regulations removes that language. That said, its addition in the first modification may suggest that the OAG does not view an IP address as personal information if it’s not tied to a specific consumer or household. Still, businesses no longer have the comfort of having that clarification in writing. 

Privacy Policies and Notices

• Updates to the granularity requirements. While the first modification of the regulations deleted the requirement that a company disclose by category the purposes for which data is collected, the sources of the data, and the third parties with which personal information is shared, this second modification clarifies that obligation. A policy must still disclose the categories of sources and purposes for which personal information will be used; however, those categories can be listed generally, rather than by category of personal information.
• Clarification for businesses that don’t collect personal information directly from consumers. This second modification of the regulations provides at least one helpful clarification: Businesses that don’t collect personal information from consumers do not have to give the notice at collection to consumers as long as they do not sell consumers’ personal information. Data brokers are still permitted to provide their notice via a privacy policy link included with their registration submission. This clarification appears to acknowledge that not every company that does not collect data directly from consumers is a data broker.

Do Not Sell

• The Proposed Opt-Out Button is Gone. The CCPA states that a business may voluntarily use an opt-out button in addition to, but not in place of, posting an opt-out-of-sale notice, and charges the OAG with proposing the button or logo. The proposed button in the second modified regulations was generally panned and is deleted in this second modification to the regulations.    

Right-to-Know Requests

• Additional clarifications on disclosures. The first modification of the regulations added “unique biometric data” to the list of personal information a business should not disclose in response to a right-to-know request. This second modification clarifies that the business should inform the consumer that it has collected this information, without providing the specific piece of data. As an example, “we collect fingerprint scans” would be a response to a right-to-know request, but the business would not disclose the actual fingerprints. The same principle applies to the disclosure of other sensitive information.

Deletion Requests 

• Clarification of the updates to the automatic opt-out. Under the initial version of the regulations, a business that is unable to verify a consumer’s identity for a deletion request is required to opt that consumer out of sale automatically. The first modification removed that automatic opt-out, allowing businesses to ask whether the consumer would like to opt out of sale. Now, under this second modification of the regulations, a business is required to ask consumers whether they would like to opt out of sale only if the consumers have not already opted-out. 

Service Providers

• Clarifications made to the flexible data uses. This second modification of the regulations provides some minor clarifications on the additional flexibility previously given to service providers under the February modifications. The previous changes clarified that a service provider could use personal information for internal purposes, as long as that information is not used to create profiles. Most notably, this version clarifies that a service provider is prohibited from creating profiles only if they are intended for use in providing services to another business.   

Requests to Opt Out of Sales

• Concessions made on browser signals rolled back. While the first modification of the regulations retained the requirement to honor browser-based signals, it required those signals to communicate the consumer’s intention to opt out of sale (rather than just sending a “do not track” signal). It required consumers to affirmatively select the choice to opt-out. This second modification removes the requirement for an affirmative selection, allowing browsers to preset an opt-out selection and default consumers to opt out of sales.  This change represents a significant loss for businesses that will have to comply with browser signals, as it takes away a hard-fought-for concession. 

Key Requirements That Were Clarified

In another helpful clarification, the second modification of the regulations adds a qualification to the reporting threshold. Now, a business that knows or reasonably should know that it collects the personal information of 10 million California residents per year (up from 4 million) is covered by the requirement to report on responses to consumer requests. This raising of the bar for reporting may be a concession to midsize businesses that were concerned that they might inadvertently or unknowingly cross the size threshold for this obligation. 

What’s Next?

The second modification of the regulations remains subject to a comment period. This may be the last chance to advocate for changes before the regulations are finalized. If you have any questions about the regulations or would like to discuss the submission of comments, please reach out to a member of Loeb’s Privacy team.