PH Privacy

Proposed Rules: California Releases Much Anticipated Revisions to CCPA Regulations

February 19, 2020

Behnam Dayanim, Jacqueline Cooney and Daniel Julian

The California Attorney General has issued long-awaited modified proposed regulations (“Proposed Rules”) implementing the California Consumer Privacy Act of 2018 (“CCPA”) on February 7 and February 10, 2020, which contain a number of material modifications to the previously released October 2019 draft regulations. These are not yet final. They remain subject to a public comment period. The deadline to submit written comments on the Proposed Rules is February 25, 2020, at 5:00 pm (PST).
The Attorney General’s office helpfully has made available a redlined version of the Proposed Rules.  Here are some highlights.

1. Notices

The Proposed Rules provide additional clarity concerning the various CCPA notice requirements.

• Mobile App: The Proposed Rules provide that a business may satisfy the “notice at collection” requirement for mobile apps by allowing the business to alert consumers through a link to the notice (a) on the mobile apps’ download page, and (b) in the mobile app itself (accessible though the settings function).

• Just-In-Time: Newly introduced in the Proposed Rules is the “just-in-time” notice requirement for mobile apps, mandating that a business collecting personal information from a consumer via mobile device must provide ‘just-in-time” notice of the collection of any personal information “for a purpose that the consumer would not reasonably expect.”  It remains unclear whether full disclosures of all data points and purposes in the initial notice of collection provided to a consumer may appropriately set consumer expectations such that additional, subsequent, ‘just-in-time’ notices may not be required.

• Accessibility: A point of much debate in the prior draft regulations, the requirement that businesses make their CCPA notice accessible to consumers with disabilities receives welcome clarification in the Proposed Rules. To satisfy the new requirements businesses must ensure their notices are “reasonably accessible” by adhering to generally recognized industry standards for accessibility.  For online notices, the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide [Web] Consortium will be recognized as the standard. The Revised requirements for accessibility may impact the manner by which businesses format and present their notices, and should be reviewed carefully to ensure appropriate modifications are in place.

• Do-Not-Sell: The revised rules also provide guidance on the design, size and location of the “Do Not Sell My Personal Information” button that is required for businesses that “sell” personal information within the meaning of the statute.  The button must be similar in size to “other buttons on the business’s webpage,” and the “button” must be located to the left of the hyperlink containing the words “Do Not Sell my Personal Information” or Do Not Sell My Info.” The Proposed Rules also clarify that a business is prohibited from selling any personal information collected prior to providing the consumer notice of the right to Opt-Out, unless explicit affirmative authorization is obtained.

• Employment Notices: Although Assembly Bill 25 adopted a one-year moratorium excluding employees, contractors and job applicants from the scope of many of the CCPA’s requirements, businesses must still provide notice at collection to all such persons. The Proposed Rules clarify the requirements of employers by providing that (1) companies may maintain privacy notices specific to employees or applicants and separate from their general consumer facing privacy policy, and; (2) employment-related notices may be provided via “link’ or “paper copy” (i.e., via an online job application or as part of on-boarding paperwork, respectively). Additionally, employment-related notices need not include a Do Not Sell My Information section.

• Data Broker Requirements: The Proposed Rules state that companies registered with the Attorney General as data brokers need not provide notice at collection so long as the data broker ensures that its “California data broker registration informs consumers about how to submit Opt-Out requests.”

1. Consumer Requests

The Proposed Rules provide additional clarity in regard to the management of consumer requests for access, deletion and opt-out with respect to their personal information.

• Timing: The Proposed Rules clarify the timeframes for acknowledging and responding to consumer requests for access, deletion or opt-out. The rules clarify that the respective 10- and 15-day timeframes are business (not calendar) days. Conversely, the 45-day timeframe for responding to requests for access, or requesting an additional 45 day extension, are calculated as calendar days.

• Household Information: Addressing another point of consternation with the October 2019 draft regulations, the Proposed Rules clarify that if a household does not have a password-protected account with a business, then that business shall not comply with either a request for access or deletion unless all of the following criteria are met: (1) all consumers of the household jointly submit the request, (2) each consumer’s identity is verified, and (3) each consumer is verified as being a current member of the household. Where a household maintains a password protected account with the business, then “existing business practices” may be followed in processing the access request to the extent they are compliant with the Proposed Rules.

• Access

• Identity Verification: With an eye toward the risks of disclosing personal information, the Proposed Rules propose three significant changes concerning the management of access requests from consumers. First, the Proposed Rules direct a business to “deny a request to know… if it cannot verify the identity of the requestor.”  Second, the rules have expanded the list of types of data that companies may not disclose in response to a request to include “unique biometric data generated from measurements,” and “technical analysis of human characteristics.”  Finally, the Proposed Rules make clear that a business cannot require the consumer to “pay a fee” for identify verification.  In practice this mean that a business may not require a consumer to provide a “notarized affidavit” as part of the affidavit process unless the business will “compensate the consumer for the cost of the notarization.”

• Access Request Scope Change: The Proposed Rules appear to further limit the scope of access requests by carving out certain conditions under which a business is not required to search for personal information – namely, if: (1) the personal information is not maintained in a searchable or reasonably accessible format; (2) the personal information is maintained by the business for “legal and compliance” purposes only, (3) the business does not sell  or use the personal information for any commercial purposes, and (4) the business describes to the consumer the categories of records that could contain personal information that it did not search because it met the aforementioned conditions.

• Deletion

• Two-Step Deletion Requirement: The Proposed Rules no longer require a two-step confirmation process for processing deletion requests submitted by consumers; however, businesses still may choose to require such a process.

• Unverified Deletion: A business is no longer required to convert an unverified deletion request into a request for opt-out. In a shift from the 2019 draft regulations, the Proposed Rules require only that a business notify the consumer that the request for deletion has been denied, but that they may still exercise their right to opt-out.

• Record of Deletion: The Proposed Rules address an outstanding concerns of businesses by permitting the retention of a record of deletion requests made by consumes. The record of deletion is limited in scope and may be retained to ensure that “the consumer’s personal information remains deleted from the business’s records.”

1. Service Providers

• Scope of Permitted Actives: In addressing ambiguity concerning the scope of service providers’ permitted use of personal information provided by a business, the Proposed Rules entirely rewrite § 999.314(c) to outline a specific list of permitted uses, including:

• Performance of the services specified in the written contract with the business;

• allowing a service provider to subcontract and share personal information, for so long as the subcontractor adheres to the requirements for a service provider under the CCPA;

• for internal research and development, including the building or improvement of the quality of services provided;

• to detect security incidents, or protect against fraudulent or illegal activity; and

• compliance with regulatory requirements, requests from law enforcement, and to exercise or defend legal claims.

1. Financial Incentives

• Value of Consumer Data: The October 2019 draft regulations provided that where a business offers financial incentive for personal information, such as in a rewards program, it must be able to calculate a good-faith estimate of the value of the data. The Proposed Rules further clarify the Attorney General’s approach to the topic by maintaining that where a business is unable to “calculate a good-faith estimate of the value of the consumer’s data …, that business shall not offer the financial incentive.” Further, the Proposed Rules assuage some concerns from businesses with respect to the management of deletion requests from rewards members, by excluding data necessary for continued participation in the program from the deletion request for so long as the consumer “informs the business that they want to continue to participate in the loyalty program.”

1. Definitions

• Personal Identifiers: The Proposed Rules provide that the classification of information as “personal information” depends on whether the information is maintained in a manner allowing for the identification of a particular consumer or household. Notably, the Proposed Rules call attention to IP addresses as an example, explaining that where “a business collects the IP addresses of visitors to its website but does not link the IP addresses to particular consumers or households, and could not reasonably link the IP addresses to particular consumers or households, then the IP addresses would not be considered ‘personal information.’”