Updated Proposed Rules: California Attorney General Releases Revised Set of CCPA Regulations
By Behnam Dayanim, Jacqueline Cooney, and Daniel Julian
The California Attorney General issued a second set of updates to the Proposed Rules implementing the California Consumer Privacy Act of 2018 (“CCPA”) on March 11, 2020. This latest draft incorporates some of the updates from the
The Attorney General’s office helpfully has made available a
Privacy Notice Requirements: The updated Proposed Rules provide additional guidance concerning the disclosures required by a business’ online privacy notice. A business must identify “the categories of sources from which the personal information is collected” as well as “the business or commercial purpose for collecting or selling personal information.”
Knowledge of Minors: The updated Proposed Rules require businesses that have actual knowledge of their collection of the personal information of minors under 16 years of age to provide additional disclosures in their privacy notices.
Notice at Collection: In clarifying an omission from the previously released draft, the updated Proposed Rules now state that a “business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
Employment Notices: A business collecting employment-related information is not required to provide a link to any privacy policies (either online privacy policies or employee privacy policies).
Notice of Opt-Out of Sale of Personal Information Logo: The standardized logo for managing opt-out requests for the sale of personal information, introduced in the February Proposed Rules, has been removed.
Access Requests: The expanded list of categories of information that may not be disclosed in response to an access request, including Social Security Number, government IDs, financial account information, and biometric information, remains in place. However, businesses are now required to inform the consumer with sufficient particularity of the types of information collected. As an example, the updated Proposed Rules provide that, where fingerprint data is collected, a business may respond to an access request stating that “unique biometric data including a fingerprint scan” is collected and processed, but may not provide the actual fingerprint data.
Information About a Consumer: The updated Proposed Rules clarify that a service provider may collect information “about a consumer” on behalf of a business where the information is not collected directly from the consumer.
Profiling: In addressing the scope of acceptable uses of personal information by a service provider, the updated Proposed Rules clarify that personal information may be used for internal purposes, such as building or improving services. However, a service provider may not use personal information to build or modify profiles for use “in providing services to another business” or for “correcting” information acquired from other sources.
Personal Information: In a notable shift from the February draft, the updated Proposed Rules entirely remove section 999.302, which provided guidance concerning when data constitute “personal information” under the CCPA. As previously reported by Paul Hastings, the earlier guidance provided that the classification of data as “personal information” would be based on how a business maintains the data – i.e., data would not be classified as “personal information” if the business did not, and could not, reasonably link it to a particular consumer or household. The reason for or intended import of the omission is neither clear nor explained.