PH Privacy
Updated Proposed Rules: California Attorney General Releases Revised Set of CCPA Regulations
March 13, 2020
Behnam Dayanim, Jacqueline Cooney, and Daniel Julian
Untitled Document
The California Attorney General has issued a second set of updates to the Proposed Rules implementing the California Consumer Privacy Act of 2018 (“CCPA”) on March 11, 2020. This latest draft incorporates some of the updates from the earlier draft published on February 10, and adds new revisions incorporating feedback gathered during a 15-day comment period. The Attorney General’s office has stated that it will accept written comments on the updated Proposed Rules until 5:00 p.m. (PST) on March 27, 2020. Notably,the additional comment period will delay publication of final Rules and shorten the timeframe businesses have to achieve compliance before the July 1, 2020, enforcement date.
The Attorney General’s office helpfully has made available a redlined version of the new Proposed Rules. Here are some highlights.
Notices
Privacy Notice Requirements: The updated Proposed Rules provide additional guidance concerning the disclosures required by a business’ online privacy notice. A business must identify “the categories of sources from which the personal information is collected” as well as “the business or commercial purpose for collecting or selling personal information.”
Knowledge of Minors: The updated Proposed Rules require businesses that have actual knowledge of their collection of the personal information of minors under 16 years of age to provide additional disclosures in their privacy notices.
Notice at Collection: In clarifying an omission from the previously released draft, the updated Proposed Rules now state that a “business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.”
Employment Notices: A business collecting employment-related information is not required to provide a link to any privacy policies (either online privacy policies or employee privacy policies).
Notice of Opt-Out of Sale of Personal Information Logo: The standardized logo for managing opt-out requests for the sale of personal information, introduced in the February Proposed Rules, has been removed.
Consumer Requests
Access Requests: The expanded list of categories of information that may not be disclosed in response to an access request, including Social Security Number, government IDs, financial account information, and biometric information, remains in place. However, businesses are now required to inform the consumer with sufficient particularity of the types of information collected. As an example, the updated Proposed Rules provide that where fingerprint data is collected a business may respond to an access request stating that “unique biometric data including a fingerprint scan” is collected and processed, but may not provide the actual fingerprint data.
Service Providers:
Information About a Consumer: The updated Proposed Rules clarify that a service provider may collect information “about a consumer” on behalf of a business where the information is not collected directly from the consumer.
Profiling: In clarifying the scope of acceptable uses of personal information by a service provider, the updated Proposed Rules clarify that personal information may be used for internal purposes, such as building or improving services. However a service provider may not use personal information to build or modify profiles for use “in providing services to another business” or for “correcting” information acquired from other sources.
Definitions:
Personal Information: In a notable shift from the February draft, the updated Proposed Rules entirely remove section 999.302 which provided guidance concerning when data constitute “personal information” under the CCPA. As previously reported by Paul Hastings, the earlier guidance provided that the classification of data as “personal information” would be based on how a business maintains the data – i.e., data would not be classified as “personal information” if the business did not, and could not, reasonably link it to a particular consumer or household. The reason or intended import of the omission is not clear, nor explained.