California AG Further Revises Modified CCPA Regulations

Blog WilmerHale Privacy and Cybersecurity Law

On March 12, 2020, the California Attorney General (“California AG”) released a second set of modified regulations (“Second Set of Modifications”) for the California Consumer Privacy Act (“CCPA”) that further revise the modified regulations released by the California AG on February 10, 2020 (“First Set of Modifications,” which we analyzed here). This is the third complete version of the CCPA regulations released by the California AG, with the first version being released on October 11, 2019 (that we summarized here).

Comments to the Second Set of Modifications are due no later than 5:00 p.m. PST on March 27, 2020.

Below are highlights of major changes from the Second Set of Modifications compared to the First Set of Modifications:

  • The definition of a “financial incentive” is further revised to mean “a program, benefit, or other offering, including payments to consumers, related to as compensation, for the collection, retention disclosure, deletion, or sale of personal information.” 11 CCR § 999.301(j).
  • The guidance from the First Set of Modifications regarding how “personal information” should be interpreted was eliminated.
    • The First Set of Modifications clarified that whether information meets the definition of “personal information” under the CCPA depends on whether it “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
    • The First Set of Modifications also provided an example of a business that collects IP addresses without associating the IP addresses with a particular consumer. According to the First Set of Modifications, the business in that context was not collecting “personal information” as defined under the CCPA.
    • The Second Set of Modifications eliminate this guidance regarding personal information. It may not affect how the California AG will interpret the CCPA (since the fact that information must relate to a particular consumer or household in order to be considered “personal information” under the CCPA comes from the text of the law itself and not the draft regulations). Businesses, however, can no longer rely on this particular example regarding an IP address when determining whether the information they process qualifies as personal information under the CCPA.
  • The Second Set of Modifications clarify that a “business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.” 11 CCR § 999.305(d).
  • The opt-out button crafted by the California AG in the First Set of Modifications that businesses could use on their homepage to link to their right to opt-out of sale notice is eliminated in the Second Set of Modifications.
  • The privacy policy requirements are further revised. Businesses would be required to include the sources from which personal information is collected, as well as the business or commercial purpose for collecting personal information. 11 CCR §§ 999.308(c)(1)(e)-(f). These requirements were included in the original version of CCPA regulations released by the California AG on October 11, 2019 but were removed in the First Set of Modifications.
    • Additionally, with regard to the privacy policy, if a business has actual knowledge that it sells personal information of minors under the age of 16, it must now include a description of that process. 11 CCR § 999.308(c)(9).
  • A business would still be prohibited from disclosing sensitive information (a consumer’s social security number, driver’s license number, financial account number, health insurance or medical information, an account password, security questions and answers, or unique biometric information) upon receiving a request to know from a consumer. However, per the Second Set of Modifications, a business would be required to inform the consumer with sufficient particularity that it has collected that type of information. “For example, a business shall respond that it collects ‘unique biometric data including a fingerprint scan’ without disclosing the actual fingerprint scan data.” 11 CCR § 999.313(c)(4).
  • In terms of service providers, the Second Set of Modifications clarify that a service provider may collect information directly from a consumer or about a consumer and still be considered a service provider under the law. 11 CCR § 999.314(b).
  • With regard to calculating the value of consumer data (for the purposes of offering a financial incentive), the Second Set of Modifications clarify that a business may consider the value to the business of the data of all natural persons in the United States, not just California residents.

As a reminder, the California AG can begin enforcing the CCPA on July 1, 2020. Our Cybersecurity and Privacy Group is happy to answer any questions your company may have on how to continue to work towards CCPA compliance in this still-uncertain environment.