On February 7, 2020, California Attorney General Xavier Becerra (the California AG) proposed revisions to the regulations implementing the California Consumer Privacy Act (CCPA) that his office had first proposed on October 10, 2019. The California AG released a further revised version of the regulations a few days later on February 10 due to an inadvertent omission. Along with the new proposed regulations, the California AG also released documentation that his office relied on in reaching the revisions. Comments are due by February 25, and it is not clear when the California Attorney General’s Office will release final CCPA regulations, as the enforcement deadline looms on July 1, a mere 18 weeks from now. Meanwhile, the advertising industry has formally requested a delay in the enforcement date given that the new regulations are still not final.
The new proposed regulations purport to clarify ambiguities from the previous version of the regulations and to address unanswered questions in the CCPA itself. Like the previous version of the regulations, the new version of the regulations also imposes additional obligations on businesses that are not found in the text of the CCPA itself. Below is a list of the major highlights of the new proposed regulations:
- Clarify that information must relate to a particular consumer in order to meet the definition of “personal information” under the CCPA. This means that businesses that collect information without associating it to particular consumers (e.g., website analytics providers that collect IP addresses as part of providing their service) are not collecting personal information as that term is defined under the law. See 11 CCR § 999.302.
- Add an obligation for businesses that collect personal information through mobile applications. The regulations state that “[w]hen a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection,” and provide an example of a flashlight app that also collects geolocation information as a business needing to comply with this requirement. The regulations do not provide any additional guidance as to what type of collection would fail to meet a consumer’s reasonable expectations. See 11 CCR § 999.305(a)(4).
- Treat global privacy controls as consumers’ requests to opt out of the sale of personal information. See 11 CCR § 999.315(d).
- Specify how service providers can use the information they obtain from businesses in the course of providing their services. Acceptable uses include hiring subcontractors to assist with the services (provided that the subcontractors also meet the CCPA’s requirements for a service provider) and preventing fraudulent or illegal activity. See 11 CCR § 999.314(c).
- Clarify the definition of “household” and revise the requirements as to when a business may respond to a request to know specific pieces of information or a request to delete as it pertains to household information. 11 CCR § 999.318(a).
- Provide additional examples as to how a business can provide a financial incentive or a price or service difference without running afoul of the CCPA’s prohibition against nondiscrimination. See 11 CCR § 999.336(d).
- Impose affirmative obligations on authorized agents that make CCPA requests on behalf of consumers. 11 CCR §§ 999.326(d)-(e).
- Change the obligation for businesses that must compile metrics regarding how they respond to CCPA requests from those that buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 4,000,000 consumers to 10,000,000 consumers. 11 CCR § 999.317(g).
The rest of this client alert identifies key takeaways from each of the six substantive Articles by which the regulations are organized.
For background on the CCPA and our assessment of the previous version of the draft regulations, please read our client alert on the prior version of the California AG’s proposed CCPA regulations.
Key Takeaways From Each Article of the New Draft Regulations
Article 1: General Provisions (Including Definitions)
- Perhaps the most significant change in this Article is the addition of the section titled “Guidance Regarding the Interpretation of CCPA Definitions.”
- This section clarifies that information is considered “personal information” under the CCPA only if it “identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 11 CCR § 999.302.
- The section provides an example of a business that collects IP addresses of visitors to its website but does not link those IP addresses to particular consumers or households and could not reasonably link those IP addresses to particular consumers or households. As such, that business is not collecting “personal information” under the CCPA. Id.
- This is a welcome clarification for website analytics providers, many of which collect IP addresses, cookies and other website information in order to provide their services but do not necessarily associate this information with particular consumers or households.
- Notable new definitions in the new version of the proposed regulations include:
- “Employment benefits,” which mean retirement, health, or other benefit programs, services or products to which consumers or their beneficiaries receive access through the consumer’s employer;
- “Employment-related information,” which means personal information that is collected by the business about a natural person for the reasons identified in Civil Code Section 1798.145, subdivision (h)(1). The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose;
- “Signed,” which means that the written attestation, declaration or permission has either been physically signed or provided electronically per the Uniform Electronic Transactions Act, Civil Code Section 1633.7 et seq; and
- “Value of the consumer’s data,” which means the value provided to the business by the consumer’s data as calculated under 11 CCR § 999.337.
- The new proposed regulations narrow the definition of “household” from “a person or group of people occupying a single dwelling” to “a person or group of people who (1) reside at the same address, (2) share a common device or the same service provided by a business; and (3) are identified by the business as sharing the same group account or unique identifier.” 11 CCR § 999.301(k).
Article 2: Notice to Consumers
- The revised version of Article 2 adds a section that provides an overview of the required notices that states when each one is required.
- The four required notices under the CCPA are:
- Notice at Collection of Personal Information;
- Notice of the Right to Opt-Out of Sale of Personal Information;
- Notice of Financial Incentive; and
- The new proposed regulations state that all four notices must be reasonably accessible to consumers with disabilities. For notices provided online, businesses must follow “generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium . . . .”
- Regarding mobile apps, the new proposed regulations clarify that a business can provide notice at collection by providing a link to the notice on the mobile app’s download page and within the app, such as within the app’s settings page. 11 CCR § 999.305(a)(3)(b).
- The new proposed regulations add a requirement for mobile apps, stating that “[w]hen a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.” 11 CCR § 999.305(a)(4).
- For example, if a business offers a flashlight app and that flashlight app collects geolocation information, that business shall provide a just-in-time notice, such as through a pop-up window when a consumer opens the app. Id. (This is drawn from the Federal Trade Commission’s GOLDENSHORES TECHNOLOGIES, LLC matter from 2014).
- This also suggests that notices at the point of collection need not be “just in time” in other scenarios.
- The new proposed regulations take into account the CCPA amendments signed into law in October 2019 and their effect on the notice-at-collection requirement.
- Regarding employment-related information, the new proposed regulations account for AB 25, which establishes a sunset provision for the CCPA’s requirements as they pertain to employment-related information until January 1, 2020, except that businesses must still provide notice at collection. 11 CCR § 999.305(e).
- The new proposed regulations:
- Confirm that the notice at collection of employment-related information does not need to include a “Do Not Sell My Personal Information” link; and
- In terms of notice of the right to opt out of sale, the new proposed regulations add a requirement stating that “[a] business shall not sell the personal information it collected during the time the business did not have notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer.” 11 CCR § 999.306(e).
- It is unclear whether this requirement applies to information that was collected before the CCPA went into effect.
- The new proposed regulations also include a picture of an opt-out button that businesses may use to alert consumers as to how they may opt out of the sale of their personal information. 11 CCR § 999.306(f).
- In terms of the notice of financial incentive, the new proposed regulations confirm that a business that does not offer a financial incentive or price or service difference related to the disclosure, deletion or sale of personal information is not required to provide a notice of financial incentive. 11 CCR § 999.307(a)(1).
Article 3: Responding to Requests to Know and Requests to Delete
- The new proposed regulations essentially create an exception for businesses responding to a request to know from a consumer. They state that, upon receiving a request to know, a business is not required to search for personal information if all of the following conditions are met:
- The business does not maintain the personal information in a searchable or readily accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions listed above. 11 CCR § 999.313(c)(3).
- The new proposed regulations require that when a consumer submits to a business a request to delete and the business cannot verify the identity of the consumer, the business must provide the consumer with the option to opt out of the sale of his or her personal information as part of its response to the consumer regarding the request to delete (to the extent applicable). 11 CCR § 999.313(d)(1).
- Regarding service providers, the new proposed regulations state that a service provider shall not retain, use or disclose personal information obtained in the course of providing services except:
- To perform the services specified in the written contract with the business that provided the personal information;
- To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations;
- This is a helpful clarification from the California AG because neither the CCPA nor the previous version of the draft regulations accounted for how subcontractors should be treated.
- For internal use by the service provider to build or improve the quality of the services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
- To detect security incidents or protect against fraudulent or illegal activity; or
- For the purposes enumerated in Sections 1798.145(a)(1)-(a)(4), which are:
- Complying with federal, state or local laws;
- Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities;
- Cooperating with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law; and
- Exercising or defending legal claims. 11 CCR § 999.314(c).
- In terms of the right to opt out of sale and its relationship to global privacy controls (such as a browser plugin or privacy setting), the new proposed regulations state that:
- Any privacy control that is developed in accordance with the CCPA regulations shall clearly communicate or signal that a consumer intends to opt out of the sale of personal information through an affirmative choice made by the consumer; and
- If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or the consumer’s participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and provide the consumer the choice to confirm the business-specific privacy setting. 11 CCR § 999.315(d).
- For requests to access or delete household information, the new proposed regulations state that when a household does not have a password-protected account with a business, the business shall not comply with a request to know specific pieces of information or a request to delete household information unless the following conditions are met:
- All consumers of the household jointly request access to specific pieces of information for the household or the deletion of personal information;
- The business individually verifies all the members of the household subject to the verification requirements set forth in the regulations; and
- The business verifies that each member making the request is currently a member of the household. 11 CCR § 999.318(a).
- For members of a household that are under the age of 13, a business must obtain verifiable parental consent before complying with a request to know specific pieces of information about the household or a request to delete household personal information. 11 CCR § 999.318(c).
- Regarding record-keeping requirements, the new proposed regulations change the obligation for businesses that must compile metrics regarding how they respond to CCPA requests from those that buy, receive for the business’s commercial purposes, sell, or share for commercial purposes the personal information of 4,000,000 consumers to 10,000,000 consumers. 11 CCR § 999.317(g).
Article 4: Verification of Requests
- As a general rule, the new proposed regulations state that a business shall not require a consumer to pay a fee for the verification of his or her request to know or request to delete. 11 CCR § 999.323(d).
- For example, a business may not require a consumer to provide a notarized affidavit to verify his or her identity unless the business compensates the consumer for the costs of notarization. Id.
- The new draft regulations impose new affirmative use restrictions and security requirements on authorized agents who make CCPA requests on behalf of consumers. Under the regulations:
- An authorized agent shall implement and maintain reasonable security procedures and practices to protect the consumer’s information (11 CCR § 999.326(d)); and
- An authorized agent shall not use a consumer’s personal information, or any information collected from or about the consumer, for any purpose other than to fulfill the consumer’s requests, for verification or for fraud prevention. 11 CCR § 999.326(e).
Article 5: Special Rules Regarding Minors
Regarding authorization for minors under the age of 13, the new proposed regulations require businesses to “establish, document, and comply with a reasonable method . . . for determining whether a person submitting a request to know or a request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.” 11 CCR § 999.330(c).
Article 6: Non-Discrimination
- The new proposed regulations reiterate that a business may offer a financial incentive or price or service difference if it is reasonably related to the value of the consumer’s data. However, the new proposed regulations state that “[i]f a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference.” 11 CCR § 999.336(b).
- The new proposed regulations provide three additional examples of how a business can offer a financial incentive or a price or service difference without running afoul of the CCPA’s prohibition against nondiscrimination. See 11 CCR § 999.336(d).
- The new proposed regulations clarify that a business may consider the value of the data of all natural persons and not just consumers. 11 CCR § 999.337(b).
- This allows businesses to take into consideration the value of non-California resident data.
WilmerHale’s Cybersecurity and Privacy Group will continue tracking and reporting on the progress of these regulations.