A more detailed summary, including new practical CCPA examples, can be found in our blog posts.
On February 10, 2020, California's Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert.
The deadline for providing comments on the modified proposed regulations is February 25, 2020. This Alert summarizes some of the most significant proposed changes to the regulations. A more detailed summary, including new practical CCPA examples, can be found in our blog posts regarding changes to: (1) definitions and consumer notice requirements; (2) requirements for consumer requests and verification; and (3) requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data.
Personal Information Clarification
The modified regulations add a new section titled "Guidance Regarding the Interpretation of CCPA Definitions." This guidance clarifies that what is considered "personal information" depends on the manner in which the information is maintained by a business. For example, although IP addresses are explicitly included as examples of personal information in the CCPA, if the IP address is never linked to any particular consumer or household, then the guidance clarifies that the IP address is likely not personal information. The same may be true for certain cookies, particularly session cookies, depending on how the information is collected and maintained.
Household Definition Clarification
The modified regulations clarify and narrow the definition of "household." Under the prior version of the proposed regulations, this was defined as anyone occupying a single dwelling. Now, a household includes those individuals who not only live at the same address, but who must also share a common device or service and be identified by the business as sharing the same account or unique identifier.
The modified regulations amended the methods of submitting consumer requests to track the statutory amendments signed into law after the publication of the first proposed regulations.
- A business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email for submitting requests. All other businesses are required to provide only two methods, one of which should take into account the primary method through which the business interacts with the consumer. The language requiring retailers with websites to offer a third method for submission has been removed.
- Businesses now have more time to send a confirmation to consumers and to comply with a request to opt out. The modified regulations allow for 10 business days (rather than calendar days) for confirming receipt of a request to know or request to delete. The confirmation may be given in the same manner in which the request was received. For example, if the request is made by phone, it can be confirmed during the call. Compliance with a request to opt out must occur as soon as feasibly possible, but no later than 15 business days (rather than calendar days) from the date the business received the request. For consumer requests to delete personal information, businesses may, but are no longer required to, use a two-step process. The initial time period for responding to a consumer request to know or request to delete is still 45 calendar days with an additional 45 calendar day extension available. The timing for when a business can deny an unverified consumer is now set as 45 calendar days.
- Broad language that would have allowed a business to deny a consumer request if it creates "a substantial, articulable, and unreasonable risk to the security" of the personal information, consumer account or business systems has been removed. Instead, businesses are not required to search archive records that are not readily searchable and are kept solely for legal or compliance purposes.
The modified regulations remove language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer's direct interaction with the service provider for the purpose of providing services to another person or entity. Instead, the modified regulations provide that a service provider may only use and disclose personal information for specified limited purposes, including as necessary to retain another service provider as a subcontractor and for its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. Service providers are still also permitted to use personal information to perform the services under the contract, for detecting security incidents and fraudulent or illegal activity, and as otherwise required by law.
Employee Disclosure Requirements
The modified regulations address the partial employee exemption and disclosure requirements related to the same.
"Just-In-Time" Notice for Mobile Devices
The modified regulations add a just-in-time notice requirement for personal information collected from a mobile device that a consumer would not "reasonably expect" to be collected in connection with an app. For example, if the business offers a flashlight app and the app collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the app, which contains the required information.
Businesses must now follow generally recognized industry standards to ensure that all CCPA-required notices are reasonably accessible to consumers with disabilities. Additionally, notices must be provided in the languages in which the business generally provides information to consumers in California, as opposed to generally.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, Brandi A. Taylor, Anjali Kulkarni, one of the attorneys in our California Consumer Privacy Act Group or the attorney with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.