As we reported here the California Attorney General released proposed regulations pursuant to the California Consumer Privacy Act (CCPA) on October 10, 2019. These proposed regulations were modified on February 7 and again on February 10, 2020. These modifications, which followed additional hearings and comments, would effect several important changes and clarifications.
- Clarification of “Personal Information.” A new section 999.302 provides guidance for interpreting the CCPA definition of “personal information.” A helpful example is provided for IP addresses, indicating that IP addresses are not personal information if collected by a business through its website where the business could not reasonably link the IP address with a particular consumer or household.
- provide more specificity as to delivery, including for use with mobile apps and devices such as a new “just-in-time notice” to address the collection of personal information for a purpose that would not be reasonably expected; and
- limit to registered data brokers the originally proposed relief from the requirement for notice at collection in the context of information collected indirectly (i.e., not directly from consumers).
- Exceptions to Right to Know. The modifications also create exceptions from the obligation to search for information in response to the exercise of the right to know where the business:
- does not have the information in a searchable or readily accessible format;
- maintains the information solely for legal or compliance purposes;
- does not sell the information and does not use it for any commercial purpose; and
- describes to the consumer the categories or records that may contain the requested information that it did not search because of one of the foregoing reasons.
Certain biometric data was also excepted from the required response to the exercise of a right to know.
- Relief for Offline Businesses. The modifications include some relief for business that interact with consumers in person, including the change from a requirement to provide at least one method to submit requests in person to a requirement to “consider” providing an in-person method such as a printed form, a tablet or portal to submit online, or a toll-free telephone number.
- Clarifications for Responses to Consumer Requests. Additional guidance is provided for addressing rights to know and rights to delete for businesses that interact with consumers online, by telephone or in person, and back down on the original proposal to require a two-step process for online requests to delete. In addition, the modifications provide that a business can deny a request if it cannot verify the consumer within 45 days. Category by category disclosures must be provided in response to requests to know. In response to a request to delete, the business must ask the consumer if he or she would like to opt out of sales of personal information, if the consumer has not already made the opt-out request.
- Amplification of Restrictions on Service Providers. The modifications further amplify the restrictions on a service provider’s ability to retain and use data. Importantly, internal use by the service provider to build or improve the quality of its services (other than for profiling) or cleaning or augmenting data from another source is permitted.
- Clarifications for the Opt-Out Right. The modifications provide further guidance on the offering and response to opt-out requests, including guidance for resolving conflicts with other consumer settings or a financial incentive program.
- Further Guidance Concerning Household Information. The modifications provide further guidance where a business receives a request to access or delete household information, including for verification.
- Verification Clarification. Guidance is provided for the verification process, including for verifying a consumer using a mobile app.
- Non-Discrimination. The modifications clarify that a financial incentive may not be offered unless the business can show a reasonable relation to the value of the consumer’s data. Additional, helpful illustrations are also offered.
We will continue to track and report on further developments concerning the CCPA and its implications for businesses.