California AG proposes another draft of modifications to California Consumer Privacy Act

The California Attorney General (AG) has proposed yet another round of modifications to earlier proposed regulations under Chapter 20 of the California Consumer Privacy Act of 2018 (CCPA), which are generally regarded as minimal and technical, with a few noteworthy exceptions.

The new draft of the proposed revisions came in reaction to the roughly 100 comments the AG’s office received regarding the second draft of the proposed regulations submitted to the AG’s office between February 7, 2020, and February 25, 2020. The first set of modifications was issued on February 10, 2020.

The AG’s original proposed regulations were issued last October, with additional modifications to the proposed rules issued in February. The deadline for comments on the new round of draft modifications to the proposed CCPA regulations is Friday, March 27, at 5:00 PM PDT.

According to legal analysts and observers, the latest proposed modifications to the state’s CCPA law suggests final rules could go into effect before, but at least by the July 1, 2020 deadline required under the CCPA.

“Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes,” observed Glenn A. Brown, of counsel to Squire Patton Boggs (US) LLP, in The National Law Review last week, noting that “it is unclear why the elimination of the section addressing the format of an ‘opt-out button or logo … was erased, given that the CCPA explicitly requires the AG to ‘establish rules and procedures’ for the ‘development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information’ on or before July 1, 2020.”

Similarly, Brown noted that “elimination of the [privacy controls] provision introduced in the prior round of modifications for privacy controls to ‘require that the consumer affirmatively select their choice to opt-out’ and that they not be designed with any pre-selected settings’” may “suggest that the AG expects business to honor privacy controls regardless of whether the pre-selected settings are privacy-protective or not.”

Finally, Brown said, “The new language also resolves an inconsistency between the description of financial incentives in the statute and the definition of the term in the previous version of the proposed regulations.”

Writing in Covington & Burling’s Inside Privacy, Libbie Canter, Lindsey Tonsager, and Alexandra Scott pointed out that “the February draft restated the statutory standard that whether the information is ‘personal information’ depends on whether it is maintained in a manner that is ‘… reasonably capable of being associated or could be reasonably linked …with a particular consumer or household.’”

“It then gave an example that IP addresses are not personal information if they are not linked or reasonably linkable to a particular consumer or household,” Canter, Tonsager, and Scott added. “The March draft regulations eliminate this provision, apparently because the provision was redundant with the statute. The statute already provides that information is not regulated if it is not maintained in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’”

So just what are the latest proposed modifications to CCPA? Well, for the sake of clarity, we are only addressing those portions of the CCPA that contain the newest alterations highlighted in italics. The full text of the repeatedly modified regulations in the original proposed language is in a single underline. The first set of modifications issued on February 10, 2020, are illustrated in red double underline for proposed additions, and by strikeout for the proposed deletions. The second set of changes – the latest proposed draft issued on March 11 – is illustrated by a green double zigzag underline for proposed additions and by blue double strikeout for proposed deletions. Yes, it sounds complicated, and it is.

Only the newest modifications are addressed in this report. The initial and latest proposed deletions can be found in the latest color-coded draft of the regulations provided by the California AG.

The definition of “Employment benefits” has been changed to mean retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer, while “financial incentive” has been redefined to mean a program, benefit, or other offering, including payments to consumers that is related to the collection, retention or sale of personal information.

“Price or service difference” now means any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, or sale of personal information, including through the use of discounts, financial payments, or other benefits or penalties; or any difference in the level or quality of any goods or services offered to any consumer related to the collection, retention, or sale of personal information, including the denial of goods or services to the consumer.

Under § 999.305 Notice at Collection of Personal Information, Purpose and General Principles, the language has been changed to read that the purpose of the notice at collection is to provide consumers with only a timely notice at or before the time of collection about the categories of personal information to be collected from them rather than informing them that their personal information is being collected, and eliminating the categories of personal information from the purposes for which the information will be used. The notice at collection shall also be designed and presented to the consumer in a way that is easy to read and understandable to consumers, not just “an average” consumer. The notice shall:

Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.

If a business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” required by section 999.315, subsection (a), the web address for offline notices has been removed, as well as where the webpage to which it links can be found online.

Also added into the new draft is the language that “business that [do] not collect personal information directly from a consumer [do] not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information. Also stricken is a business that does not collect information directly from consumers is considered a data broker registered with the Attorney General as a data broker, and does not need to provide a notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.

Also removed from the provision that instructions on how a consumer can submit a request to opt-out need not be provided to the consumer [but rather] before it can sell a consumer’s personal information it shall do either of the following: Contact the consumer directly to provide notice that the business sells personal information about the consumer and provide the consumer with a notice of right to opt-out … or contact the source of the personal information to confirm that the source provided a notice at collection to the consumer in accordance with [the law]and … obtain signed attestations from the source describing how the source gave the notice at collection and including an example of the notice. Attestations shall be retained by the business for at least two years and made available to the consumer upon request.

In providing notice at collection of employment-related information, the new language says it is not required to provide a link to the business’s privacy policy, and removed entirely is the option to include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors in lieu of a link or web address to the business’s privacy policy for consumers.

Under § 999.306, Notice of Right to Opt-Out of Sale of Personal Information, a business shall not be required to provide in its notice of the right to opt-out a webform interactive form by which the consumer can submit their request to opt-out online.

Under § 999.307, Notice of Financial Incentive, consumers now do not have to be explained in the notice of financial incentive each of the material terms of a financial incentive or price or service difference that a business may offer in exchange for the retention or sale of a consumer’s personal information. Neither does a business that does not offer a financial incentive or price or service difference related to the collection or retention or sale of personal information need to disclose or delete such information, or be required to provide a notice of financial incentive.

Under § 999.308, Privacy Policy, privacy policies shall be designed and presented in a way that is easy to read and understandable to consumers, not “an average” consumer, and the policy now shall identify the categories of sources from which the personal information is collected. The categories shall be described in a manner that provides consumers a meaningful understanding of the information being collected, and identify the business or commercial purpose for collecting or selling personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.

Additionally, if a business has actual knowledge that it sells the personal information of minors under 16 years of age, a description of the processes is required.

Under § 999.312, Methods for Submitting Requests to Know and Requests to Delete, a business shall not have to disclose at any time in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The business shall, however, inform the consumer with sufficient particularity that it has collected the type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.

In the section, Responding to Requests to Delete, “if the business complies with the consumer’s request, the business shall inform the consumer,” not disclose to the consumer, “that it will maintain a record of the request pursuant to the law that a business may retain a record of the request for the purpose of ensuring that the consumer’s personal information remains deleted from the business’s records.”

Additionally, new language states that if a business that denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt out of the sale of their personal information and shall include either the contents of, or a link to, the notice of right to opt-out in accordance with section 999.306.

Stricken in the new draft is the requirement that in responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered, and more prominently presented than the other choices. The business shall still use a two-step confirmation process where the consumer confirms their selection as required by section 999.312(d).

Under § 999.314, Service Providers, the following has been added to the new draft proposal: To process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.

Removed is the requirement to perform the services specified in the written contract with the business that provided the personal information.

Information maintained for recordkeeping purposes shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the CCPA and these regulations. Information maintained for recordkeeping purposes shall not be shared with any third party, but added is, except as necessary to comply with a legal obligation.

A business must also now be required to know or reasonably should know that it, alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 10,000,000 or more consumers in a calendar year …”

A business shall also now not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.

Regarding minors under 13 years old, when a business receives an affirmative authorization pursuant to the appropriate subsection of the law, the business shall inform the parent or guardian of the right to opt-out, but not at a later date, and of the process for doing so on behalf of their child pursuant to the law.

Lastly for the purpose of calculating the value of consumer data, a business may consider the value to the business of the data of all natural persons in the United States and not just consumers, but stricken from the language is that a business may not consider the value of the data of all natural persons to the business.

Article Topics

biometrics  |  California  |  CCPA  |  data protection  |  legislation  |  privacy  |  United States