Late Friday, the California Attorney General’s Office (“CAG”) released substantial modifications to the draft California Consumer Privacy Act (“CCPA”) regulations it proposed last October. Although several changes consist of minor clarifications or enhancements to readability, others will have a profound impact on businesses working to comply with the CCPA. Notable changes include:
- Personal Information. Further clarifies that information is not personal information (“PI”) if the business cannot reasonably associate it with a consumer or household. This includes an IP address if the business has no way to link it to a consumer or household.
- Point of Collection Disclosures. Only exempts registered data brokers from the requirement to provide point of collection disclosures when collecting PI from a source other than the consumer. By implication, all other businesses must arguably provide point of collection disclosures when they indirectly collect PI. The updated regulations also require just-in-time notice when a mobile app collects unexpected PI. The illustrative example cited by the CAG is when a flashlight app collects geolocation information.
- CCPA Request Methods. Eliminates the requirement to allow consumers to submit right to know and deletion requests online. All but a very limited subset of businesses must still provide consumers with two request methods, calibrated to the way the business primarily interacts with customers. The two-step process for online deletion requests is now optional instead of mandatory.
- Fulfilling Right to Know and Deletion Requests. Provides several clarifications on how businesses must or may process right to know and deletion requests. The clarifications cover topics such as the timeline for confirmation notices, situations where the business cannot verify the consumer’s identity, archived and back-up systems, and restrictions on providing biometric data. The updated regulations also prohibit businesses from charging fees or requiring notarization as part of the verification process.
- Processing Opt-Out Requests. Extends the maximum timeline for honoring requests to 15 business days. Significantly limits the situations where businesses must notify third parties after receiving opt-out requests. Requires consumers to sign an authorization form to allow an agent to submit a request on their behalf.
- Requests to Opt-In after Opting Out. Acknowledges that a consumer may request a transaction that requires the sale of her PI after she made an opt-out request. In such situations, the business may inform the consumer she must opt into the sale to proceed with the requested transaction.
- Household Information and Requests. Narrows the definition of “household” to require more than just occupying a single dwelling. Clarifies the requirements for processing right to know requests for households, including different rules depending on whether the household has a password protected account with the business.
- Service Providers. Clarifies the purposes for which service providers may use consumers’ PI on behalf of a business. Prohibits a service provider from selling PI on behalf of a business that received an applicable opt-out request (note: the rules do not expressly limit this to situations where the business provides notice of the opt-out).
These modifications are subject to public comment and potential further revision by the CAG. Interested parties must submit comments before 5:00 PM PST February 24, 2020.
Nick is a Partner at M&S where he leads the firm’s Compliance practice areas. He brings more than a decade of experience helping clients understand and comply with federal and state privacy, advertising, and telemarketing laws and regulations.