On March 11, 2020, the California Attorney General (“AG”) published a second round of modifications to the proposed regulations under the California Consumer Privacy Act of 2018 (“CCPA”). The AG initially published the proposed regulations in October 2019 and then published modifications to such proposed regulations in February 2020. The deadline for submitting comments on this draft of modifications to the proposed CCPA regulations is Friday, March 27, 2020, at 5:00 p.m. PDT.
The March 27, 2020, 5:00 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes.
What Has Changed?
The modifications are generally minor and technical, with a few exceptions. The modifications were made in response to approximately 100 comments received on the second draft of the proposed regulations that were submitted to the AG’s office between February 7, 2020 and February 25, 2020.
The most recent modifications to the proposed regulations include the following:
- Clarifying the Definition of “Financial Incentive”: clarification that a “financial incentive” includes payments or offerings to consumers that are “related to the collection, retention, or sale of personal information”. This wording is clearer than the previous draft of the regulations, which described a financial incentive as payments or offerings to consumers “as compensation, for the disclosure, deletion, or sale of personal information”. The new language also resolves an inconsistency between the description of financial incentives in the statute and the definition of the term in the previous version of the proposed regulations.
- Deletion of Interpretive Guidance on Definition of “Personal Information”: deletion of Section 302, which had proposed a more subjective test for determining when information is “personal information” for CCPA purposes. The deleted text had helpfully provided that what information is to be considered “personal information” for a given business depends on how such business maintains the information in question. The regulations are now more in line with other robust data privacy regimes such as the EU’s General Data Protection Regulation.
- Personal Information Collected Indirectly: clarification that businesses that collect personal information from sources other than the consumer do not have to provide a notice at collection to the consumers to whom the personal information relates, unless the business sells such personal information. In that case, the business will presumably need to provide a notice at collection to such consumers prior to selling the personal information, though this requirement is no longer explicitly reflected in the proposed regulations. This revision leaves businesses that are not data brokers but that sell personal information collected indirectly with a challenging obligation.
- Notice at Collection for Employees and Contractors: the notice at collection for employees and contractors is no longer required to include a link to the business’s privacy policy.
- Privacy Policy Disclosures: re-introduction of a requirement for businesses to include in their privacy policy the categories of sources from which the business collects personal information and the business or commercial purpose(s) for collecting or selling personal information. This information does not need to be broken out for each category of personal information collected. This revision resolves an inconsistency between the statute and previous versions of the proposed regulations and aligns the disclosures in the privacy policy with the disclosures required when a consumer exercises the “right to know”.
- Sale of Personal Information of Minors: introduction of a new requirement that if a business has actual knowledge that it sells the personal information of minors under 16 years of age, a description of the process for opting in to (and subsequently opting out of) such sales must be included in the business’s privacy policy.
- Sensitive Personal Information: introduction of a new requirement that, in response to a consumer seeking to know what personal information a business has about them, the business disclose whether it has collected certain types of sensitive personal information (Social Security numbers, driver’s license numbers, financial account numbers, etc.) without actually disclosing the personal information itself. For example, a business must disclose that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Opt-Out Rights: introduction of a requirement that a business that denies a consumer’s request to delete, and that sells personal information, must ask the consumer whether they would like to opt out of the sale of their personal information if the consumer has not already exercised that right. Under the previous version of the proposed regulations, this obligation only arose when a business could not verify the consumer’s identity; in this version, the business has the obligation whenever the request is denied, for whatever reason, including the various statutory bases for denying such a request.
- Opt-Out Button: elimination of the section addressing the format of an “opt-out button or logo.” It is unclear why the section was erased, given that the CCPA explicitly requires the AG to “establish rules and procedures” for the “development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information” on or before July 1, 2020.
- Privacy Controls: elimination of the provision introduced in the prior round of modifications for privacy controls to “require that the consumer affirmatively select their choice to opt-out” and that they not be “designed with any pre-selected settings.” The deletion of these provisions suggests that the AG expects businesses to honor privacy controls regardless of whether the pre-selected settings are privacy protective or not.
Some other interesting revisions include clarifications to the proposed regulations regarding service providers and record keeping.
What Will Happen Next?
The AG is currently accepting written comments on the proposed changes and documents relied on in the rulemaking. Comments must be submitted to the AG no later than 5:00 p.m. PDT on Friday, March 27, 2020, by email to privacyregulations@doj.ca.gov, or by regular mail at the following address:
Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
The AG will review and respond to all timely received comments pertinent to the changes proposed. In order to finalize the rules, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. This record will include the Final Statement of Reasons, in which the AG will summarize and respond to the public comments received. The OAL will then have 30 working days to determine whether the record satisfies procedural requirements under California law. If the requirements are met, the regulations will be adopted as final and filed with the California Secretary of State.
Given the California AG’s timetable, the regulations may come into force as early as May 2020. Companies defined as businesses, service providers and data brokers under the CCPA should, therefore, move promptly to evaluate any changes that may be required to their privacy policies, notices, consumer rights response procedures, service provider contracts, and other CCPA documentation and practices under the modifications to the proposed regulations.