California Attorney General Xavier Becerra recently released proposed modifications to his initial California Consumer Privacy Act (CCPA) regulation adjustments. While the CCPA became effective January 1, the attorney general (AG) still has until July 1 to finalize these regulations and may not bring an enforcement action until that time. However, the time is now for companies doing business in California to become compliant – especially given the AG’s caution that this delay does not create a “safe harbor,” and businesses should strive for earlier compliance.
Overall, businesses can expect the final regulations to look similar to the current draft, so it’s in everyone’s best interest to quickly take steps toward compliance and avoid scrambling come July 1. Here are five of the most important modifications to address and adjust based on the latest version of the AG’s CCPA regulations:
-
Interpretation of “Personal Information” (§ 999.312(a)). The AG clarified that whether information is considered “personal information” depends on whether the business maintains the information in a manner that links or could reasonably be linked to a particular consumer or household. In making this clarification, the AG provided the example of internet protocol (IP) addresses. IP addresses will not be considered “personal information” for purposes of the CCPA, so long as the business does not link the IP addresses that they collect with an individual consumer or household.
This guidance is likely related to concerns that the use of website analytic services might constitute a “sale” of personal information under the CCPA, due to the fact that the analytics provider analyzes website usage through IP addresses and other non-personal identifiers. Given this example, collected information that is kept and used in a way that is not associated with personal data or linked to an individual consumer or household now likely falls outside of the scope of the CCPA’s broad definition of “personal information” and would not require a do-not-sell, opt-out notice.
-
Privacy Policy Requirements (§ 999.308). In the revised regulations, the AG did away with the requirement that a privacy policy identify the source and commercial purpose for each category of personal information that the business had collected from consumers in the preceding 12 months. This change will likely shorten and simplify CCPA-compliant privacy policies. However, the privacy policy must still identify the categories of third parties with whom the business shares or sells personal information.
-
Notice at Collection of Personal Information (§ 999.305). In addition to making a full privacy policy available, a business must also provide a more limited notice at the time personal data is collected. For websites, this notice at collection is usually just a link to the full privacy policy on all web pages where personal information is collected. The revised regulations make several minor modifications to the requirements for the notice at collection. The regulations now provide that if a business collects personal information over the phone or in person, it may orally give the notice at collection. In addition, when a business collects personal information through a mobile application, a business may now provide a link to the notice on the mobile application’s download page and within the application, such as in the settings menu. But, if a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, the business must provide a “just-in-time” notice with a summary of the personal information being collected and a link to the full notice at collection. For example, a flashlight app that also collects geolocation information must present a compliant notice upon launch, because a consumer would not reasonably expect a flashlight to collect location data.
-
Web Accessibility (§ 999.305(a)(2)(d)). The initial regulations only required that a business provide information on how a consumer with a disability may access a privacy notice in an alternative format. In the revised regulations, notices provided online must follow generally recognized industry standards, such as the World Wide Consortium’s Web Content Accessibility Guidelines, version 2.1 (WCAG 2.1). The AG’s use of “such as” would imply that WCAG 2.1 is merely one example of an “industry standard.” However, unless further clarification on the issue is released, the safe bet is to stick with the AG’s example of what he considers an industry standard. In situations where notice is not provided on a website, a business should provide information on how a consumer with a disability may access the notice in an alternative format.
-
Collecting Employment-Related Information (§ 999.305(e)). As currently drafted, the CCPA covers the collection of personal information from consumers and customers as well as employees and job applicants – although certain provisions of the CCPA are waived with respect to employee-related information until January 1, 2021. A business will usually have different processes with respect to these two categories of information and will use and disclose the collected information for different purposes.
Accordingly, the revised regulations clarify that the notice at collection for employment-related information may include a link to (or a paper copy of) the business’ privacy policy for employees, in lieu of a link to its privacy policy for consumers. A business’ employment-related privacy policy does not need to include a link or web address titled “Do Not Sell My Personal Information.”
A redline of the regulations with all of the modifications can be found here. The AG permitted comments to be submitted on the revised regulations, and will provide a summary and response once all comments are processed.
Given the approaching July 1 deadline, future major changes to the current version of the regulations are unlikely. Due to the process for adopting and approving the regulations, the AG must adopt the final regulation and submit them to the Office of Administrative Law by April 16. Any major changes to the regulations would require a new 45-day notice, which is not feasible to meet this mid-April deadline.