On Friday, Feb. 7, the California Attorney General (AG) published revised draft regulations for the California Consumer Privacy Act (CCPA). Quickly thereafter, the AG released yet another version of the regulations on Monday, Feb. 10 with a statement that Friday’s version had accidently omitted revisions. The public now has until Feb. 25, 2020 to submit comments on the updated draft regulations. Despite previous statements by the AG that he did not anticipate many changes to the draft regulations, the updated draft regulations have significant and meaningful changes.
Here are the seven most impactful areas of change:
1. Notice at collection vs. privacy policy
The updated draft regulations have clarified that a notice at the time of collection is different than a privacy policy. A business must provide a notice at the time of collection if it collects personal information directly from a consumer. The notice must inform the consumer of what personal information is collected and how the business will use it. Whereas a privacy policy describes the businesses’ practices regarding the collection, use, sharing, and selling of personal information. The updated draft regulations still allow businesses to use a privacy policy as the notice at the time of collection by linking to the applicable section in the privacy policy.
2. Privacy policy requirements
The updated draft regulations no longer require privacy policies to include the sources of personal information. Additionally, privacy policies no longer have to identify on a per-category basis how the business will use the personal information. If a business has sold personal information, then it must provide the categories of third parties to whom it sold for each category of personal information.
3. Consumer requests
The updated draft regulations have clarified that businesses do not need to maintain three methods for receiving consumer requests. Online-only businesses only need an email address for receiving requests to know and delete. All other businesses must provide two methods to receive requests, but a business only needs to consider having one method reflect the way in which it primarily interacts with consumers. Therefore, the draft regulations no longer mandate in-person methods for receiving requests.
Businesses now have longer to confirm receipt of a request to know or delete as the regulations extended the deadline from 10 days to 10 business days. The draft regulations also extended the timeline to comply with a request to opt-out from 15 days to 15 business days. Additionally, businesses may now deny a request to know or delete if the request cannot be verified within 45 days. If a business cannot verify a request to delete, it no longer must treat the unverified request as a request to opt-out. The updated draft regulations provide further exceptions for complying with a request to know when the business does not maintain personal information in a reasonably accessible or searchable format and the information is used solely for legal or compliance purposes.
4. Selling information collected from a third party
Businesses that collect and sell personal information from third parties (i.e., that do not collect information directly from consumers) no longer have to either notify the consumer of the right to opt-out or receive an attestation from the third party. Rather, if the business is a registered data broker that has submitted a link to its online privacy policy with instructions on how to opt-out, then it does not have to provide a notice at the time of collection.
5. Service providers
Service providers may now use their customers’ personal information for additional purposes without inadvertently becoming a third party. Specifically, a service provider may use customer personal information for retaining a subcontractor, improving their services, complying with law or legal obligations, and defending or pursing legal claims. The updated draft regulations no longer require service providers to fulfill requests from consumers. Instead, service providers may simply inform the requesting consumer that it cannot fulfill the request.
6. Accessibility guidelines
The updated draft regulations require all online notices and privacy policies for CCPA to follow the Web Content Accessibility Guidelines version 2.1 from the World Wide Web Consortium. This new requirement is to address accessibility for consumers with disabilities.
7. Opt-out button
Businesses may now include the following opt-out button to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.
Moving forward with CCPA compliance
While some of the changes are positive for businesses, the unexpected shift means that many businesses will need to re-evaluate some aspects of compliance. For example, many privacy policies that were already posted contain information which is now unnecessary under the updated draft regulations. The unfortunate reality is that businesses who heeded the AG’s warnings that they should start compliance on Jan. 1, 2020 have spent time, money, and effort for requirements that no longer exists. Given that the updated regulations are still in draft form, businesses now face a choice on when to update compliance documents: now or only after final regulations are published. California has provided a prime example of why requiring compliance with a law prior to releasing final regulations can lead to frustration and confusion.