The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principals by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.
To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes.
Privacy Policy
The first such change is to clarify there is a distinction between the requirement to give notice that personal information is being collected and having a privacy policy. The notice requirement being a compliant notice be given that personal information is being collected and it appears at or near the place of collection and the intended uses of that data are included. Whereas, a privacy policy is defined as a “statement that a business shall make available to consumers describing the business’s practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their own personal information.” Companies may, of course, use a link from the collection notice to the privacy policy to provide any needed notice details, but if doing so, the link should be to the relevant section(s) and not the privacy policy generally.
Notice of Collection
The new regulations go on to make the point that personal information (herein either “PI” or “data”) is a matter of context. Using the illustration of an IP address, and noting that whether or not its retention qualifies as personal information “depends on whether the business maintains the information in a matter that ‘identifies, relates to, describes, is reasonably capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.'” If that link does not exist, the IP address is not personal identification, but then best practice would dictate the company make clear what it does and does not associate with the data it retains.
The new regulations go on to reinforce the point the notice of collection should be presented timely, i.e., at or before the point of collection, and makes clear the categories of data being collected and the intended purposes. The regulations now also require accessibility for all consumers by implementation of the World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018) standard (available here).
There is also an attempt at further clarity regarding where the notice should be presented. For example, if the business collects personal information online, the notice should be on the home page and all other pages where personal information is collected. If the data is collected through a mobile app, the notice should be on the landing or download page and within the app, such as through the user’s settings menu. If the data is collected offline, then print forms and conspicuous signage should be used to direct the consumer to where the notice can be found offline. Lastly, if the information is collected by telephone, the notice may be provided orally.
There is also the caution that when data is collected by a mobile app that is not “reasonably expect[ed],” a just-in-time link to a notice with a summary of the categories of personal information being collected and a link to the full notice is to be provided. The illustration used is a flashlight app that collects geo-location data.
Helpful to business is a broader definition of when a business may use personal information. Now the standard is the business may use the personal data so long as that use is not “materially different” from the uses disclosed in the collection notice. If the intended use is “materially” different, then notice must be given and explicit consent received from the consumer. Helpful to data brokers is a change that allows them to register with the CA AG as a data broker and eliminates the need to provide collection notices but only if the data broker provided a link to its online privacy policy in the registration submission and that policy includes clear instructions as to how to opt-out.
Do Not Sell Logo
Then, finally, we now know what the logo should look like if a company does sell personal information and provides the opt-out process now required.
The mandate now is the opt-out button or logo may be used in addition to any posting about the right to pot-out, but not in lieu of such notice. If used, the button or logo is to appear to the left of the text as above. The text itself should be in “approximately the same size as other buttons on the business’s webpage.” Of course, if the company does not sell personal information, this is not required. At the same time, companies that do sell data and do not use this button/logo, may find themselves with lots of complaints about how clear they are being regarding how consumers opt-out.
Employment Data
The revised regulations are also helpful to employers. First, there are two new definitions:
“Employment benefits” means retirement, health, and other benefit programs, services, or products to which consumers or their beneficiaries receive access through the consumer’s employer.
“Employment-related information” means personal information that is collected by the business about a natural person [for use with job applicants, employees, owners, directors, officers, medical staff or contractors; emergency contact details; and to administer benefits]. The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.
The new regulations then clarify that notice of collection of employment-related information does not need to include any Do Not Sell linkage. Further, the notice of collection may link to the company’s privacy policy for job applicants, employees or contractors in lieu of the privacy policy for consumers. The new regulations also make clear that the use of employment related data is considered a business use, so it is not a sale, but the obligation to notify employees about what is collected and how it is used remains. This provision becomes inoperative, as before, on January 1, 2021, meaning at that point, all the obligations companies have towards consumers will also apply in the employment context.
Requests to Know/Delete
Another change which helps business is the revision about how requests to know/delete are to be dealt with. First, if the company operates exclusively online and so has a direct relationship with the consumer from whom the PI is collected, it need only provide an email address for submitting requests. All other businesses are to provide two or more methods for submitting such requests, with one being a toll-free number.
Companies may (not “shall”) use a two-step process for online requests, so it is no longer a requirement for the consumer to submit the request and separately confirm deletion is requested. There is also clarification the response deadlines are business not calendar days. Plus, if the business cannot verify the identity of the requestor within 45 days, the request may be denied. Further, if a request is received, the business is not required to search for personal information if: the business does not maintain the data in searchable or reasonably accessible format, it maintains the data for legal or compliance purposes only, it does not sell the data or use it for commercial purposes, and the business describes to the consumer the categories of records that may contain personal data which it did not search because it meets the other conditions stated.
Further unique biometrics were added to the list of data to not disclose, along with if the business cannot verify the identity of the requestor it is no longer required to inform the requestor of the denial if prohibited by law from doing so.
The response to any request has been revised so it now must include: 1) the categories of personal information collected about the consumer in the preceding 12 months; 2) the categories of sources from which the data was collected; 3) the purposes for which the data was collected or sold; 4) the categories of third parties with whom the data was shared; and 5) the categories of data sold or disclosed in the prior 12 months, and for each such category, the categories of third parties to whom that particular category of data was sold or disclosed.
When it comes to deletions, if the consumer data is on backup or archived systems, the request to delete may be delayed until that system is restored to an active one or is next accessed or used for a sale, disclosure or commercial purpose. Businesses are also now permitted to retain a record of the consumer’s request for deletion, provided the request was complied with, so as to insure the data remains deleted. Businesses are now also permitted to notify the consumer if deletion is not possible due to a conflict with state or federal law.
Opt-Out
Just as with other methods of consumer notices to the business, the opt-out process is to be easy to understand and straightforward to execute. Minimal steps should be required. If the consumer has global privacy settings which conflict with device settings, the business is to honor the global settings, but may notify the consumer accordingly. Any opt-out technology is to be neutral, meaning no default to opt-in or out is permitted.
If a consumer has opted out, and attempts to use a product or service that requires an opt-in, the business is to honor the existing global setting, but may notify the consumer the product or service requires opt-in and provide instructions for the consumer to be able to do so.
Recordkeeping
There are some additional changes on this topic also worthy of note. The first is, as mentioned above, training is required only once the personal information about 10,000,000 consumer is maintained in a 12 month period.
A company is to maintain a record of consumer requests and how the business has responded for at least 24 months. Such records are to be maintained in a ticket or log format to include the date and nature of the request, manner in which the request was made, date and nature of the response, and the basis for denial in whole or in part. Information maintained for recordkeeping purposes is not to be shared with third parties.
Households
The definition of a household has been refined to mean “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” If a common user name and password is used by various members of the same household, then any request, such as for deletion or knowledge, needs to be joined by all members of the household. That could end up meaning also confirming that any information about one user may need to be validated in terms of whether or not that person is still a member of the household! To comply with this change, businesses can be expected to insist that each user have their own user name and password.
Companies that have already implemented their CCPA compliance program and website/mobile app notices are now faced with deciding whether to update now or wait for further changes. Many will choose to wait since these February revisions are subject to further input, with the comment period closing on February 25, 2020.
A copy of the revisions to the regulations in red-lined format can be found here: CCPA February 2020 Regulatory Changes. If you wish to file comments, they can be sent via email to PrivacyRegulations@doj.ca.gov or by mail to Lisa B. Kim, Privacy Regulations Coordinator, California Attorney General, 300 S. Spring St, First Floor, Los Angeles, CA 90013.