On February 7, 2020, California’s Office of the Attorney General (CalAG) released modified California Consumer Privacy Act (CCPA) draft regulations, revising the initial draft regulations released in October 2019. The CalAG subsequently issued a further revised draft on February 10, 2020. While the explicit changes and practical ramifications are many, below we briefly summarize notable modifications, which help illustrate the impacts of the proposed changes relative to the October version and what may be on the horizon. The deadline to submit written comments on the revised draft regulations is February 25, 2020.
- Fewer Businesses Subject to Reporting Obligations. The prior proposed regulations sought to impose additional record-keeping and disclosure obligations on a business “that alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers.” In the newly proposed regulations, those obligations are limited to apply to “a business that alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 10,000,000 or more consumers in a calendar year.”
- Clarification on the Definition of “Personal Information.” The revised regulations take a welcome step toward acknowledging the practical unworkability of the CCPA’s amorphous definition of “personal information” by clarifying that it excludes certain data that is not maintained in a manner that allows it to be linked or related to a particular consumer or household. For example, the regulations provide that when a business collects IP addresses from visitors to its website, but the business does not and could not reasonably link that information to any particular consumer or household, then it is not “personal information” under the CCPA. We expect this clarification could have wide-ranging implications and, more importantly, provide guidance and flexibility to covered businesses and service providers. Further, the modifications clarify that “a business shall not use a consumer’s personal information for a purpose materially different than those disclosed in the notice at collection,” unless the business “directly notif[ies] the consumer of this new use and obtain[s] explicit consent from the consumer to use it for this new purpose.”
- Service Providers. The modifications clarify that it would be acceptable (and thus, not a “sale”) for a service provider to use a business’s personal information “to build or improve the quality of [the service provider’s] services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” The modifications also require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information. These clarifications could impact interpretations of what use cases could be acceptable “business purposes.”
- Deletion Requirements. The revised regulations provide businesses with additional guidance about handling requests for deletion of personal information. In particular, the revised regulations change how businesses would be required to handle unverified requests to delete and what businesses should tell requesters when completing deletion requests. In addition, the regulations provide more detail about when information held on an archive or backup system should be deleted. These changes could have important operational impacts on existing business processes for handling data subject requests.
- Interactive Webform Requirement – Removed. Businesses (online-only or otherwise) would not be required to provide an interactive webform for all consumer data requests. Instead, online-only businesses will need only to provide an email address, and all others must provide at least two methods, one of which must be a toll-free number. However, for requests to opt out of data sales, businesses that are not exclusively offline must still provide an interactive form via their “Do Not Sell My Personal Information” (“DNS”) link on their website/mobile application.
- Mobile App Just-in-Time Notices – New. In what effectively is an elaboration on the existing “notice at collection” mandates, businesses that collect personal information from a mobile device for unexpected purposes must now provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. Notably, the regulations offer an example that recalls the 2013 Federal Trade Commission settlement over the infamous flashlight app that collected geolocation information.
Why It Matters
As has become familiar to companies impacted by the CCPA and the prior draft regulations, certain provisions leave plenty of room for debate as a result of ambiguous wording. On balance, these proposed revised regulations introduce some practical improvements, but they still require a significant amount of consideration in interpreting broad language and in applying the newly proposed draft regulations to the practical realities of business operations. Of course, at this late stage in most companies’ readiness efforts, even welcome changes will undoubtedly require a further investment of resources, potential adjustments to existing compliance measures, and careful consideration by legal counsel.
The deadline to submit written comments on the proposed modifications is February 25, 2020. Manatt will continue to review the regulations and provide guidance to help clients develop practical measures to comply with the CCPA. If you have questions on how the proposed revised regulations may impact your business, or if you would like assistance in submitting written comments, please contact Manatt’s Privacy and Data Security team.