Without the fanfare that accompanied the release of the original proposed regulations, California Attorney General Xavier Becerra released modified regulations regarding the California Consumer Protection Act late in the afternoon on February 7. An updated version was released on February 10. The modifications were prepared in response to the extensive feedback received during the comment period, which closed on December 6.
Although many of the changes were non-substantive clarifications, many were not. Like the previous version of the regulations, the new version imposes additional obligations on businesses that are not found in the text of the CCPA itself. Most are pro-consumer, but a number are actually pro-business. Here is a summary of some of the more relevant changes.
Personal information. The modified regulations contain an entirely new section entitled “Guidance Regarding the Interpretation of CCPA Limitations,” which further delineates “personal information” and now provides an example of what would not be considered as such: “If a business collects the IP address of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” (Emphasis added.) This modification is a nod to website analytics to the extent they use anonymized or aggregate information.
Businesses are now required to describe how they collect personal information about consumers, and to whom they disclose the information, with enough particularity to provide consumers with a “meaningful understanding.” Businesses will have to explicitly list sources of the collected personal information and the categories of third parties with whom they have shared that information during the preceding 12 months.
The definition of “household” personal information has been elaborated from individuals “occupying a single residence,” to those “who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” Thus, this modification provides substantial clarity to businesses attempting to comply with it.
Required notices/WCAG 2.1. In another entirely new section entitled “Overview of Required Notices,” the Attorney General has made clear that four areas of the CCPA require affirmative written notice: (1) the Privacy Policy, (2) the Notice at Collection, (3) the Right to Opt-Out, and (4) the Financial Incentive Disclosure. As before, these notices must be accessible by individuals with disabilities. The Attorney General has now specifically mandated that businesses “shall follow generally recognized industry standards, such as the Website Content Accessibility Guidelines, version 2.1 of June 2, 2018.” Although a number of courts in cases construing obligations under Title III of the Americans with Disabilities Act have held that the WCAG guidelines are to be the standard, the modified CCPA regulations appear to be one of the few instances in which the guidelines are specifically suggested or required by regulation.
The writing is on the wall for website accessibility, and businesses would be wise to start coding to be compatible with JAWS and NVDA screen readers sooner than later. Indeed, the California Supreme Court has recently held that an ADA website violation is enforceable under the Unruh Civil Rights Act if a person with a visual disability goes onto the site with the intent of transacting business and is deprived of doing so due to access restrictions – regardless of whether the website has a nexus to a brick-and-mortar establishment.
Interestingly, the Privacy Policy no longer needs to disclose the commercial purpose for which each category of information was collected. Rather, it now must identify only (1) the categories of personal information collected in the preceding 12 months, (2) the categories of personal information disclosed or sold to third parties in the preceding 12 months, and (3) for each category of personal information sold or disclosed, the categories of third parties to whom the information was sold or disclosed.
Further clarity to the Notice at Collection has been provided. First, the Notice, which must be supplied at or before the point of collection, now “shall be made readily available” and “may” be in a “conspicuous” link on the “introductory page” and on all web pages where personal information is collected. When personal information is collected from a telephone, the notice “may” be provided orally. Similar provisions are made for the Privacy Policy and Right to Opt-Out.
As to job applicant/employee personal information, the modified regulations have clarified that the Notice at Collection need not contain a link to a Do Not Sell option – at least not until January 1, 2021, when the Assembly Bill 25 sunsets.
Mobile devices. The modified proposed regulations clarify that a business can provide the Privacy Policy and Notice at Collection by supplying a link to the Privacy Policy or Notice on the mobile app’s download page and within the app, such as within the app’s settings menu. Moreover, when a business collects personal information from a consumer’s mobile device for a purpose “the consumer would not reasonably expect,” it must provide a “just-in-time” notice containing a summary of the categories of personal information being collected and a link to the full Notice at Collection.
Requests to know and delete. Interesting changes have been made here. For example, a business that operates exclusively online and has a “direct relationship” with the consumer will be required only to provide an email address for submission of requests to know. All other businesses are to provide two or more ways to submit those requests, including, at a minimum, a toll-free number. If a business interacts with consumers primarily in person, it “shall consider” providing an in-person form, such as a printed form that the consumer can submit directly or by mail. The foregoing replaces the three methods previously required under the original proposed regulations.
The timeframe for responding to requests to know and delete has also been clarified. For example, instead of having to acknowledge receipt of a request within 10 days, a business now has 10 business days. The 45-calendar-day response time, however, remains the same. Notably, a business is not required to search for information that it does not maintain “in a searchable or reasonably accessible format,” that is maintained solely for “legal or compliance purposes,” and that is not sold or used for a commercial purpose, if the business “describes to the consumer the categories of records that may contain personal information that it did not search because it meets the [foregoing conditions].”
Mirroring a trend in other states, biometric data “generated from measurements or technical analysis of human characteristics” has now been added to the categories of personal information that are not to be disclosed.
Service providers and third parties. More granularity has been provided with respect to service providers. Interestingly, a service provider who receives a deletion request will now have the option of making the deletion itself on behalf of the business. Under the prior rules, it could not do so and had to inform the business of the request. Moreover, a third party that purchases personal information is no longer required to contact the consumer directly to provide notice and an opt-out, or to contact the source and confirm that the source provided the required notice and obtain signed attestations.
Requests to opt out of sale. The word “global” has been placed before all references to privacy controls. This makes clear to the business that a consumer’s global choice should override any site-specific selection a consumer has made. In the event of a conflict, however, the business can now contact the consumer to inform him or her of the conflict and allow a choice. There can be no presets, and all acts must be affirmative. An “opt-out” button may now be used in addition to the “Do Not Sell My Personal Information” link. The opt-out method must be easy for consumers to execute and require minimal steps to allow the consumer to opt out. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
The Attorney General has also added a new opt-out requirement: if a business sells personal information and the consumer has not already made a request to opt out, the business must now ask the consumer whether he or she would like to opt out of the sale. The business must also include either the contents of, or a link to, the notice of right to opt out in accordance with Section 999.306. Upon receipt of an opt-out request, a business now has 15 business days to comply. In a rather dramatic plus for businesses, a business no longer needs to hunt down and contact third parties to whom they sold the consumer’s data within the 90-day period before the opt-out request. Instead, this obligation is now limited to information sold to third parties between the time of a business’s receipt of an opt-out request and the date of actual compliance.
Loyalty programs/not discrimination. If a consumer informs the business that he or she would like to remain in a loyalty program but otherwise have the business delete the consumer’s information, it is lawful under the CCPA for the business to deny the deletion request as it applies to the information necessary to maintain the enrollment in and benefits from the loyalty program. A business’s denial of a consumer’s request to know, request to delete, or request to opt out for reasons permitted by the CCPA or the regulations will not be discriminatory if the disclosure and valuation mandates of the CCPA and regulations have been adhered to.
Reasonable security procedures. As before, a business must maintain records of consumer requests and how the business responded to such requests for at least 24 months. However, the business must now “implement and maintain reasonable security procedures and practices” in maintaining these records. Moreover, such information shall be maintained only for record-keeping purposes, except to review and modify the business’s compliance procedures. It cannot be shared with any third party. Authorized agents must now also use reasonable security procedures.
Many other tweaks have been made to the proposed regulations, and you will need to carefully review them with your privacy attorney for the specific issues and questions you may have. The Attorney General is currently accepting written comments on the proposed changes and documents relied upon in the rulemaking. Comments must be submitted to the Attorney General no later than 5 p.m. on Tuesday, February 25. Given the Attorney General’s timetable, the regulations may come into force as early as May 2020.