On March 11, 2020, the California Attorney General published its second modification to the California Consumer Privacy Act (CCPA) proposed regulations (“Second Modified Proposed Regs”). The redline includes the Second Modification language in blue and green as well as the first modification edits that were issued on February 10, 2020 (“First Modified Proposed Regs”). Collectively, the First Modified Proposed Regs and the Second Modified Proposed Regs are referred to below as the “Modified Proposed Regs.” The redlined comparison between the originally proposed regulations and the Modified Proposed Regs can be found here. All citations below are to the Modified Proposed Regs posted on March 11, 2020. In addition to changes to the regulations, the Attorney General added supporting documents and information, which can be found here.

Several comments to the First Modified Proposed Regs were submitted between February 10, 2020 and February 25, 2020. Notably, the consumer advocates expressed concern about the more “business” friendly updates to the proposed regulations. See attached. The Second Modified Proposed Regs appear to respond to some of the concerns expressed by consumer groups.

No matter the impetus for the further edits contained in the Second Modified Regs, it is important for businesses to be aware that the Modified Proposed Regs introduce many changes to the initial proposed regulations released on October 10, 2019. These changes, proposed between February and March 2020, reflect a roadmap detailing the Office of the Attorney General’s thinking regarding enforcement, so they should be reviewed closely. This article highlights ten areas with notable changes for businesses.

  1. Verification. The Modified Proposed Regs provide businesses more guidance and leeway for verifying consumer requests. For example, if a business cannot verify the consumer within the 45-day window to respond to a consumer request, it may simply deny the request. §999.313(b). In fact, a business “shall” deny an unverifiable request for specific pieces of personal information (“PI”). §999.325(f). The Modified Proposed Regs provide two concrete examples of how a business can verify a non-accountholder. A retailer that maintains purchase history information may require the consumer to identify his or her recent purchases, or the dollar amount of his or her most recent purchase. §999.325(e)(1). A reasonable verification method for a business that collects PI via a mobile app may be to ask consumers to provide information that only the person using the mobile app would know, or to require a consumer to respond to a notification sent to their device. §999.325(e)(2). For requests submitted by an “authorized agent,” a business can now require the consumer to “directly confirm” with the business that he or she provided the agent signed permission to submit a request on his or her behalf. §999.326(a)(1), (a)(3). In addition, a business cannot require consumers or their authorized agents to pay a fee in order to verify requests to know or delete, and it may not require a consumer to provide a notarized affidavit to verify his or her identity unless it compensates the consumer for the cost. §999.323(d).
  2. Service Providers. The prohibition against a service provider using PI received from one entity for the purpose of providing services to another entity is deleted, along with the restriction on combining PI except for data security or fraud prevention purposes. §999.314(c). Instead, the Modified Proposed Regs now allow a service provider to use, retain, or disclose PI (1) “[t]o process or maintain PI on behalf of the business that provided the PI, or that directed the service provider to collect the PI, and in compliance with the written contract for services required by the CCPA”; (2) “[t]o retain or employ another service provider as a subcontractor”; or (3) “[f]or internal use by the service provider to build or improve the quality of its services,” provided, however, that the “use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.” §999.314(c)(1)-(3). That is, a service provider can combine data from multiple sources so long as it does not “build or modify” household or consumer profiles or “correct or augment” the data acquired from a source other than the business that it is servicing. In the ad tech or analytics context, many vendor contracts permit companies to use anonymized or deidentified data to improve the product offering. Care should be taken to ensure that (a) deidentification occurs to the standard articulated in the CCPA which requires technical controls to prevent reidentification of the deidentified data to a consumer; and (b) such product improvements do not involve building or modifying consumer or household profiles or correcting/augmenting data. 
If a business would like to ensure that it can rely upon the exception to the definition of “sales” for service providers, so as to remove the obligation to post a Do Not Sell link on its website homepages, it should consider updating its service provider agreements that permit use of data to improve the service provider’s services, to include requirements that deidentification will meet CCPA standards and profile enhancements will not occur.
  3. Notices to Consumers. The regulations clarify what notices to consumers are required and what information is required in the notices. There are four types of consumer notices: (1) Privacy policy—applicable to all businesses; (2) Notice at collection—applicable to businesses that collect PI; (3) Notice of right to opt-out—applicable to businesses that sell PI; and (4) Notice of financial incentive—applicable to businesses that offer a financial incentive or price or service difference. §999.304. All four notices must be reasonably accessible to consumers with disabilities. §§999.305(a)(2)(d); 999.306(a)(2)(d); 999.307(a)(2)(d); 999.308(a)(2)(d). For online notices, that means following “generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.” §999.306(a)(2)(d). For privacy policies and notices at collection, the requirement to disclose information “for each category of PI” is deleted. §§999.305(b)(2), 999.308(d)(1). However, with regard to the disclosure or sale of PI, the Modified Proposed Regs added a new statement that, “[f]or each category of PI identified, provide the categories of third parties to whom the information was disclosed or sold.” §999.308(c)(1)(g)(2). The Second Modified Regs also added provisions that require the privacy policy to identify the categories of sources from which PI is collected as well as the business or commercial purpose for collecting or selling information. §999.308(c)(1)(e)-(f).
Consequently, the right to know section of the privacy policy now requires the following information: categories of PI collected in the preceding 12 months; categories of PI disclosed for a business purpose or sold to third parties in the preceding 12 months; for each category of PI disclosed for a business purpose or sold, the categories of third parties to whom the PI was disclosed or sold; the sources from which PI is collected; the business or commercial purpose for collecting or selling information; and whether the business has actual knowledge that it sells PI of minors under 16 years old. §999.308(c)(1)(d), (c)(1)(g)(3). If the business has actual knowledge that it sells the PI of minors under 16, the privacy policy must also include a description of the processes required by sections 999.330 and 999.331 (i.e., processes for opting-in to the sale of minor PI).
  4. Notice at Collection for:
    1. Businesses That Do Not Collect Personal Information Directly – Data Brokers. The requirement for businesses that do not collect PI directly from consumers to either provide notice to the consumer directly or to contact the source for confirmation and attestation is replaced with a provision that relieves them of the requirement to provide a notice at collection if the business does not sell the consumer’s PI and does not collect PI directly from the consumer. §999.305(d). If a data broker (a) registers with the Attorney General as a data broker and (b) includes in its registration a link to its privacy policy that includes instructions on how a consumer can opt-out, the registered data broker need not provide a notice at collection. Id.
    2. Businesses to Employees. Employers need not include a link to the business’s privacy policy or Do Not Sell links in the Notices at Collection for employees. §999.305(f)(1),(2).
  5. Opt-Out of Sale. The opt-out button that was proposed in the first modification to the regulations at §999.306(e) was deleted in the second modification of the regulations released on March 11, 2020. The deletion may have been in reaction to consumer and industry negative feedback submitted through the written public comment process that concluded on February 25, 2020. Methods for submitting opt-out requests must be easy to execute with minimal steps to opt-out. §999.315(c). If a business sells PI to any third parties after the consumer submits the opt-out request but before the business complies with the request, it must notify the third parties that the consumer has exercised their right to opt-out and direct them not to sell that consumer’s PI. §999.315(f). A business therefore can look to limit third parties it must notify by not selling to third parties between the opt-out request and response and/or responding sooner than the allowed 15 business days. The Modified Proposed Regs provide specific requirements and guidance, including diagrams, for the opt-out button, which is still optional and would be in addition to, but not in lieu of, posting the notice of right to opt-out. §999.306(f). Also, the requirement to treat an unverifiable request to delete as a request to opt-out is deleted. §999.313(d)(1). Instead, the business is required to ask the consumer if they would like to opt out of the sale of their PI and include either the contents of, or a link to, the opt-out notice. §999.313(d)(7).
  6. Do Not Sell Signals. The requirement to honor user-enabled controls to opt-out of sale, while not stricken, is narrowed. The user-enabled privacy control must “clearly communicate or signal that a consumer intends to opt out of the sale of PI.” §999.315(d)(1). If such a global control conflicts with a consumer’s business-specific privacy setting or participation in the business’s financial incentive program, the business would be permitted to notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program. §999.315(d)(2).
  7. Designated Methods. The Modified Proposed Regs expressly provide that businesses that operate exclusively online and have a direct relationship with consumers are only required to provide a designated email address for submitting requests to know. §999.312(a). The requirement that businesses with a website have an interactive webform for submitting requests to know and requests to delete is deleted. Id. However, an interactive form is required for requests to opt-out, and the CCPA continues to require businesses with websites to “make the internet website available to consumers to submit requests.” Cal. Civ. Code §1798.130(a)(1)(B); see also §999.315(a). Therefore, as a practical matter, for businesses that already have set up a web portal to handle CCPA requests, it would be best to maintain it. Also, the Modified Proposed Regs strike the requirement that a business with a website that primarily interacts with a consumer at a physical location provide three designated methods for submitting requests. §999.312(c)(2). Instead, if a business interacts with consumers in person, it should consider providing an in-person method, such as a printed form that can be directly submitted or mailed, a tablet or computer on which consumers can complete and submit an online form, or a telephone by which consumers can call the toll-free number. §999.312(c).
  8. Responding to Requests
    1. Requests to Know Specific Pieces of Information. In responding to a request to know, a business is not required to search for a consumer’s PI if it: (1) does not maintain the PI in a searchable or reasonably accessible format; (2) maintains the PI solely for legal or compliance purposes; (3) does not sell the PI and does not use it for any commercial purpose; and (4) describes to the consumer the categories of records that may contain PI that it did not search because it meets the above conditions. §999.313(c)(3). The prohibition against providing specific pieces of PI if the disclosure would create a security risk is deleted. Id. Also, added to the list of information that cannot be disclosed is “unique biometric data generated from measurements or technical analysis of human characteristics.” §999.313(c)(4). That said, a business shall inform the consumer with sufficient particularity that it has collected the type of information. Id. The regulations give the example that a business can reveal to a consumer that it has “unique biometric data including a fingerprint scan,” without disclosing the actual fingerprint scan data.
    2. Requests to Delete. Because of the deletions in §999.313(d)(1) discussed in the opt-out section, companies are left with the simple requirement from the original regulations that they can deny a request to delete if the consumer’s identity cannot be verified and inform the requestor of same.
  9. Financial Incentives/Price or Service Difference. Businesses that offer financial incentives or price or service differences related to the “collection, retention or sale” of PI are required to provide a notice of financial incentive. §§999.301(j), (o); 999.307(a)(1). A financial incentive no longer needs to be “as compensation for” the collection, retention, or sale of PI but instead just “related to” same. §999.301(j). To offer a financial incentive or price or service difference, a business must either provide a good faith estimate of the value of consumer data or show how the financial incentive or price or service difference is reasonably related to the value of the consumer data to the business. §999.336(b). The Modified Proposed Regs add three instructive examples, two involving loyalty programs and one a web pop-up discount. §999.336(d)(2)-(4). Notably, if a consumer makes a deletion request but also wants to continue participating in a loyalty program, a business may deny the request to delete certain PI (e.g., an email address) that is necessary to continue providing the program. §999.336(d)(2). Further, a price or service difference is not discriminatory if it is the direct result of federal law (as previously) and, now, state law. §999.336(g).
  10. Other Modifications:
    • Valuation. For valuation, a business may consider the value “to the business of the data of all natural persons in the United States and not just consumers” instead of the “value of the data of all natural persons to the business.” §999.337(b).
    • The Second Modified Proposed Regs deleted §999.302, titled “Guidance Regarding the Interpretation of CCPA Definitions.” Accordingly, the verbiage indicating that IP addresses (on their own) would not be PI unless capable of being reidentified is eliminated in the Modified Proposed Regs.
    • Timing of Responses to Requests. Businesses have 10 business days to confirm receipt of a request to know or request to delete, and 15 business days to comply with a sale opt-out request. Compare §999.313(a) with §999.315(f). Businesses have 45 calendar days to respond to requests to know or requests to delete. §999.313(b).
    • Heightened Threshold to Qualify as a Large Data Collector. The special recordkeeping requirement under §999.317(g) now applies to a business that knows or reasonably should know that it, alone or in combination, buys, receives or shares PI for commercial purposes, or sells the PI of 10 million or more consumers in a calendar year.
    • Recordkeeping. Information maintained for recordkeeping purposes may be shared with a third party if necessary to comply with a legal obligation. §999.317(e).
    • Two-Step Confirmation for Deletion Requests is Optional. Providing a two-step confirmation process for online requests to delete is optional, not mandatory. §999.312(d). But providing a two-step process to confirm opt-in requests after the consumer opted out is still mandatory. §999.316(a).
    • Just-in-Time Notice for Unexpected Collection Purposes. When a business collects consumers’ PI through a mobile app, it may provide a link to the notice on the download page and within the app, such as in the app’s settings menu. §999.305(a)(3)(b). Just-in-time notice is required for apps that a consumer would not reasonably expect to collect PI. §999.305(a)(4). Businesses may provide a link to the notice of right to opt-out and the privacy policy within the app, such as through the app’s settings menu. §§999.306(b)(1), 999.308(b).