The CCPA Regs: They are a'changing...

The California Office of the Attorney General has published proposed amendments to the CCPA draft regulations. The amendments are open for public comment until 5:00 p.m. on February 24, 2020.

Key takeaways:

I. Transparency Requirements Added and Revised:

Businesses are required to describe the sources of information and the third parties with whom information is shared with enough particularity to give consumers a meaningful understanding of the type of person or entity. Sources include types or groupings of persons or entities from which a business collects personal information about consumers. Such types may include the consumer directly (for sources), advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.

Notice at time of collection - The notice at collection needs to be made readily available where consumers will encounter it at or before the point of collection of any personal information. Examples:

  • collection online - conspicuous link to the notice on the introductory page of the business’s website
  • collection through a mobile application - on the mobile application’s download page and within the application, such as through the application’s settings menu.
  • collection offline - on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online
  • over the telephone or in person - orally

Do not sell notice: A business that collects personal information through a mobile application may provide a link to the notice within the application, such as through the application’s settings menu.

Granular Disclosure by Category: The requirement to list sources and purposes of use by specific category seems to have been removed. However, there is still an obligation to disclose information shared with third parties by specific category.

Notice at collection for Employment: The notice at collection of employment-related information

  • does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”.
  • may include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors in lieu of a link or web address to the business’s privacy policy for consumers.

Privacy Notice:

  • A mobile application may include a link to the privacy policy in the application’s settings menu.
  • When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.

II. More Specific Requirements regarding Accessibility:

The proposed regs specify that "reasonably accessible to consumers with disabilities" means, at a minimum, for notices provided online, that the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.

III. Clarification of Concepts:

Household: Means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.

Price or service difference: To be relevant for CCPA obligations, a price or service difference needs to be related to the disclosure, deletion, or sale of personal information.

Signed: Means written attestation, declaration, or permission has either been physically signed or provided electronically per the Uniform Electronic Transactions Act, Civil Code section 1633.7 et seq.

Purpose Limitation: The prohibition on using a consumer's information for any purpose other than those specifically listed, which was arguably more onerous than that of the GDPR, has been revised to a prohibition on using a consumer’s personal information for any purpose materially different from those disclosed in the notice at collection. This is more in line with the GDPR standard of compatible purpose.

Deletion Requests and Backup: The requirement for deletion from backup files is clarified: If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.

IV. Service Providers:

Uses permitted for service providers: In addition to using the information to provide the services, service providers are also allowed to use the information:

  • To retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and the regulations;
  • For internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
  • To detect data security incidents, or protect against fraudulent or illegal activity;
  • To comply with federal, state, or local laws;
  • To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
  • To cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
  • To exercise or defend legal claims.

Response by Service Providers to consumer requests: If a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.

V. Definition of Personal Information

Question mark regarding IP addresses: "If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be 'personal information.'" Given that a website user can be a CA resident as well, and given the capabilities of the analytics and cross-device tracking technologies commonly implemented by websites, it will be interesting to understand what was intended with this provision.

VI. Data Brokers

Written Attestation from Sources: The requirement to receive a written attestation from the source of the information regarding notice and consent before reselling information has been removed.

Data brokers are not required to provide a notice at collection if they have registered with the CA OAG as a data broker pursuant to Civil Code section 1798.99.80, et seq. and have included in their registration submission a link to their online privacy policy that includes instructions on how a consumer can submit a request to opt-out.

VII. Verification:

A business shall not require the consumer to pay a fee for the verification of their request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.

New Examples for Verification:

  • A retailer may require that the consumer identify items that they recently purchased from the store or the dollar amount of their most recent purchase.
  • A business with a mobile application may require that the consumer provide information that only the person who used the mobile application may know, or require the consumer to respond to a notification sent to their device.

A business shall establish, document, and comply with a reasonable method for determining whether a person submitting a request to know or a request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.

VII. Opt out:


Requirements re: Opt Out Button:

  • Added a visual for the opt-out button.
  • When the opt-out button is used, it is to appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, as demonstrated below, and is to be approximately the same size as other buttons on the business’s webpage.

Methods for submitting requests to opt-out: The methods a business uses need to be easy for consumers to execute and require minimal steps to allow the consumer to opt-out. A business may not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.

Privacy Controls:

  • Any privacy control to signal an opt-out developed in accordance with the regulations needs to clearly communicate or signal that a consumer intends to opt out of the sale of personal information. The privacy control needs to require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.
  • If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business needs to respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
  • Amendment of the requirement for the business to inform third parties of the opt-out. The requirement now reads: If a business sells a consumer’s personal information to any third parties after the consumer submits their request but before the business complies with that request, the business needs to notify those third parties that the consumer has exercised their right to opt-out and direct those third parties not to sell that consumer’s information.

Opt in after opt out: If a consumer who has opted-out of the sale of their personal information initiates a transaction or attempts to use a product or service that requires the sale of their personal information, a business may inform the consumer that the transaction, product, or service requires the sale of their personal information and provide instructions on how the consumer can opt in.

VIII. Consumer Requests Generally:

Methods for Submitting Requests Offline: If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone by which the consumer can call the business’s toll-free number.

Request to Delete: A two-step confirmation process is optional, not required.

Timing for Response to Requests:

  • Initial confirmation: The initial confirmation should be given within 10 business days (not 10 calendar days) and may be given in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given on the phone during the phone call.
  • Full response to right to know/delete: Responses to the requests should be provided within 45 calendar days (not business days).
  • Response to request to opt out: Responses to a request to opt out should be provided within 15 business days (not 15 calendar days).

Exceptions to the Response to Request to Know:

Information held for legal or compliance: In responding to a request to know, a business is not required to search for personal information if all the following conditions are met:

  • The business does not maintain the personal information in a searchable or reasonably accessible format;
  • The business maintains the personal information solely for legal or compliance purposes;
  • The business does not sell the personal information and does not use it for any commercial purpose; and
  • The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

Sensitive information: Unique biometric data generated from measurements or technical analysis of human characteristics was added to the list of items that should not be included in a response.

IX. Household or Device Information

If a household does not have a password-protected account with a business, the business shall not comply with a request to know specific pieces of personal information about the household or a request to delete household personal information unless all of the following conditions are satisfied:

  • All consumers of the household jointly request access to specific pieces of information for the household or the deletion of household personal information;
  • The business individually verifies all the members of the household subject to the verification requirements set forth in the regs; and
  • The business verifies that each member making the request is currently a member of the household.

Where a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and requests to delete relating to household information through the business’s existing business practices and in compliance with these regulations.

X. Discrimination and Financial Incentive:

Discrimination: The proposed regs provide a number of examples of discrimination or non-discrimination. In one example, following a delete request, a retailer may refuse to delete an email address that is tied to an incentive because it is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with them, and the business can continue to provide the incentive after partially complying with the delete request. In another, regarding an incentive provided through a browser pop-up, the business may not refuse to delete the consumer's email address, and denial of the incentive following a request to delete may be discriminatory.

Financial Incentive: The proposed regs drop the concept of "typical consumer" and state that "for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons to the business and not just consumers."



Gonna be seeing a lot of this soon ...?

Jamie Blackport

Planning my next adventure | Entrepreneur and Exited Founder | Privacy and Health Data Expertise | Angel Investor

5 years

Thanks Odia Kagan, CDPO, CIPP-E, CIPP-US, CIPM, FIP ! A great timely update...

Vanessa Henri

Managing Partner @ Ceiba Law | Top 20 Women in Cybersecurity Canada, Top 40 under 40, IFSEC Global Security Influencer, Top 3 Women in Cybersecurity Law Global.

5 years

Great description! Just finished my reading and analysis for a case. Some changes have significant operational impacts, and are far from stylistic. It’s important to go through it and review past opinions issued to customers.
