On Friday, February 7, the California Attorney General’s office published a modified set of draft regulations under the California Consumer Privacy Act (“CCPA”), available online here. These are not the Attorney General’s final CCPA regulations but rather are a modified set of draft regulations that are subject to a new public comment period. The deadline to submit written comments on the modified CCPA draft regulations is February 25, 2020 at 5:00 pm (PST).
The Attorney General’s office also issued a redlined version of the modified regulations showing how this latest version differs from the original draft regulations, which we reported on in October.
Below, we provide a high-level overview of key revisions in the modified draft regulations:
1. Notices
The modified draft regulations address requirements for CCPA-required notices (i.e. notice at collection, notice of right to opt-out of sale, notice of financial incentive, and privacy policy) in more detail, particularly with regard to Do Not Sell buttons, mobile applications, accessibility, data brokers, and employee notices.
- Do Not Sell Button. The modified draft regulations provide a design for the “Do Not Sell My Personal Information” button, with two alternative versions as follows:
The modified draft regulations further specify that the button must be placed to the left of the “Do Not Sell My Personal Information” (or “Do Not Sell My Info”) link and must be approximately the same size as “other buttons on the business’s webpage.” Additionally, the modified draft regulations prohibit a business from selling any personal information it collected during a period in which it did not have a notice of the right to opt-out posted, unless it obtains the consumer’s affirmative authorization to sell that personal information.
- Mobile applications. The modified draft regulations provide that when a business collects personal information through a mobile application, it may provide the required “notice at collection” by providing a link to the notice on the mobile application’s download page and within the application itself (e.g. through the application’s settings menu). They also require businesses that collect personal information via mobile devices to provide “just-in-time” notices of collection where the business collects personal information “for a purpose that the consumer would not reasonably expect.”
- Accessibility. The initial draft of the regulations required businesses to make their CCPA‑required notices “accessible” to consumers with disabilities, without providing much guidance as to what “accessible” meant in the CCPA context. The modified regulations clarify that businesses posting those notices online must make their notices “reasonably accessible” in accordance with “generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide [Web] Consortium.”
- The Web Content Accessibility Guidelines, version 2.1, require adherent companies to, for example, provide a textual alternative to non-text content, provide a means to navigate a webpage sequentially, and include descriptive titles. These requirements may affect how businesses draft, format, or otherwise present their CCPA-required notices.
- Data Brokers. The modified draft also proposes new regulations regarding companies that have registered as data brokers under California’s recently-enacted data broker law, which we reported on in a prior client alert. The modified draft regulations provide that if a data broker has registered with the Attorney General under the data broker law, it does not need to provide a notice at collection to consumers if it has included, in its registration submission, a link to its online privacy policy that includes instructions on how a consumer may submit an opt-out request.
- Employment-Related Notices. The modified draft regulations add a provision regarding the content of an employment-related notice at collection. While an October 2019 amendment to the CCPA provided a one-year moratorium excluding employees from the scope of many of the law’s requirements, businesses still are required to provide a notice at collection that covers employment-related personal information. The modified draft regulations state that, in their employment-related notice at collection, businesses do not need to include a “Do Not Sell My Personal Information” link and may include a link to an employee-focused privacy policy, rather than a consumer-facing privacy policy. Like the October 2019 amendment, this provision will become inoperative on January 1, 2021, unless the CCPA is otherwise amended.
2. Handling Consumer Requests
The modified draft regulations include a number of changes and clarifications concerning how to handle consumer requests, particularly with regard to response timing, searching for personal information in response to a request to know, and “privacy controls.”
- Timing. The initial draft regulations stated that businesses had to confirm receipt of requests to know and requests to delete within 10 days, and “act upon” a request to opt-out within 15 days. The modified draft regulations clarify that these timeframes are envisioned in terms of business, not calendar, days. By contrast, the modified draft regulations provide that the 45-day timeframe to respond to requests to know and requests to delete will be assessed in terms of calendar days. In addition, the modified draft regulations also make clear that businesses are not expected to merely “act upon” opt-out of sale requests within 15 business days — they are expected to “comply with” such requests within 15 business days.
- Requests to Know. Under the modified draft regulations, a business is not required to search for personal information in response to a request to know if all of the following conditions are met: (1) the business does not maintain the personal information in a searchable or reasonably accessible format; (2) the business only maintains the personal information for legal or compliance purposes; (3) the business does not sell the personal information or use it for any commercial purpose; and (4) the business describes, to the consumer, the categories of records that could contain personal information that it did not search because it met these conditions.
- Privacy Controls. The modified draft regulations offer greater detail around the use of “global privacy controls . . . that communicate or signal the consumer’s choice to opt out of the sale of their personal information.” Specifically, the modified draft provides that “[a]ny privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to the opt-out of the sale of personal information. The privacy control shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.”
3. Service Providers
The modified draft regulations delete the prohibition on service providers using the personal information collected from one client to provide a service to another client. They also include a more detailed list outlining permitted uses of personal information by service providers, including:
- to retain another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and the regulations;
- for internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
- to detect data security incidents, or protect against fraudulent or illegal activity; and
- to comply with laws, cooperate with law enforcement, and exercise or defend legal claims.
These additions offer more clarity about the extent to which a vendor may use personal information for product improvement or other internal purposes, without ceasing to qualify as a “service provider” under the CCPA.
4. Definitions
The modified draft regulations provide significant additional guidance about key definitions, particularly the definitions of “personal information” and “households”:
- Personal Information. The modified draft regulations state that whether information is considered “personal information” depends on whether the information is maintained in a manner that identifies particular consumers or households. They also provide an illustrative example pertaining to IP addresses: if a business collects the IP addresses of visitors to its website, but does not link the IP addresses to particular consumers or households — and could not reasonably link the IP addresses to particular consumers or households — then the IP addresses would not be considered “personal information.”
- Households. The modified draft regulations clarify the definition of “household” and provide more detailed guidance on responding to requests to access or delete household information. These proposed changes are significant because the CCPA invokes the concept of a “household” without providing much guidance on the meaning of the term or how consumer requests operate in the “household” context.
- The modified draft regulations state that a “household” is a person or group of people who (1) reside at the same address, (2) share a common device or service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier. They also state that a business that receives a CCPA request from a household must verify all members of the household, as well as verify that each individual making the request is a member of the household in question.
- The modified draft regulations further provide that if a member of a household is a child under the age of 13, a business must obtain verifiable parental consent before complying with an access or deletion request related to household personal information.
5. Financial Incentives
The modified draft regulations provide additional examples of permissible and impermissible financial incentive programs, including the following summarized examples:
- Example. A business runs a loyalty program that issues coupons via email to customers after the customers have spent a certain amount of money with the business. If a consumer submits a deletion request but also informs the business that he/she would like to remain a part of the loyalty program, the business may deny the deletion request as to the consumer’s email address, as well as the amount the consumer has spent with the business, because that information is necessary for the business to provide the loyalty program as requested by the consumer, and maintaining the information is reasonably anticipated within the context of the business’s ongoing relationship with the consumer.
- Example. A business runs a loyalty program through which consumers receive coupons and discounts when they provide their phone numbers. If the business grants a consumer’s opt-out of sale request but no longer allows the consumer to participate in the loyalty program, this would be discriminatory, unless the business could demonstrate that the coupons and discounts are reasonably related to the value of the consumer’s information to the business.
The modified CCPA draft regulations reflect the Attorney General’s efforts to respond to public input on the prior draft regulations, and to consider additional input before finalizing the regulations. As noted above, companies may submit comments on the modified draft regulations to the Attorney General’s office by February 25, 2020 at 5:00 pm (PST).
For updates and other resources on CCPA, please visit Morrison & Foerster’s CCPA Resource Center.