California Attorney General Publishes Modifications to CCPA Regulations
Privacy & Cybersecurity Update
Date: March 16, 2020
As we have previously reported, compliance with the now-effective California Consumer Privacy Act (CCPA) continues to be a process of shooting at a moving target. Even though the CCPA became effective on January 1, 2020, the California Attorney General has yet to finalize the implementing regulations he was charged with issuing by the state legislature. California Attorney General Xavier Becerra published the initial draft of CCPA regulations in October of 2019. On February 7, 2020 (and then again on February 10, 2020), his office published modifications to the draft regulations. On March 11, the Attorney General published additional modifications to the draft regulations to clarify and conform the proposed regulations to existing law.
Here’s a summary of the critical changes made in this second round of modifications:
- Removal of previous guidance regarding the definition of personal information. The CCPA regulations were initially modified in February to add a section that provided express guidance on how to determine whether certain online identifiers are considered “personal information” for purposes of the CCPA. The proposed March regulations removed that particular guidance entirely.
- Clarification on notice requirement for businesses that don’t interact directly with consumers. The March modifications clarify that a business that does not collect personal information directly from consumers need not provide a notice at the point of collection, as long as the business does not “sell” the consumer’s personal information. Notably, the regulations do not address how such notice would be given in the event a business does sell personal information that it indirectly receives about a consumer.
- Privacy notices when collecting employment information. Although personal information collected and retained in the employment context is largely exempt from the CCPA, it is still subject to the notice at collection requirements (and is subject to the CCPA’s data breach provisions). The February modifications required that a business collecting employment-related information provide in these employee-related notices a copy of, or a link to, the business’s privacy policies. The proposed March regulations removed that requirement.
- Removal of opt-out buttons or logos. The CCPA requires the California Attorney General to provide regulatory guidance on how businesses provide notice of a consumer’s right to “opt out” of the sale of their personal information. In February, the regulations were amended to include an icon illustrating an online opt-out “button” or “logo” that businesses can post on their website to address this issue. The March amendments deleted this much-criticized graphic presentation in its entirety and did not provide any alternative, leaving businesses to return to designing their own website graphics.
- Content of privacy notices. The CCPA regulations contain specific provisions regarding the content that businesses must include within their online privacy policies. The regulations update these requirements to clarify how, and to what extent, a business (i) identifies the categories of sources from which the personal information is collected, (ii) discloses the business or commercial purpose for collecting or selling personal information, and (iii) addresses the “sale” of personal information of minors under 16 years of age.
- Responses to requests to know. The regulations continue to prohibit businesses from disclosing sensitive information like social security numbers or financial account numbers in responses to consumer requests to know. The March regulations updated these requirements to require a business to inform consumers with “sufficient particularity” that the business has collected that type of information. For example, a business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Service provider requirements. The CCPA generally prohibits services providers from using personal information that it processes on behalf of businesses for its own purposes. The March regulations clarify that service providers may use or disclose such personal information obtained in the course of providing its services (including building consumer profiles for use only by the specific business from which the service provider receives this information), as long as the service provider processes the information (i) on behalf of the business that provided it or that directed the service provider to collect it and (ii) in compliance with the written contract for services required by the CCPA.
- Privacy controls. The CCPA regulations were modified in February to clarify the requirement that user-enabled privacy controls, like browser plugins or privacy settings, must (i) clearly communicate or signal that the consumer intends to opt-out of the sale of personal information, (ii) require the consumer to affirmatively select their choice to opt-out, and (iii) not be designed with any pre-selected setting. The March amendments remove requirements (ii) and (iii), requiring now only that such controls communicate the consumer’s intent clearly.
All written comments regarding this second set of proposed changes must be submitted to the Attorney General’s office by March 27, 2020. Importantly, the Attorney General has not indicated any intention to postpone the July 1, 2020 enforcement deadline, when the regulations will be completed, or whether they will even be completed prior to the deadline. Accordingly, covered businesses should continue to monitor the regulatory drafting process and update or adjust their compliance programs as needed. We continue to follow developments of the CCPA and will be sure to keep you updated.
FOR MORE INFORMATION
For more information, please contact:
Craig A. Foster
Steven G. Stransky
Thomas F. Zych
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.