In the latest development in the CCPA saga, the California Attorney General has further modified the draft regulations implementing the California Consumer Privacy Act (“CCPA”). His office’s website posted clean and redlined versions of the new regulations (the “March draft regulations”). Below, please find a summary of some of the most notable changes:
- Definition of “Personal Information.” The February draft restated the statutory standard that whether information is “personal information” depends on whether it is maintained in a manner that is “. . . reasonably capable of being associated or could be reasonably linked . . . with a particular consumer or household.” It then gave an example that IP addresses are not personal information if they are not linked or reasonably linkable to a particular consumer or household. The March draft regulations eliminate this provision, apparently because the provision was redundant with the statute. The statute already provides that information is not regulated if it is not maintained in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The statute also already is clear that businesses do not have to “identify or otherwise link information that is not maintained in a manner that would be considered personal information.”
- Still No Clarification Regarding The Scope of What Constitutes a Sale. The March draft regulations do not explicitly address the scope of CCPA sales. However, they do clarify that service providers may “process or maintain personal information on behalf of the business . . . in compliance with the written contract for services required by the CCPA.” In addition, service providers can use personal information they receive from a business to “build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business.”
- Global Privacy Opt-out. The language obligating businesses to honor user-enabled global privacy controls continues to require that the control communicate or signal that a consumer intends to opt-out. The apparently redundant statement that the consumer must affirmatively select to opt out and not have any pre-selected settings has been deleted.
- Financial Incentive Programs Potentially Out of Sync with Statutory Text. The statutory text contemplates financial incentive programs as including payments to consumers as “compensation” for the collection, sale, or deletion of personal information. The March draft regulations appear to contemplate financial incentives being “related to” the collection, retention, or sale of personal information. The substantive provisions and examples of financial incentives in the draft regulations remain largely the same as from the February draft regulations.
- Changes to Transparency Obligations. The March draft regulations clarify that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer, if it does not sell the consumer’s personal information. Additionally, under the March draft regulations, privacy policies must include the categories of sources from which personal information is collected, as well as the business or commercial purposes for collecting or selling personal information.
- Access Requests. The March draft regulations still prevent businesses from providing SSNs, financial account numbers, or certain other sensitive data, but they also require businesses to inform a consumer with “sufficient particularly that it has collected [that] type of information.”
Comments on the new regulations are due March 27, 2020 at 5:00 pm.