In the latest development in the CCPA saga, the California Attorney General has further modified the draft regulations implementing the California Consumer Privacy Act (“CCPA”). His office’s website posted clean and redlined versions of the new regulations (the “March draft regulations”). Below, please find a summary of some of the most notable changes:

  1. Definition of “Personal Information.” The February draft restated the statutory standard that whether information is “personal information” depends on whether it is maintained in a manner that is “. . . reasonably capable of being associated or could be reasonably linked . . . with a particular consumer or household.”  It then gave an example that IP addresses are not personal information if they are not linked or reasonably linkable to a particular consumer or household.  The March draft regulations eliminate this provision, apparently because the provision was redundant with the statute. The statute already provides that information is not regulated if it is not maintained in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The statute also already is clear that businesses do not have to “identify or otherwise link information that is not maintained in a manner that would be considered personal information.”
  2. Still No Clarification Regarding The Scope of What Constitutes a Sale. The March draft regulations do not explicitly address the scope of CCPA sales. However, they do clarify that service providers may “process or maintain personal information on behalf of the business . . . in compliance with the written contract for services required by the CCPA.”  In addition, service providers can use personal information they receive from a business to “build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business.”
  3. Global Privacy Opt-out. The language obligating businesses to honor user-enabled global privacy controls continues to require that the control communicate or signal that a consumer intends to opt-out.  The apparently redundant statement that the consumer must affirmatively select to opt out and not have any pre-selected settings has been deleted.
  4. Financial Incentive Programs Potentially Out of Sync with Statutory Text. The statutory text contemplates financial incentive programs as including payments to consumers as “compensation” for the collection, sale, or deletion of personal information. The March draft regulations appear to contemplate financial incentives being “related to” the collection, retention, or sale of personal information. The substantive provisions and examples of financial incentives in the draft regulations remain largely the same as from the February draft regulations.
  5. Changes to Transparency Obligations. The March draft regulations clarify that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer, if it does not sell the consumer’s personal information. Additionally, under the March draft regulations, privacy policies must include the categories of sources from which personal information is collected, as well as the business or commercial purposes for collecting or selling personal information.
  6. Access Requests. The March draft regulations still prevent businesses from providing SSNs, financial account numbers, or certain other sensitive data, but they also require businesses to inform a consumer with “sufficient particularly that it has collected [that] type of information.”

Comments on the new regulations are due March 27, 2020 at 5:00 pm.

Print:
EmailTweetLikeLinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.