In the latest development in the CCPA saga, the California Attorney General has further modified the draft regulations implementing the California Consumer Privacy Act (“CCPA”). His office’s website posted clean and redlined versions of the new regulations (the “March draft regulations”). Below, please find a summary of some of the most notable changes:

  1. Definition of “Personal Information.” The February draft restated the statutory standard that whether information is “personal information” depends on whether it is maintained in a manner that is “. . . reasonably capable of being associated or could be reasonably linked . . . with a particular consumer or household.”  It then gave an example that IP addresses are not personal information if they are not linked or reasonably linkable to a particular consumer or household.  The March draft regulations eliminate this provision, apparently because the provision was redundant with the statute. The statute already provides that information is not regulated if it is not maintained in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The statute also already is clear that businesses do not have to “identify or otherwise link information that is not maintained in a manner that would be considered personal information.”
  2. Still No Clarification Regarding The Scope of What Constitutes a Sale. The March draft regulations do not explicitly address the scope of CCPA sales. However, they do clarify that service providers may “process or maintain personal information on behalf of the business . . . in compliance with the written contract for services required by the CCPA.”  In addition, service providers can use personal information they receive from a business to “build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business.”
  3. Global Privacy Opt-out. The language obligating businesses to honor user-enabled global privacy controls continues to require that the control communicate or signal that a consumer intends to opt-out.  The apparently redundant statement that the consumer must affirmatively select to opt out and not have any pre-selected settings has been deleted.
  4. Financial Incentive Programs Potentially Out of Sync with Statutory Text. The statutory text contemplates financial incentive programs as including payments to consumers as “compensation” for the collection, sale, or deletion of personal information. The March draft regulations appear to contemplate financial incentives being “related to” the collection, retention, or sale of personal information. The substantive provisions and examples of financial incentives in the draft regulations remain largely the same as from the February draft regulations.
  5. Changes to Transparency Obligations. The March draft regulations clarify that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer, if it does not sell the consumer’s personal information. Additionally, under the March draft regulations, privacy policies must include the categories of sources from which personal information is collected, as well as the business or commercial purposes for collecting or selling personal information.
  6. Access Requests. The March draft regulations still prevent businesses from providing SSNs, financial account numbers, or certain other sensitive data, but they also require businesses to inform a consumer with “sufficient particularly that it has collected [that] type of information.”

Comments on the new regulations are due March 27, 2020 at 5:00 pm.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.