The California Attorney General has released both clean and redlined versions of proposed modifications to the draft implementing regulations for the California Consumer Privacy Act (“CCPA”). Below is a high-level overview of some key changes:
- Service Providers. The modified draft restricts a service provider from processing the personal information it receives from a business except in the following five circumstances: (1) performing services in the contract with the business that provided the personal information, (2) engaging a different service provider as a subcontractor, (3) using the data internally to build or improve the quality of its services (to the extent that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source); (4) detecting data security incidents or protecting against fraudulent or illegal activity; or (5) processing in accordance with certain exemptions to the CCPA. The draft also eliminates the requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business, instead permitting (without requiring) service providers to respond directly.
- Obligations around “selling” data. The modified draft fills a placeholder contained in the last draft for an example “do not sell” button (image of the two options in which the button may appear below).
The new draft also eliminates the controversial requirement (which wasn’t in the statute) for a business to pass through opt-out-of-sale requests to all parties to which the business sold a consumer’s personal information in the 90 days before the consumer exercised his or her right. However, the modified draft also contains a new requirement that businesses comply with a consumer’s opt-out request within 15 business days. Furthermore, if the business sells personal information to a third party after the consumer submitted his or her request, but before the business complied with it, the modified draft regulations require the business to notify those third parties of the consumer’s exercise of the opt-out right and direct those third parties not to sell the personal information. The modified draft regulations also allow businesses that do not collect information directly from consumers to include a link to a privacy policy with instructions on how to submit an opt-out request in their registration under the state’s new data broker law. Finally, the modified draft clarifies that any privacy control developed to submit opt-out-of-sale requests must clearly communicate the user’s intent to opt out of sales and shall not be designed with any pre-selected settings. (Importantly, the draft regulations focus on user-enabled privacy settings that control the “sale” of personal information, which are, by definition, distinct from “do not track” settings that control the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services.) - Access and Deletion Rights. The modified draft regulations make permissive the previous iteration’s requirement that deletion requests be submitted through a two-step process. They also clarify additional circumstances when a business need not search for information in response to a request to know. The new version incorporates the statutory amendment for when a toll-free telephone number is not necessary and explains that authorized agents must be registered to conduct business in California.
- Mobile. The modified draft regulations also explicitly address mobile technology. For example, if a business provides an application that collects personal information from a consumer’s device in an unexpected manner, the application has to provide just-in-time notice.
- Household. The modified draft regulations also change the requirements around household information. They permit businesses to respond to access and deletion requests related to household information from non-account holding consumers, only if all consumers of the household jointly request access, the business individually verifies them, and the business verifies that each member making the request is a current member of the household. If there’s a child younger than 13 in the household, a business must obtain verifiable parental consent under the regulations before complying with a request.
- Notice. The modified draft regulations specify that online notices must follow generally recognized industry standards to be accessible to consumers with disabilities. They also now more clearly emphasize that businesses have flexibility in the specific formatting of their notices. The new version requires more explicit notices in the employment context.
- Scope of Personal Information. The modified draft regulations explain that whether information is “personal information” depends on whether it is maintained in a manner in which it is reasonably capable of being associated with a particular consumer. The modified draft regulations then explicitly note that if a business collects an IP address but does not link the IP address to a consumer or household, then that IP address is not “personal information” under the statute.
- Minors. The modified draft regulations clarify that a business has to develop documented procedures to collect consent for the sale of minors’ personal information only if the business sells that personal information.