The California Attorney General has released both clean and redlined versions of proposed modifications to the draft implementing regulations for the California Consumer Privacy Act (“CCPA”). Below is a high-level overview of some key changes:
- Service Providers. The modified draft restricts a service provider from processing the personal information it receives from a business except in the following five circumstances: (1) performing services in the contract with the business that provided the personal information, (2) engaging a different service provider as a subcontractor, (3) using the data internally to build or improve the quality of its services (to the extent that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source); (4) detecting data security incidents or protecting against fraudulent or illegal activity; or (5) processing in accordance with certain exemptions to the CCPA. The draft also eliminates the requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business, instead permitting (without requiring) service providers to respond directly.
- Obligations around “selling” data. The modified draft fills a placeholder contained in the last draft for an example “do not sell” button (image of the two options in which the button may appear below).
- Access and Deletion Rights. The modified draft regulations make permissive the previous iteration’s requirement that deletion requests be submitted through a two-step process. They also clarify additional circumstances when a business need not search for information in response to a request to know. The new version incorporates the statutory amendment for when a toll-free telephone number is not necessary and explains that authorized agents must be registered to conduct business in California.
- Mobile. The modified draft regulations also explicitly address mobile technology. For example, if a business provides an application that collects personal information from a consumer’s device in an unexpected manner, the application has to provide just-in-time notice.
- Household. The modified draft regulations also change the requirements around household information. They permit businesses to respond to access and deletion requests related to household information from non-account holding consumers, only if all consumers of the household jointly request access, the business individually verifies them, and the business verifies that each member making the request is a current member of the household. If there’s a child younger than 13 in the household, a business must obtain verifiable parental consent under the regulations before complying with a request.
- Notice. The modified draft regulations specify that online notices must follow generally recognized industry standards to be accessible to consumers with disabilities. They also now more clearly emphasize that businesses have flexibility in the specific formatting of their notices. The new version requires more explicit notices in the employment context.
- Scope of Personal Information. The modified draft regulations explain that whether information is “personal information” depends on whether it is maintained in a manner in which it is reasonably capable of being associated with a particular consumer. The modified draft regulations then explicitly note that if a business collects an IP address but does not link the IP address to a consumer or household, then that IP address is not “personal information” under the statute.
- Minors. The modified draft regulations clarify that a business has to develop documented procedures to collect consent for the sale of minors’ personal information only if the business sells that personal information.