On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA). The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which concluded in December 2019. Overall, the modified regulations provide helpful clarifications that should lessen compliance burdens for a number of industries. Of note, the modified regulations:
- Limit Definition of Personal Information. The modified regulations clarify that “personal information” does not include information that a business collected but cannot reasonably link to a consumer. For example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household” then the IP address would not be “personal information.” This is a particularly important limitation for businesses that don’t have a direct relationship with California consumers but rather only collect personal information via the website.
- Define Reasonable Accessibility. The initial proposed regulations included a new requirement that privacy policies and online notices be reasonably accessible, without offering any definition of the standard. The modified regulations state that reasonable accessibility means compliance with generally recognized industry standards, such as the Web Content Accessibility Guidelines, v2.1, the prevailing standard used for ensuring compliance with the Americans with Disabilities Act (ADA) website accessibility requirements.
- Requiring Just-in-Time Notice for Unexpected Data Collection. The modified regulations state, “When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.” This requirement aligns with Federal Trade Commission (FTC) guidelines and the 2020 Network Advertising Initiative (NAI) Code of Conduct.
- Removal of Webform Requirement. The modified regulations remove a requirement set forth in the initial proposed regulations requiring businesses to provide two or more methods for consumers to submit consumer access requests, one of which was an interactive webform. The modified regulations permit businesses to meet this requirement by providing a toll-free number and a designated email address.
- Limiting Search Obligations in Response to Right to Know Requests. The modified regulations clarify that a business is not required to search for personal information in response to a right to know request where the business: (1) does not maintain the personal information in a searchable or reasonably accessible form; (2) maintains the personal information for legal or compliance purposes; (3) does not sell or use the personal information for a commercial purpose; and (4) describes to the consumer the categories of records that may contain personal information that the business did not search. This limitation partly addresses the question of whether (and when) right to know requests include access to data held in hard-to-search, unstructured systems.
- Opt-Out Buttons. The modified regulations include examples of compliant opt-out buttons.
- Streamlining Requirements for Data Brokers. The initial proposed regulations required that a company selling information it had collected indirectly ensure that the first-party business had issued a “notice at collection” to the consumer. The current draft removes this requirement provided these third parties register as data brokers and include a link to their privacy policy, which contains opt-out instructions.
There are other changes to the regulations that have the effect of limiting some of the other compliance burdens for businesses. As expected, however, the modified regulations do not provide additional clarity regarding the meaning of “sale/sell/selling” or define what “reasonable data security” means.
The AG’s Office will accept public comments on the modified regulations until February 24, 2020. The regulations are expected to be finalized in April or May 2020.