CCPA Update: AG’s Office Publishes Modified Proposed Regulations

Husch Blackwell LLP

Keypoint: The modified proposed regulations make substantial changes to the proposed regulations, including modifying how consumer notices must be drafted and changing some of the requirements for receiving and responding to consumer requests.

On Friday, February 7, 2020, the California Attorney General’s office published a notice of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The AG’s office also published redline and clean versions of the modified regulations.

The changes modify the proposed regulations published by the Attorney General’s office on October 11, 2019. The changes are the result of four public hearings held in December 2019 and the submission of over 1,700 pages of written comments. The Attorney General’s notice states that the department will accept written comments on the proposed changes until 5:00 p.m. on February 24, 2020.

Based on guidance previously published by the Attorney General’s office, this abbreviated comment period reflects the Attorney General’s determination that the changes are “substantial and sufficiently related,” but not “major,” which would require a new 45-day comment period. Following review of written comments, the Attorney General’s office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.

Below is our analysis of the modified regulations.

Analysis

The regulations continue to be separated into seven articles. For purposes of this article, we will discuss Articles 1 through 6 but not Article 7 (Severability). Our discussion herein will focus on what we consider to be the most substantial changes. We will not attempt to discuss every change. Notwithstanding that limitation, as the length of this article demonstrates, there are many notable changes in the modified regulations.

Article 1 – Definitions

The Attorney General modified a number of existing definitions and added new ones to Article 1. Perhaps the most significant change is the addition of § 999.302, which makes a substantial qualification to the term “personal information.” Specifically, the regulation provides that “[w]hether information is ‘personal information’ . . . depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” The regulation provides the following example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”

This qualification is one that has been long sought-after by business advocates who have argued that IP addresses, standing alone, are not personal information. Further, this qualification will likely impact the manner in which the CCPA applies to certain types of cookies.

The modified regulations also add and define “employment benefits” and “employment-related information.” The definition of employment-related information provides that the collection of such information, including for the purpose of administering employment benefits, shall be considered a business purpose. The addition of these two definitions, in connection with modifications to the notice section described below, helps clarify how to comply with the employee notice requirement. This was a significant stumbling block to compliance given that the statute and regulations were previously silent on these issues.

Article 2 – Notices to Consumers

The modified regulations add a new § 999.304, which reaffirms that businesses that engage in certain activities must provide the required notices to California residents. Further, the modified regulations specify that online notices must “follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.”

999.305: Notice at Collection of Personal Information

  • Telephone Calls: The modified regulations state that when “a business collects personal information over the telephone or in person, it may provide the notice orally.” Although the regulations still do not provide sufficient guidance on this issue, the absence of any mention of how telephone calls were to be handled in the draft regulations was a glaring omission.
  • Just-in-Time Notices: Businesses that collect personal information from a consumer’s mobile device for an unexpected purpose must provide a just-in-time notice. The regulation provides the following example: “If the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice. . . .”
  • Change in Use: As originally stated in the proposed regulations, a business could not use personal information for “any purpose other than those disclosed at the notice of collection.” The modified regulations present a more lenient position and state that a business cannot use personal information for “a purpose materially different” than the noticed purpose.
  • Contents of Notice: Notices at the point of collection will no longer need to link each category of personal information to the business or commercial purpose.
  • Data Brokers: Data brokers registered with the Attorney General’s office will not need to provide a notice at collection if they take certain steps.
  • Employee Notices: Businesses will still need to provide a notice at collection to California job applicants and employees, except such notice will not need to include a link or web address for opting out of sales (presumably because that right does not extend to employee information) and “may include a link to, or a paper copy of, a business’s privacy policies for job applicants, employees or contractors in lieu of a link or web address to the business’s privacy policy for consumers” (presumably because linking to those documents makes more sense than linking to a business’s online privacy policy).

999.306: Notice of Right to Opt-Out of Sales

  • Contents of Notice: The notice of right to opt-out is no longer required to contain a description of the proof required when a consumer uses an authorized agent to opt out or a link to the business’s privacy policy.
  • Consequence of Not Providing an Opt-Out: For any period in which a business does not have an opt-out notice posted, any personal information collected during such time cannot be sold unless the business obtains affirmative authorization. The regulations previously stated that, in such circumstances, a consumer would have been deemed to have opted out.
  • Opt-Out Button: The modified regulations provide an optional opt-out button to be located to the left of the opt-out link (i.e., the button does not replace the need to have the text, “Do Not Sell My Info”).

999.308: Privacy Policy

  • Contents of Privacy Policy: Businesses will still need to identify the categories of personal information collected during the prior 12 months, but they will no longer need to link each such category to the categories of sources from which the information was collected, the business or commercial purposes for which the information was collected, and the categories of third parties with whom the business shares the information. Businesses also will not need to state whether they sold or disclosed any personal information to third parties for a business or commercial purpose in the preceding 12 months. However, businesses will still need to identify the categories of personal information, if any, that they disclosed for a business purpose or sold to a third party in the preceding 12 months and, for each category, will now need to identify the categories of third parties to whom the information was disclosed or sold.
  • Information of Minors: The modified regulations clarify that a business must state whether it has “actual knowledge” that it sells the information of minors under 16. The prior version did not contain the “actual knowledge” qualification (although many CCPA privacy policies inferred that qualification).

Article 3 – Business Practices for Handling Requests

999.312: Methods for Submitting Requests to Know and Delete

  • Email Only Acceptable for Online Businesses: Businesses that operate exclusively online and have a direct relationship with the consumer are only required to provide an email address for submitting requests to know. This change harmonizes the regulations with the September 2019 amendments to the statute.
  • Removal of Interactive Webform Requirement: The modified regulations remove the requirement for businesses that operate a website to provide an interactive webform for submitting requests to know. The only mandatory method of receiving requests to know is now a toll-free telephone number and, per the statute as amended, making your website available to consumers to submit requests (which presumably could be linking to an email address). Businesses are still required to use interactive forms for receiving opt-out of sale requests. However, businesses that do not sell personal information could do away with interactive webforms since they are also not required to be provided for requests to delete.
  • Confirming Requests to Delete No Longer Mandatory: Businesses will no longer be required to use a two-step process for confirming online requests to delete. The two-step process is now permissive, not mandatory.

999.313: Responding to Requests to Know and Requests to Delete

  • Calculating Response Times (Calendar v. Business Days): The modified regulations clarify that businesses have 10 business (not calendar) days to confirm these requests and 45 calendar (not business) days to substantively respond. Further, confirmation may be made in the same manner in which the request was received (e.g., by telephone) and businesses may deny requests if they cannot verify the consumer within the 45-day period.
  • New Exemption: Businesses will no longer have to respond to requests to know if (1) the business does not maintain the personal information in a searchable or reasonably accessible format; (2) the information is maintained solely for legal or compliance purposes; (3) the business does not sell the personal information or use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets these conditions.
  • Additional Categories of Personal Information that Cannot Be Provided: In response to a request to know specific pieces of personal information, businesses now also cannot produce unique biometric data generated from measurements or technical analysis of human characteristics. The change harmonizes the regulation with the 2019 amendment to California’s breach notification statute, which also added this category.
  • Unverifiable Requests to Delete: Businesses will no longer be required to treat unverifiable requests to delete as an opt-out of sales. Rather, businesses that sell personal information will need to offer that choice to the consumer if they cannot verify the request to delete.

999.314: Service Providers

  • Permissible Uses of Personal Information by Service Providers: Service providers are now prohibited from retaining, using or disclosing personal information in the course of providing services except (1) to perform the services in the written contract with the business that provided the information; (2) to retain and employ another service provider as a subcontractor, if the subcontractor meets the requirements for being a service provider; (3) to detect security incidents or protect against fraudulent or illegal activity; or (4) to comply with the exceptions set forth in CCPA § 1798.145(a)(1)-(4).
  • Responding to Requests to Know and Delete: If a service provider receives a request to know or delete in its capacity as a service provider (as opposed to its capacity as a business) it no longer is required to inform the consumer that it should submit the request directly to the business and provide the consumer with the business’s contact information. Instead, service providers that receive such requests shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

999.315 Requests to Opt-Out

  • 15 Business Days to Comply: The modified regulations clarify that businesses have 15 business (not calendar) days to comply with opt-out requests.
  • Modified Duty to Notify Third Parties: Businesses no longer need to notify all third parties to whom they sold the personal information in the 90 days prior to receiving the request. Instead, if the business sells personal information after receiving a request, but before complying with it, the business shall notify the third parties to whom it sold the personal information and direct them not to further sell the personal information. Further, businesses no longer will be required to notify the consumer when this has been completed.

999.318: Requests to Access or Delete Household Information

This section was almost completely rewritten. For example, businesses will now need to individually verify all members of the household and verify that each member making the request is currently a member of the household.

Article 4 – Verification of Requests

As compared to the modifications made to the other Articles, the modifications made to the verification procedures are modest.

  • Businesses Cannot Require Consumers to Pay for Notarization: Businesses are prohibited from requiring consumers to pay a fee to verify their requests to know or delete. The regulations also specifically forbid businesses from requiring consumers to provide a notarized affidavit to verify their identity unless the business compensates the consumer for that cost. Requiring consumers to notarize their requests in order to verify their identity had been a method used by some businesses since January 1, 2020. Its use drew the ire of privacy advocates who argued that it was an unreasonable barrier to making requests.
  • Authorized Agent: Businesses may now additionally require the consumer to directly confirm with the business that the consumer provided the authorized agent with written and signed permission to submit the request.

Article 5 – Special Rules Regarding Minors

Businesses will now be required to establish, document, and comply with a reasonable method for determining whether a person submitting a request to know or request to delete the personal information of a child under the age of 13 is the parent or guardian of that child.

Article 6 – Non-Discrimination

Among other changes, the modified regulations delete one of the two examples provided in this section and provide three new examples. The modified regulations also clarify that if a business is unable to calculate a good faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, it shall not offer the financial incentive or price or service difference.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
