California AG Updates the Proposed CCPA Regulations: Only a Few More of the Puzzle Pieces Fit
Data Privacy & Security Alert 02/25/20 Linda Emery, Heather Buchta, Elizabeth Wamboldt
The California Attorney General (“AG”) recently issued an updated draft of the proposed regulations to the California Consumer Privacy Act (the “CCPA”).
While the revised draft includes some helpful clarifications, questions still abound. The key changes proposed by the California AG include:
Definition of Personal Information. The AG clarified several definitions, the most important of which is the definition of “personal information.” Whether information is considered “personal information” hinges on whether “the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household’.” In other words, an IP address is not considered personal information if the business does not link the IP address to any particular consumer or household, or could not reasonably link such information (§ 999.302).
Notice at Collection. In the updated proposed regulations, the AG indicates that a “notice at collection” is required on all webpages where personal information is collected (§ 999.305(a)). With regard to mobile apps, one option is to provide a link to the notice on the mobile app’s download page and through the mobile app’s settings menu (§ 999.305(a)(3)(b)). Further, if a mobile app collects personal information for a purpose that the consumer would not reasonably expect, a just-in-time notice is required (§ 999.305(a)(4)). Finally, when a business collects personal information over the telephone or in person, the “notice at collection” may be provided orally.
Do Not Sell My Personal Information. The updated proposed regulations now provide these pictures of a “do not sell my personal information” button (§ 999.306(f)):
The updated proposed regulations also provide an option for a business to obtain affirmative authorization from a consumer to sell personal information in the event the business did not have a notice of the "right to opt-out" posted (§ 999.306(e)).
Clarified Timeframes. The AG's office clarified the timeframes for responses to consumer requests, most importantly by addressing calendar days versus business days.
Methods for Data Subject Requests. The methods for submitting and responding to “requests to know” and “requests to delete” were clarified. For example, a business operating exclusively online is only required to provide an email address for submitting “requests to know” (§ 999.312(a)). Further, a business may confirm receipt of “requests to know” or “requests to delete” by the same method through which the requests were received. Therefore, confirmation can be provided verbally during a phone call if the consumer makes a request over the phone (§ 999.313(a)).
Service Providers. Service providers have express obligations pursuant to the updated proposed regulations. For example, if a service provider receives a “request to know” or a “request to delete” from a consumer, it shall either (a) act on behalf of the business in responding to the request; or (b) inform the consumer that the request cannot be acted upon because the request has been sent to a service provider (§ 999.314(e)).
Although it remains to be seen what additional changes will occur when the CCPA regulations are finalized, businesses should act now to prepare for the finalized regulations. We anticipate the final regulations will be issued prior to the July 1, 2020 enforcement date, but it is unclear how quickly the regulations will be finalized or how many additional iterations we may see prior to that date.
To learn more about how the CCPA and the proposed regulations may affect your business, please contact your Quarles & Brady attorney or