On March 11, 2020, the California Attorney General issued further revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA).
For context, in passing the CCPA, the legislature directed the California Attorney General to solicit broad public participation and adopt regulations to further the purposes of the CCPA. On October 11, 2019, the California Attorney General issued the first draft of the proposed regulations, imposing obligations on businesses that arguably exceeded the statutory requirements of the CCPA, which were noticed for a 45-day public comment period. On February 10, 2020, after the CCPA had gone into effect and after receiving nearly 1,700 pages of written comments and additional oral comments, the California Attorney General issued a second draft of the proposed regulations, scaling back some of these obligations and adding some helpful clarification. During the subsequent 15-day written public comment period on these proposed changes, approximately 100 written comments spanning 782 pages were submitted.
While this latest version of the proposed regulations is still not final and is subject to another public comment period, some of the changes that are most likely to affect CCPA compliance efforts, ranked from least to most helpful for businesses, include:
- deleting the language that clarifies that a business does not collect “personal information” when it collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household;
- making it more difficult for businesses to recognize a user-enabled global privacy control as a request to opt out of a sale, as this version does not require a user to affirmatively select a choice to opt out of a sale; rather, pre-selected settings may be used;
- specifying that while a business is prohibited from disclosing certain specific pieces of personal information, including, among other things, Social Security numbers, driver’s license numbers, and biometric data, in response to an access request, the business is still required to disclose whether it has collected such information;
- deleting the example of the opt-out button that a prior version of the regulations had included as an option that businesses could use in addition to, but not in lieu of, posting the notice of a consumer’s right to opt out of the sale of personal information;
- revising the additional metrics reporting obligations for businesses that buy, sell, receive, or share 10 million or more consumers’ personal information for commercial purposes per year to apply only to businesses that know or reasonably should know that they meet this threshold;
- scaling back the prohibition on a business sharing personal information kept for CCPA record-keeping purposes with any third party, so that businesses may share such information as necessary to comply with legal obligations;
- requiring that privacy policies generally disclose the sources from which businesses collect personal information and the purposes for which businesses collect or sell personal information, but not requiring that these disclosures be itemized for each specific category of personal information collected;
- modifying slightly, but potentially significantly, the exception for service providers to retain, use, or disclose personal information for internal use, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business; and
- expanding the exemption from notice at collection requirements for certain registered data brokers to also expressly exempt businesses that indirectly collect personal information about consumers, provided the business does not sell the consumer’s personal information.
The proposed regulations are now in their third public comment period, ending on March 27, 2020, at 5:00 p.m. PST. Given that the California Office of Administrative Law must review and approve the California Attorney General’s rulemaking file before the regulations can be finalized, which must happen by July 1, 2020, this version of the regulations is likely close to final. Accordingly, and as the California Attorney General can begin enforcing the CCPA on July 1, 2020, businesses should implement or update policies and procedures designed to comply with the CCPA and its implementing regulations as soon as possible.
For more information, advice concerning your CCPA compliance efforts, or assistance preparing or submitting a public comment to the California Attorney General, please contact Lydia Parnes, Eddie Holman, Allison Bender, Megan Kayo, or another member of the firm’s privacy and cybersecurity practice.