California Consumer Privacy Act Proposed Rules: Modified to Recognize Business Realities?
On February 7, 2020, the California Attorney General’s Office (AG) announced changes to its proposed regulations to implement the California Consumer Privacy Act (CCPA). As discussed below, many of these revisions reflect greater understanding of business realities. Some others provide more specificity to simplify compliance and increase certainty for businesses, but also present more limits and burdens. The AG is providing a very short window for written comments, setting February 25, 2020, as the submission deadline.
Some of the modifications potentially could eliminate cumbersome compliance requirements, particularly for businesses that do not engage in extensive collection, use and disclosure of consumer information. For instance:
- The AG proposes adding guidance to clarify that whether data constitutes “Personal Information” depends on how a business maintains that information. Even if the data technically meets the CCPA’s definition, it would not be deemed “Personal Information” if the business does not and cannot reasonably link that data to a particular consumer or household. For example, if a business collects the IP address of website visitors but does not and could not reasonably link it to any particular consumer or household, then the IP address is not “Personal Information.”
- A business that purchases Personal Information no longer would have to contact the consumers directly to provide a CCPA privacy notice and the option to opt out from the “sale” (disclosure) of their information, nor obtain a certification from the source of the Personal Information that the required notices had been provided to consumers.
- A business responding to a consumer request to know what Personal Information it holds would not have to conduct a search if it (a) does not maintain the data in a searchable format, (b) maintains the data solely for legal or compliance purposes, (c) does not sell or use the data for commercial purposes, and (d) describes to the consumer the records that it did not search but that might contain Personal Information.
- Service Providers would be permitted to collect Personal Information directly from consumers on behalf of a business. Service Providers also could use and retain Personal Information for certain internal purposes, including to
- build or improve the quality of their services, but not to build or modify consumer or household profiles, or to clean or augment data from other sources;
- protect against data security incidents, fraud or illegal activity; and
- comply with laws and legal process.
The AG also provides other useful modifications to the proposed rules on responding to consumer requests, including that:
- A business that cannot verify a consumer’s identity within 45 calendar days may deny the request.
- If a consumer informs a business that she wants to remain in a loyalty program, the business may deny her deletion request as to information necessary to maintain her enrollment and benefits.
- A business responding to a deletion request need not separately confirm the request or explain how it deletes Personal Information.
- In responding to a consumer opt-out from the “sale” of Personal Information, the business must direct third parties who had purchased that information between the date of the opt-out request and the date of compliance (which must occur within 15 business days of the request) not to “sell” the data. But it need not notify earlier purchasers of the data.
- While a business must respect the opt-out settings in a consumer’s global privacy control, it may notify the consumer of any conflict with its business-specific privacy settings or with the consumer’s participation in a financial incentive program, to give the consumer the choice to confirm the business-specific privacy settings or the consumer’s participation in the program.
- If a consumer who has opted out initiates a transaction or attempts to use a product or service that requires the “sale” of her Personal Information, the business may so inform the consumer and provide instructions for the consumer to opt in.
In other areas, the AG adds substantially more specificity to the proposed rules. For instance:
- The AG now proposes a specific, uniform “opt-out” red button or toggle switch with a “Do Not Sell My Personal Information” or “Do Not Sell My Info” logo. The button must be approximately the same size as other buttons on the page and must be located on the homepage of websites and on the landing page of, or within, mobile applications. This button must link to an online location that explains the consumer’s right to opt out and how to exercise that right. A business cannot sell Personal Information collected during the time it did not have an opt-out notice posted, unless it obtains the consumer’s affirmative authorization. In addition, a business that denies a deletion request must ask the consumer if she wants to opt out of the sale of her Personal Information and include a link for her to opt out. Privacy notices to employees would not need to include a Do Not Sell link.
- The modified proposal requires that the CCPA policy disclose
- the business’s information collection activities, at the point of collection:
- if in person or over the phone, orally;
- if online, through a conspicuous link on the introductory page of the business’s website and on all webpages where Personal Information is collected; and
- if through a mobile application, through a link on the application’s download page and within the application – including, specifically, a just-in-time notice (e.g., a pop-up window) to inform the consumer of any categories of information being collected for a purpose that the consumer would not reasonably expect.
- for each category of Personal Information, the categories of third parties to whom the business discloses or sells such information; and
- instructions on how a consumer can designate an authorized agent (one registered to do business in California) to make a CCPA request on her behalf.
- The modified proposal would permit a business to deny a consumer request for a copy of her Personal Information, in whole or in part, based on a conflict with law or an exception under the CCPA. This modification replaces a significantly broader, albeit more ambiguous, provision for a business to deny the request if disclosure would create a substantial, articulable and unreasonable risk to the security of the information, the consumer’s account, or the business’s systems or networks.
- Among other subjects, the AG’s modifications also supplement the proposed rules regarding minors, record-keeping, and verification of CCPA requests (particularly those made by “households” and authorized agents).
These highly prescriptive requirements limit businesses’ discretion, at the same time that they simplify compliance and increase certainty. (The one area in which the modifications provide businesses substantially more discretion is in calculating the value of consumer data to offer financial incentives.) In certain instances, the modifications add language that may raise businesses’ liability exposure. For instance, the provision that, “[a] business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out,” is likely to engender significant litigation regarding the effect of the methods provided by businesses for opt-out.
Although the rulemaking process continues, and the AG will not commence enforcement actions before July 1, 2020, the plaintiffs’ bar is already citing CCPA requirements in privacy litigation. For example, in class action litigation filed recently in federal court in Oakland against the children’s clothing retailer Hanna Andersson and Salesforce.com, its provider of systems to process online transactions, the plaintiff’s complaint expressly alleges that consumers’ CCPA rights were violated. In addition, as discussed in our September 27, 2019, bulletin, a new ballot initiative expected to be on the November 2020 ballot would expand the requirements of the CCPA dramatically and create a new California Privacy Protection Agency to pursue enforcement.
Stroock’s Privacy/CCPA Team will continue to report on the latest developments. Our Team has closely monitored California’s evolving privacy framework since the introduction of the first ballot initiative. Our work ranges from building pragmatic compliance systems for small businesses to defending global industry leaders against government and private actions, including one of the first complaints filed within weeks of the CCPA’s January 1, 2020, effective date. Further information about Stroock’s Privacy/CCPA capabilities, and a recording of our January 23, 2020, webinar, Charging into the New Decade: A Look at California’s Expansive Regulatory Moves, are also available.
This article is for general information purposes only. It is not intended as legal advice, and you should not consider it as such.