Amended CCPA Regulations – Key Takeaways
On February 7, 2020, the California Attorney General issued a second draft of the regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”). Interestingly, while the Attorney General had earlier stated that the final regulations would be substantially the same as the original regulations, the Attorney General has made a number of significant changes.
The amended regulations are a mixed bag. In a number of areas, the regulations as initially proposed went beyond the scope of the CCPA; that has, in a number of cases, been rectified. However, the amended regulations do retain the do-not-sell signal requirement and add restrictions on how service providers handle personal information.
Here are some key takeaways:
- Notice Provisions. The “at collection” notice requirements, which have been problematic for many companies, have been expanded. The amended regulation requires notices on “all webpages where personal information is collected,” as well as on a mobile app’s download page “and within the app,” such as through the app’s settings menu. At the same time, the regulation answers a common question: oral notice would be allowed when information is collected in person or over the phone. The amended regulations also add a requirement for a “just-in-time” notice when personal information is collected on a mobile device and “the consumer would not reasonably expect” the collection. Compliance with this requirement will be challenging, because companies will need to decide, use by use, what a consumer would reasonably expect.
- Deletion Requests. The original regulations treated an unverified request to delete as a request to opt out of sales. The amended regulations instead allow a company to ask a consumer who has made an unverified request to delete whether they would like to opt out of the sale of their personal information. Businesses would also be permitted to retain a record of a deletion request for the purpose of ensuring that the consumer’s personal information remains deleted from the business’s records. The new regulation also provides much-needed guidance on the deletion exception for data stored on backup systems: personal information held in a backup does not need to be deleted unless the backup data is restored to an active system or is accessed or used for a sale, disclosure or commercial purpose.
- Service Providers. A key change proposed by the amended regulations is the treatment of service providers. As amended, service providers could use personal information for their own internal purposes, but are barred from using it to build consumer profiles, to “clean” personal data, or to augment the data with data obtained from another source. Because none of these terms is defined, the ultimate impact of the change is unclear. The amended regulations also provide that a service provider that receives a “request to delete” or “request to know” must either act on behalf of the business or inform the consumer that it cannot process the request because it is a service provider.
- Incentives. The amended regulation prohibits businesses from offering incentives unless they can calculate a good-faith estimate of the value of consumer data or demonstrate the reasonableness of the financial incentive, price or service difference. The Attorney General also added new examples of discriminatory and non-discriminatory practices; unfortunately, the examples are fairly specific, and it is not clear whether they add meaningful clarification. In addition, businesses now have the flexibility to “consider” rather than “use” the methods listed in the regulation for calculating the value of consumer data, and may take into account the value of consumers’ data. The regulation does not, however, resolve the ultimate issue of how a business can realistically calculate the value of consumer data.
- Submitting Requests. The amended regulations also eliminate the requirement that businesses with a website provide an online web form for submitting “requests to know.” Now, businesses that operate exclusively online can comply with the CCPA by maintaining an email address for consumer requests; businesses that are not exclusively online must provide a toll-free number and at least one other method for requests. All businesses should consider the method by which they primarily interact with consumers when choosing the additional method for receiving requests.
The amended regulations make many other changes, including adoption of the FTC’s materiality standard for disclosing uses of personal information, changes to the do-not-sell notice, changes to the opt-out request process, and a variety of other changes that will need to be incorporated into business operations.
It is not clear whether the amended regulations will become the final regulations. Moreover, the original proponents of the CCPA are collecting signatures for a ballot measure, “The California Privacy Rights and Enforcement Act of 2020.” The ballot measure counters many of the provisions of the CCPA and, if passed, would create significant new burdens for California businesses. All of these factors make privacy compliance in California a continuing challenge.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.