
California Attorney General Proposes Modifications to the Proposed CCPA Regulations

On February 7, 2020, the California Attorney General (AG) announced changes to the California Consumer Privacy Act of 2018 (CCPA) proposed regulations. The AG updated its announcement on February 10, 2020, to indicate that an additional provision was being modified. The modifications include changes to the “Right to Opt Out,” the permissible uses of data by service providers and the mandatory content of CCPA notices. The deadline for submitting comments on the modified draft of the proposed CCPA regulations is Tuesday, February 25, 2020, at 5 p.m. (PST).

As discussed herein, the Tuesday, February 25, 2020, 5 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence enforcement activity as soon as the rulemaking process concludes.

What Has Changed?

The modifications contain a number of changes, most of them business-friendly. The changes respond to comments received on the initial draft of the proposed regulations and clarify or conform the text to existing law (including various modifications to the CCPA that were enacted during 2019).

Significant changes being proposed include:

  • Concept of “Personal Information” – The modifications clarify that evaluating whether data constitutes “personal information” is based on whether the business links, or could reasonably link, the data to a particular consumer or household. For example, the modifications state that a business that operates a website that collects Internet Protocol (IP) addresses from visitors need not consider the IP address to be personal information where the business does not associate that data with a particular consumer and could not “reasonably” do so. This seems to indicate an intention to apply a more subjective analysis that focuses on whether the business could identify or link the data to a particular person, rather than whether the data is reasonably linkable to a particular person in general.

  • Additional Service Provider Rights – In addition to performing services specified in a contract, service providers are permitted to process personal information for the following purposes:

    • To retain and employ subcontractors that meet the CCPA definition of “service providers”

    • For internal use by the service provider, to build or improve the quality of its services, provided that this does not include “building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source”

    • To detect security incidents or protect against fraudulent or illegal activity

    • To comply with federal or state law or investigations

  • Privacy Policy and Notice Requirements – The modifications relax some of the formal requirements around CCPA privacy policies and notices at collection and clarify others. For example, the modifications relax the requirements for “notice at collection,” requiring businesses to disclose the categories of personal data collected and the purposes for which it is used generally (as opposed to a granular disclosure of how each category of personal data is used), and clarify that employees must be provided a “notice at collection.” For the privacy policy, however, the modifications reinforce the requirement to state with granularity for each category of personal information (a) whether each category was shared for a business purpose, (b) whether each category was sold, and (c) the categories of third parties to whom the category of personal information was disclosed. Businesses no longer need to state in their CCPA privacy policies the sources of personal information they have collected.

  • Sale Notification – The modifications eliminate the requirement that if a business receives a request to opt out, it must notify all third parties to which it sold the consumer’s personal information within the 90 days preceding the request. However, if a business sells personal information after a consumer submits a request to opt out, but before the business has complied with the request (i.e., within the 15-business-day window), the business must notify those third parties and direct them not to sell the consumer’s personal information.

  • Opt-Out – The modifications to provisions related to privacy settings (e.g., DNT signals) specifically require that opt-out requests be easy for consumers to execute and not be designed to subvert or impair the consumer’s decision to opt-out. The modifications specify that privacy controls shall require the consumer to “affirmatively select their choice to opt-out” and not be designed “with any pre-selected settings.” Additionally, the rules expressly require that the signal to opt-out be “clearly communicated.” This seems to suggest that, for example, browsers that enable “do not track” by default may not need to be honored if they do not sufficiently reflect an “affirmative” selection by the consumer. The modifications also clarify that if a global privacy control conflicts with the business-specific privacy settings, the business is required to honor the global privacy controls generally, but may choose to notify the consumer of the conflict to seek clarification about the consumer’s preference. Additionally, the approved design for the opt-out button has been included.

  • Data Brokers – Businesses are expressly relieved of any obligation to provide notices at collection if they have registered with the AG as a data broker and comply with certain requirements in their registration submissions. The modifications do not clarify, however, the requirements for businesses that are not data brokers but still indirectly collect data (e.g., by purchasing marketing lists).

  • Obligation to Search for Personal Information – In response to a “Right to Know” request, businesses are expressly allowed not to search for personal information if all of the following conditions are met:

    • The information is not kept in a “searchable or reasonably accessible” manner

    • The information is maintained solely for legal or compliance purposes

    • The business does not sell the personal information and does not use the personal information for any commercial purpose

    • The business’s response describes the categories of records that may contain personal information but were not searched because they meet these conditions

  • Biometric Data – Unique biometric data is added to the list of data categories that businesses must not disclose in response to a “Right to Know” request.

  • Mobile Applications – The modifications add many specific references to the obligations of businesses that collect data through mobile applications, including an obligation to provide a link to the notice prior to downloading and “just-in-time” notices. These requirements align with the recommendations that the AG published in 2013 for the mobile ecosystem.

  • Other relevant changes – Additional guidance is provided on how to calculate the value of personal information, the time periods to respond to individual rights requests, accessibility requirements and how businesses should verify requests to access or delete household information.

What Will Happen Next?

The AG is currently accepting written comments on the proposed changes and documents relied on in the rulemaking. Comments must be submitted to the AG no later than 5 p.m. on Tuesday, February 25, 2020, by email to [email protected], or by regular mail at the following address:

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

The AG will review and respond to all timely received comments pertinent to the changes proposed. In order to finalize the rules, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. This record will include the Final Statement of Reasons, in which the AG will summarize and respond to the public comments received. The OAL will then have 30 working days to determine whether the record satisfies procedural requirements under California law. If the requirements are met, the regulations will be adopted as final and filed with the California Secretary of State.

Given the California AG’s timetable, the regulations may come into force as early as May 2020. Companies defined as businesses, service providers and data brokers under the CCPA should, therefore, move promptly to evaluate any changes that may be required to their privacy policies, notices, consumer rights response procedures, service provider contracts, and other CCPA documentation and practices under the modifications to the proposed regulations.

© Copyright 2022 Squire Patton Boggs (US) LLP

National Law Review, Volume X, Number 42

About this Author

Glenn Brown Data Privacy & Cybersecurity Attorney Squire Patton Boggs Atlanta, GA
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other states’ privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

Ann J. LaFrance Data Privacy & Cybersecurity Attorney Squire Patton Boggs New York, NY & Washington DC

Ann LaFrance co-chairs the firm’s global Data Privacy & Cybersecurity Practice and is a senior member of the international Communications Practice.

In addition to advising clients on national and cross-border data privacy and cybersecurity matters, Ann has experience counselling clients on a broad range of legal and regulatory issues affecting the provision of internet and digital services, as well as advanced technologies. She has particular expertise advising on issues of concern to technology, media and telecommunications companies and she frequently serves as an adviser to...