February 18, 2020

February 17, 2020

California Attorney General Proposes Modifications to the Proposed CCPA Regulations

On February 7, 2020, the California Attorney General (AG) announced changes to the California Consumer Privacy Act of 2018 (CCPA) proposed regulations. The AG updated its announcement on February 10, 2020, to indicate that an additional provision was being modified. The modifications include changes to the “Right to Opt Out,” the permissible uses of data by service providers and the mandatory content of CCPA notices. The deadline for submitting comments on the modified draft of the proposed CCPA regulations is Tuesday, February 25, 2020, at 5 p.m. (PST).

As discussed herein, the Tuesday, February 25, 2020, 5 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence enforcement activity as soon as the rulemaking process concludes.

What Has Changed?

The modifications contain a number of changes (largely business-friendly). The changes are in response to comments received on the initial draft of the proposed regulations and in order to clarify or conform the text to existing law (including various modifications to the CCPA that were enacted during 2019).

Significant changes being proposed include:

  • Concept of “Personal Information” – The modifications clarify that evaluating whether data constitutes “personal information” is based on whether the business links, or could reasonably link, the data to a particular consumer or household. For example, the modifications state that a business that operates a website that collects Internet Protocol (IP) addresses from visitors need not consider the IP address to be personal information where the business does not associate that data with a particular consumer and could not “reasonably” do so. This seems to indicate an intention to apply a more subjective analysis that focuses on whether the business could identify or link the data to a particular person, rather than whether the data is reasonably linkable to a particular person in general.

  • Additional Service Provider Rights – In addition to performing services specified in a contract, service providers are permitted to process personal information for the following purposes:

    • To retain and employ subcontractors that meet the CCPA definition of “service providers”

    • For internal use by the service provider, to build or improve the quality of its services, provided that this does not include “building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source”

    • To detect security incidents or protect against fraudulent or illegal activity

    • To comply with federal or state law or investigations

  • Privacy Policy and Notice Requirements – The modifications relax some of the formal requirements around CCPA privacy policies and notices at collection and clarify others. For example, the modifications relax the requirements for “notice at collection,” requiring businesses to disclose the categories of personal data collected and the purposes for which it is used generally (as opposed to a granular disclosure of how each category of personal data is used), and clarify that employees must be provided a “notice at collection.” For the privacy policy, however, the modifications reinforce the requirement to state with granularity for each category of personal information (a) whether each category was shared for a business purpose, (b) whether each category was sold, and (c) the categories of third parties to whom the category of personal information was disclosed. Businesses no longer need to state in their CCPA privacy policies the sources of personal information they have collected.

  • Sale Notification – The modifications eliminate the requirement that if a business receives a request to opt out, it must notify all third parties to which it sold the consumer’s personal information within the 90 days preceding the request. However, if a business sells personal information after a consumer submits a request to opt out, but before the business has complied with the request (i.e., within the 15-business-day window), the business must notify those third parties and direct them not to sell the consumer’s personal information.

  • Opt-Out – The modifications to provisions related to privacy settings (e.g., DNT signals) specifically require that opt-out requests be easy for consumers to execute and not be designed to subvert or impair the consumer’s decision to opt-out. The modifications specify that privacy controls shall require the consumer to “affirmatively select their choice to opt-out” and not be designed “with any pre-selected settings.” Additionally, the rules expressly require that the signal to opt-out be “clearly communicated.” This seems to suggest that, for example, browsers that enable “do not track” by default may not need to be honored if they do not sufficiently reflect an “affirmative” selection by the consumer. The modifications also clarify that if a global privacy control conflicts with the business-specific privacy settings, the business is required to honor the global privacy controls generally, but may choose to notify the consumer of the conflict to seek clarification about the consumer’s preference. Additionally, the approved design for the opt-out button has been included.

  • Data Brokers – Businesses are expressly relieved of any obligation to provide notices at collection if they have registered with the AG as a data broker and comply with certain requirements in their registration submissions. The modifications do not clarify, however, the requirements for businesses that are not data brokers but still indirectly collect data (e.g., by purchasing marketing lists).

  • Obligation to Search for Personal Information – In response to a “Right to Know” request, businesses are expressly allowed not to search for personal information if all of the following conditions are met:

    • The information is not kept in a “searchable or reasonably accessible” manner

    • The information is maintained solely for legal or compliance purposes

    • The business does not sell the personal information and does not use the personal information for any commercial purpose

    • The business’s response describes the categories of records that may contain personal information but were not searched because it meets these conditions

  • Biometric Data – Unique biometric data is added to the list of data categories that businesses must not disclose in response to a “Right to Know” request.

  • Mobile Applications – The modifications add many specific references to the obligations of businesses that collect data through mobile applications, including an obligation to provide a link to the notice prior to downloading and “just-in-time” notices. These requirements align with the recommendations that the AG published in 2013 for the mobile ecosystem.

  • Other relevant changes – Additional guidance is provided on how to calculate the value of personal information, the time periods to respond to individual rights requests, accessibility requirements and how businesses should verify requests to access or delete household information.

What Will Happen Next?

The AG is currently accepting written comments on the proposed changes and documents relied on in the rulemaking. Comments must be submitted to the AG no later than 5 p.m. on Tuesday, February 25, 2020, by email to privacyregulations@doj.ca.gov, or by regular mail at the following address:

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

The AG will review and respond to all timely received comments pertinent to the changes proposed. In order to finalize the rules, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. This record will include the Final Statement of Reasons, in which the AG will summarize and respond to the public comments received. The OAL will then have 30 working days to determine whether the record satisfies procedural requirements under California law. If the requirements are met, the regulations will be adopted as final and filed with the California Secretary of State.

Given the California AG’s timetable, the regulations may come into force as early as May 2020. Companies defined as businesses, service providers and data brokers under the CCPA should, therefore, move promptly to evaluate any changes that may be required to their privacy policies, notices, consumer rights response procedures, service provider contracts, and other CCPA documentation and practices under the modifications to the proposed regulations.

© Copyright 2020 Squire Patton Boggs (US) LLP

About this Author

Glenn Brown Cybersecurity Attorney Squire Patton Boggs
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

678 272 3235
Lydia de la Torre Privacy Lawyer Squire Patton Boggs
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a multitude of industries, including e-commerce, fintech and computer hardware. This experience has provided her with a direct understanding of client concerns.

Before joining the firm, Lydia served as co-director of the Santa Clara Law School Data Privacy Certificate Program, where she continues to teach privacy law.

Lydia is a frequently invited speaker on privacy-related topics, such as the freedom of speech implications of privacy laws, ethics and privacy, the application of privacy laws to blockchain technology, financial privacy laws and the CCPA. She is also a prolific writer and has been published in a variety of outlets, from mainstream media to privacy and legal publications. She is the editor of Golden Data, a Medium publication focused on data laws.

Lydia is a member of the California Lawyers Association’s Antitrust and Privacy Section and an adjunct professor at Santa Clara Law School.

650 843 3227
Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs
Partner

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively...

202-457-6407
Ann J. LaFrance, Squire Patton Boggs, Cybersecurity Matters Lawyer, Telecommunications Attorney
Partner

Ann LaFrance co-leads our Data Privacy & Cybersecurity practice. Drawing on more than 20 years of industry experience, Ann advises clients on telecommunications regulation and new media policy, competition law, dispute resolution and European Union ('EU') data protection matters.

44 20 7655 1752