CCPA Draft Regulations v2 and The Uncertainties Continue
On Monday, February 10th, the California Attorney General’s office released an updated version of the proposed regulations, addressing errors in the draft released before the weekend and extending the comment period to February 25 at 5p PST. For those trying to keep track of what the eventual regulations will require, the challenge is greater than the AG’s version control. MediaPRO reported on February 11th in their 2020 State of Privacy and Security Awareness Report that almost two-thirds of U.S. employees are unaware if the CCPA applies to their organization. This presumably translates to confusion at the business level or at least a poor job of those subject to the CCPA communicating this internally.
While the AG’s redline of the updated draft rules demonstrates that a great deal of time and thought (and, ahem, lobbying) have been put into the effort, what would be helpful is if the AG included a detailed explanation of why the changes have been proposed. Some make sense, and some continue to baffle. Onward to some of the most impactful of the proposed changes.
When Is a Household Not a Household? The original definition was that a person or group occupy the same dwelling. This made imminent sense but was impractical absent a common identifier such as a street address. The proposed change largely guts the household aspect of the CCPA because a business would now need to know that: 1) the individuals reside at the same address, 2) they use a common device (smart TV?) or the same service (ISP? AppleTV? Netflix?), and 3) the business identifies these individuals as sharing a group account or a common identifier. The revised definition sharply narrows the impact of the statute’s text, but also corrects for what many perceived as an odd (at best) component of a privacy law centered on individual data.
Common Sense Prevails on Interpretive Guidance: Years ago, Americans were typically confused or skeptical of when the EU held that an IP address (even a dynamic IP address) constituted personal data. This has been used in some US contexts, such as protected health information under HIPAA and recent FTC settlements. But as a rule, most businesses have no ability to determine that an IP address alone relates to an individual. In the latest version of the regulations, the AG emphasizes that personal information depends upon whether the detail “is reasonably capable of being associated with, or could be reasonably linked” to a person or household.
The AG suggests that if a business collects or receives an IP address absent any other linked details then that IP address is not personal information. This will not permit willful ignorance by the business, as the proposed standard is whether the business links the IP address to other details or could reasonably do so. Expanding this example to other data points, a person’s name (say, James Smith) is the ultimate identifier, no? Until you realize that except for a small subset, individual names are surprisingly common.
Service Providers: Service providers should be largely happy with the addition of a simple three lines that proposes the internal use of personal information by a service provider to improve the quality of its services is now permissible. This had been an unreasonable obstacle under the prior version as most service providers use some level of data to improve product and service quality. While there are still some restrictions here, service providers and their business customers no longer have to worry whether a data transfer is a sale simply because the service provider would use the personal information to build or improve the service.
Seeing versus Encountering Means What Exactly? In discussing the delivery of a privacy notice at the collection of personal information, the text now reads “The notice at collection shall be made readily available where consumers will see encounter it at or before the point of collection…”. Does this mean that the privacy notice must be a pop up ala EU ePrivacy hell? “Encounter” suggests something more than a link in the footer of a web page or in a mobile app’s settings. But the remainder of the draft regulations provide no indication that something so dramatic is necessary.
A Flashlight App Can Still Collect Your (Completely Unnecessary) Location Data: Wait, what?! It’s reassuring that the AG’s office has been reading FTC enforcement actions and the revised draft proposes a helpful “When a business collections personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it [the business] shall provide a just-in-time notice…”. After all, the FTC found that there was a great deal of consumer surprise that the app captured user location. The AG suggests a pop-up window to highlight the data collection undoubtedly included with the conspicuous privacy notice but still likely to surprise consumers, because none of us reads privacy notices anyway.
Third Party Collections: The earlier version of the rules included a GDPR-like requirement for those collecting personal information indirectly, such as through an ad network or even through the purchase of marketing lists. Under the earlier draft, the receiving business could either send the consumer whose details were acquired a timely notice along with a sale opt-out or get an attestation for the data provider.
Those details have been deleted and now a business collecting indirectly need not “provide a notice at collection to the consumer” if the business is a registered data broker. So as an incentive to data brokers, registration relieves the obligation to tell a consumer that their details have been acquired. But an unregistered data broker or a regular business purchasing a marketing list appear to have the GDPR-like consumer notification that, hey, we’ve bought your data, here’s our privacy notice, and so on. Curious concession to the much-maligned data broker industry.
Opt-Out Button: As promised, the AG has proposed an opt-out button for Do Not Sell My Personal Info requests. Not being User Experience experts, we find it confusing. The privacy geeks on Twitter exploded over the weekend and generally used impolite words to describe the consumer-friendliness of the graphic. Anyway, you can use your own ‘button,’ but be sure that it is clear to the consumer wishing to opt out.
Two Weeks to Comment: We have provided a link above to the AG’s redline of the new draft rules, and we encourage all to give it a thorough read. The comment period remains open until February 25th and there are proposed changes beyond those that we have recapped here.