CCPA Update: The Ever-Moving Target of the AG’s Draft Regulations
Little more than a month after modifying the draft regulations for the California Consumer Privacy Act (CCPA), the California Attorney General (AG) issued yet another set of modifications on March 11, 2020. The draft regulations were first issued on Oct. 11, 2019 and were later modified on Feb. 10, 2020. Presently, the AG is accepting comments on this third version of the draft regulations until March 27, 2020 at 5 p.m. PT. Given the amount of change between the versions, we recommend that businesses hold off on updating their compliance documents until closer to the July 1, 2020 enforcement date.
WHAT CHANGED THIS TIME?
Some of the more frustrating changes to the draft regulations include requirements that have disappeared and reappeared in the various versions. For example, disclosure requirements, the opt-out button and guidance on what constitutes personal information have all fluctuated through the versions. The following is a brief summary of notable changes in the March 11 draft:
Privacy policies must disclose the source from which personal information is collected. This requirement is not new. The AG first introduced it in the initial draft regulations. However, the requirement was removed in the second version. Now, only one month later, it has returned—although, not quite in the same form as before. This third version of the draft regulations does not require that the disclosure is made on a per category basis (i.e., for each category of personal information collected), as was previously required by the initial draft regulations.
The AG eliminated the opt-out button entirely. While the opt-out button was not mandatory, many saw it as a beacon of consumers’ right to opt out. As such, the long-awaited, highly anticipated button has already gained much attention. Indeed, software vendors have begun selling solutions for it—solutions that are no longer needed.
Responding to access requests
If a business has collected Social Security numbers, biometric information or other sensitive information it cannot disclose pursuant to the regulations, then it must inform the consumer that the business collected such information. Under the second version of the draft regulations, businesses could simply deny the consumer’s request without further explanation.
Entities that do not collect personal information from consumers directly
This latest version of the draft regulations provides some reprieve for some businesses that do not collect personal information directly from consumers. If a business does not collect personal information directly from a consumer and does not sell the personal information, then it does not need to provide notice at collection to consumers.
Guidance regarding the interpretation of CCPA definitions
The updated regulations remove guidance regarding the interpretation of “personal information.” This guidance included an example that IP addresses did not constitute personal information so long as they were not linked to a particular consumer or household. Given how most businesses collect and use IP addresses for marketing purposes (such as through Google Analytics and other similar tools), many businesses interpreted this guidance to mean that an IP address is only personal information if it links directly to a consumer or household. This would mean that businesses could still use certain online tracking technologies without collecting personal information. Alas, businesses may no longer rely on this guidance to conclude that they do not collect personal information when using such tracking technologies.
HOW TO APPROACH CCPA COMPLIANCE AFTER THE MARCH 11 DRAFT
For many businesses—especially larger ones that do not move as nimbly—early efforts to implement the AG’s draft regulations are essential if they are to comply with the regulations in time for the July 1, 2020 enforcement date. At the same time, the AG’s continued modifications disrupt efforts to operationalize the regulations’ requirements. Additionally, the rulemaking process has included major, unexpected shifts, which seem to have not yet met an end.
To date, the AG has issued three versions of the draft regulations. The second and third versions of the regulations saw barely one month between them, and a comment period on the third version is presently underway. Therefore, businesses should wait to make any further compliance changes for CCPA until after the AG publishes the final regulations.