CCPA Update: California Attorney General Issues Modifications to Proposed CCPA Regulations
Alerts
February 11, 2020

Updates to Compliance Likely Required

On February 10, 2020, the California Attorney General issued the proposed text of modified regulations implementing the California Consumer Privacy Act (CCPA). This draft is a correction of a version that the California Attorney General issued on February 7, 2020. While the California Attorney General previously indicated that major changes to the proposed CCPA regulations were not anticipated, these modifications are likely to have a significant impact on CCPA compliance efforts, particularly regarding privacy notices, agreements between businesses and service providers, and policies on handling consumer requests.

The regulations matter because the California Attorney General has been tasked with establishing procedures to facilitate consumers' CCPA rights and with providing guidance regarding compliance. In October 2019, the California Attorney General issued the initial draft of the proposed regulations, which imposed many new obligations on businesses that went beyond the CCPA, and solicited public comments on this draft for a 45-day period.

Nearly 1,700 pages of comments were submitted regarding the initial proposed regulations. It appears that the California Attorney General understood the burdens imposed on businesses by the initial version of the regulations, as many of the changes in the modified regulations scale back those obligations. While the modified regulations are still not final, and another public comment period is underway, some of the notable changes include:

  • clarifying that a business does not collect "personal information" when it collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household;
  • rolling back the prohibition on using a consumer's personal information for purposes other than those disclosed in the notice at collection, so long as such purposes are not materially different from those disclosed in the notice at collection;
  • revising and expanding the exceptions to ways in which a service provider can retain, use, or disclose personal information and still be considered a service provider, which is important because a business that discloses personal information to entities other than a service provider may be considered to be "selling" the personal information if such entities do not qualify as service providers;
  • relieving a business from providing personal information in response to an access request if such information is not maintained in a searchable or reasonably accessible format, is maintained solely for legal or compliance purposes, and the business describes to the consumer the categories of records that may contain the consumer's personal information;
  • permitting a business that operates exclusively online to use only an email address as the method by which consumers can submit an access request;
  • deleting the prior requirement that a business treat a deletion request that cannot be verified as a request to opt out, and now requiring that the business ask the consumer whether they would like to opt out of the sale of their personal information;
  • introducing the opt-out button that businesses may use in addition to posting the notice of a consumer's right to opt out of the sale of personal information;
  • limiting the third parties to which a business is required to pass on the consumer's opt-out to those third parties to whom the business sold that consumer's personal information after the consumer submitted their request but before the business complied with the consumer's request;
  • deleting the notice requirements of businesses that do not have a direct relationship with consumers, have registered as a data broker pursuant to Civil Code section 1798.99.80 et seq., and included in the registration submission a link to the online privacy policy that includes instructions on how consumers can submit a request to opt out;
  • increasing to 10 million or more consumers in a calendar year the number of consumers whose personal information a business buys, receives for its commercial purposes, sells, or shares for commercial purposes that triggers metrics reporting requirements, including reporting in the business's privacy policy the number and type of consumer requests received, granted, or denied and the median or mean number of days taken to respond;
  • limiting the scope of requisite notices to employees, in line with the amendments to the CCPA that were signed after the initial version of the proposed regulations was issued; and
  • providing guidance on how online notices could be reasonably accessible to consumers with disabilities, namely by following generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018.

While the changes noted above are largely helpful to businesses, the modified regulations also include changes that are not so helpful. For example, the modified regulations prohibit a business from providing a financial incentive program if the business is unable to calculate a good faith estimate of the value of the personal information. In addition, the modified regulations include a new requirement that businesses provide a just-in-time notice when collecting personal information from consumers' mobile devices for a purpose that a consumer would not reasonably expect, e.g., a flashlight app that collects geolocation information, harkening back to the Federal Trade Commission's 2013 settlement with Goldenshores Technologies. Moreover, the modified regulations still do not provide specific guidance on how the ad tech industry should implement policies and procedures in line with the CCPA or how businesses are supposed to recognize the particular user-enabled global privacy controls that businesses are required to treat as a request to opt out.

There are several other changes that are likely to impact policies and procedures that businesses implemented to comply with the initial version of the regulations. The granularity of the modified regulations also provides some further guidance in operationalizing the CCPA and understanding how the California Attorney General may interpret and enforce it. Accordingly, businesses (and service providers whose clients include businesses subject to the CCPA) would be wise to review and understand the impact of these modified proposed regulations on their operations.

Nevertheless, such a review should be undertaken with an understanding that additional changes will likely be needed, and that the modified proposed regulations are still not the final CCPA regulations from the California Attorney General. The California Attorney General is currently accepting written comments that pertain to the changes to the proposed regulations and new materials that the California Attorney General has added to the rulemaking file until February 25, 2020 at 5:00 p.m. PST.

For more information, advice concerning your CCPA compliance efforts, or assistance preparing or submitting a public comment to the California Attorney General, please contact Eddie Holman or another member of the firm's privacy and cybersecurity practice.

Contributors

  • Eddie Holman
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.