The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principals by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.
To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes.
Notice of Collection
The new regulations go on to make the point that personal information (herein either “PI” or “data”) is a matter of context. Using the illustration of an IP address, and noting that whether or not its retention qualifies as personal information “depends on whether the business maintains the information in a matter that ‘identifies, relates to, describes, is reasonably capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.'” If that link does not exist, the IP address is not personal identification, but then best practice would dictate the company make clear what it does and does not associate with the data it retains.
The new regulations go on to reinforce the point the notice of collection should be presented timely, i.e., at or before the point of collection, and makes clear the categories of data being collected and the intended purposes. The regulations now also require accessibility for all consumers by implementation of the World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018) standard. Available at https://www.w3.org/TR/2018/REC-WCAG21-20180605/.
There is also an attempt at further clarity regarding where the notice should be presented. For example, if the business collects personal information online, the notice should be on the home page and all other pages where personal information is collected. If the data is collected through a mobile app, the notice should be on the landing or download page and within the app, such as through the user’s settings menu. If the data is collected offline, then print forms and conspicuous signage should be used to direct the consumer to where the notice can be found offline. Lastly, if the information is collected by telephone, the notice may be provided orally.
There is also the caution that when data is collected by a mobile app that is not “reasonably expect[ed],” a just-in-time link to a notice with a summary of the categories of personal information being collected and a link to the full notice is to be provided. The illustration used is a flashlight app that collects geo-location data.
Do Not Sell Logo
Then, finally, we now know what the logo should look like if a company does sell personal information and provides the opt-out process now required.
The mandate now is the opt-out button or logo may be used in addition to any posting about the right to pot-out, but not in lieu of such notice. If used, the button or logo is to appear to the left of the text as above. The text itself should be in “approximately the same size as other buttons on the business’s webpage.” Of course, if the company does not sell personal information, this is not required. At the same time, companies that do sell data and do not use this button/logo, may find themselves with lots of complaints about how clear they are being regarding how consumers opt-out.
The revised regulations are also helpful to employers. First, there are two new definitions:
“Employment benefits” means retirement, health, and other benefit programs, services, or products to which consumers or their beneficiaries receive access through the consumer’s employer.
“Employment-related information” means personal information that is collected by the business about a natural person [for use with job applicants, employees, owners, directors, officers, medical staff or contractors; emergency contact details; and to administer benefits]. The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.
Requests to Know/Delete
Another change which helps business is the revision about how requests to know/delete are to be dealt with. First, if the company operates exclusively online and so has a direct relationship with the consumer from whom the PI is collected, it need only provide an email address for submitting requests. All other businesses are to provide two or more methods for submitting such requests, with one being a toll-free number.
Companies may (not “shall”) use a two-step process for online requests, so it is no longer a requirement for the consumer to submit the request and separately confirm deletion is requested. There is also clarification the response deadlines are business not calendar days. Plus, if the business cannot verify the identity of the requestor within 45 days, the request may be denied. Further, if a request is received, the business is not required to search for personal information if: the business does not maintain the data in searchable or reasonably accessible format, it maintains the data for legal or compliance purposes only, it does not sell the data or use it for commercial purposes, and the business describes to the consumer the categories of records that may contain personal data which it did not search because it meets the other conditions stated.
Further unique biometrics were added to the list of data to not disclose, along with if the business cannot verify the identity of the requestor it is no longer required to inform the requestor of the denial if prohibited by law from doing so.
The response to any request has been revised so it now must include: 1) the categories of personal information collected about the consumer in the preceding 12 months; 2) the categories of sources from which the data was collected; 3) the purposes for which the data was collected or sold; 4) the categories of third parties with whom the data was shared; and 5) the categories of data sold or disclosed in the prior 12 months, and for each such category, the categories of third parties to whom that particular category of data was sold or disclosed.
When it comes to deletions, if the consumer data is on backup or archived systems, the request to delete may be delayed until that system is restored to an active one or is next accessed or used for a sale, disclosure or commercial purpose. Businesses are also now permitted to retain a record of the consumer’s request for deletion, provided the request was complied with, so as to insure the data remains deleted. Businesses are now also permitted to notify the consumer if deletion is not possible due to a conflict with state or federal law.
Just as with other methods of consumer notices to the business, the opt-out process is to be easy to understand and straightforward to execute. Minimal steps should be required. If the consumer has global privacy settings which conflict with device settings, the business is to honor the global settings, but may notify the consumer accordingly. Any opt-out technology is to be neutral, meaning no default to opt-in or out is permitted.
If a consumer has opted out, and attempts to use a product or service that requires an opt-in, the business is to honor the existing global setting, but may notify the consumer the product or service requires opt-in and provide instructions for the consumer to be able to do so.
There are some additional changes on this topic also worthy of note. The first is, as mentioned above, training is required only once the personal information about 10,000,000 consumer is maintained in a 12 month period.
A company is to maintain a record of consumer requests and how the business has responded for at least 24 months. Such records are to be maintained in a ticket or log format to include the date and nature of the request, manner in which the request was made, date and nature of the response, and the basis for denial in whole or in part. Information maintained for recordkeeping purposes is not to be shared with third parties.
The definition of a household has been refined to mean “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” If a common user name and password is used by various members of the same household, then any request, such as for deletion or knowledge, needs to be joined by all members of the household. That could end up meaning also confirming that any information about one user may need to be validated in terms of whether or not that person is still a member of the household! To comply with this change, businesses can be expected to insist that each user have their own user name and password.
Companies that have already implemented their CCPA compliance program and website/mobile app notices are now faced with deciding whether to update now or wait for further changes. Many will choose to wait since these February revisions are subject to further input, with the comment period closing on February 25, 2020.
A copy of the revisions to the regulations in red-lined format can be found here: CCPA February 2020 Regulatory Changes. If you wish to file comments, they can be sent via email to PrivacyRegulations@doj.ca.gov or by mail to Lisa B. Kim, Privacy Regulations Coordinator, California Attorney General, 300 S. Spring St, First Floor, Los Angeles, CA 90013.