The California Attorney General’s Office issued a revised set of regulations for the California Consumer Privacy Act (CCPA) on February 10, 2020, correcting an omission from the February 7, 2020 version. The changes are mostly clarifications, but some revised rules relating to consumer requests may require changes or updates to compliance procedures implemented before the law’s effective date of January 1, 2020. Below is a summary.
Are changes required to online privacy policies?
Probably not. A key feature of the initial draft was the requirement to tie the source of collection, purpose for use, and disclosure to third parties to each of the identified Personal Information (PI) categories in the CCPA. This led to disclosures in a chart format with separate columns for (1) the category of PI, (2) the source(s), (3) the purpose(s) of use, and (4) the category of third party to whom PI was disclosed/sold.
The revised regulations require only that the categories of PI disclosed/sold be tied to the category of third party to whom the PI was disclosed/sold, thus eliminating the need to tie the sources and purposes of use to each category. But leaving those disclosures would not be inconsistent with the revised requirements in the regulations and may even be helpful at the time of responding to a request to know the categories of PI collected. So, changes are not strictly necessary.
Are changes required to consumer request procedures?
Maybe. Many changes further clarify already established procedures. However, the changes relating to responding to requests for deletion, requests to know the categories of PI, and requests to opt-out may require changes to procedures, as described below.
Timing. The regulations clarify that the confirmation of receipt is due 10 business days from receipt of the request and the full response is due 45 calendar days from receipt of the request.
Deletion. Several changes were made regarding requests for deletion. First, the two-step process for deletion – whereby the consumer would first request, then confirm the request before deletion – is now permissive instead of mandatory. The practical effect is that if a business is willing and able to honor a request for deletion (for an email address from a marketing list, for example) it can do so without requesting a separate confirmation of the request.
Second, a business no longer needs to communicate how it complied with the request (as in whether it erased, deidentified, or aggregated the PI). Instead, the business must simply inform the consumer whether or not it complied with the request.
Third, whereas before a business had to convert a request for deletion to a request to opt-out of sale if the business could not verify the individual’s identity, it is now required only to offer that option to the consumer. Presumably, if there is no sale, then a business does not have to act on requests for deletion for which it cannot verify the requester’s identity.
Last, the revised regulations clarify that a business may keep a record of requests for deletion to ensure the PI remains deleted from the business’s records.
Access or Request to Know Specific Pieces of PI. In responding to a request for access, a business does not have to search for PI if: (a) the business does not maintain the PI in a searchable or reasonably accessible format; (b) the business maintains the PI solely for legal or compliance purposes; (c) the business does not sell PI and does not use it for any commercial purpose; and (d) the business describes to the consumer the categories of records that may contain PI it did not search because it meets these conditions. This differs from the initial version of the regulations, which contained a vague standard allowing businesses to deny requests for access where there was a substantial, articulable, and unreasonable risk to the security of PI, the consumer’s account with the business, or the security of the business’s systems or networks. That standard was replaced with conditions (a)-(d) above.
The revised regulations also include “unique biometric data generated from measurements or technical analysis of human characteristics” in the list of data elements that cannot be disclosed in response to a request to know. The other data elements include social security, driver’s license, and government-issued identification numbers; financial account number; health insurance or medical identification number; account password; and security question and answer. This change brings the provision in line with the PI data elements in the California breach notification statute.
Requests to Know the Categories of PI. The manner of presenting information in response to this request was modified. Whereas before the information provided had to be tied to the category of PI, now the only linking required is between the categories of PI disclosed/sold and the categories of third parties to whom disclosed/sold. An explanatory chart follows.
| October 2019 Draft Regulations | February 2020 Draft Regulations |
| --- | --- |
| For each identified category of PI: | The categories of PI collected in the preceding 12 months |
| The categories of sources | The categories of sources |
| The business or commercial purpose for collection | The business or commercial purpose for collection or sale |
| The categories of third parties to whom the business sold or disclosed PI | The categories of PI sold in the preceding 12 months, and for each, the category of third parties to whom sold |
| The business or commercial purpose for selling/disclosing PI | The categories of PI disclosed for a business purpose in the preceding 12 months, and for each, the category of third parties to whom disclosed |
These modifications may require changes to the way information is presented to consumers in response to a request to know the categories of PI.
Requests to Opt Out of Sale. The rules no longer require businesses to communicate requests to opt out of sale to all those third parties to whom PI was sold in the prior 90 days. Instead, the requests must be communicated to the third parties to whom PI was sold after the consumer’s request was received but before it was acted upon.
Requests received by Service Providers. Service providers are no longer required to provide consumers with information on how to submit requests directly to the business on whose behalf the service provider processes the PI. Instead, a service provider that receives a request to know or to delete may either act on the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.
Do businesses still have to provide an online web form for consumers to submit requests?
The revised regulations provide that businesses operating exclusively online need provide only an email address for consumers to submit requests. This follows the CCPA’s text and eliminates a requirement in the earlier draft regulations for businesses with a website to offer a web form for submitting requests. A business that already offers a web form may keep it in addition to the email address.
What changed in the regulations regarding service providers?
A major point of clarification in the October 2019 version of the draft regulations was the statement that service providers could collect PI on a business’s behalf. This clarification remains, but the revised regulations include limitations on what service providers can do with the PI. Specifically, a service provider is prohibited from retaining, using, or disclosing PI obtained while providing services except:
- To perform the services specified in the written contract with the business;
- To retain or employ a subcontractor, where the subcontractor meets the requirements for a service provider;
- For internal use by the service provider to:
  - Build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles or cleaning or augmenting data from another source;
- To detect data security incidents, or protect against fraudulent or illegal activity; or
- For purposes of:
  - Compliance with federal, state, or local laws,
  - Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities,
  - Cooperation with law enforcement agencies concerning conduct or activity that the service provider reasonably and in good faith believes may violate federal, state, or local law, and
  - Exercising or defending legal claims.
While the conditions outlined above are generally broad, they do impose limitations on service providers’ use of PI that are arguably stricter than the limitations in the statute itself. Recall that the statute allows service providers to use PI received from a business “for the specific purpose of performing the services specified in the contract [with the business] or as otherwise permitted by [the CCPA].” This last phrase was read to allow service providers to use PI for any business purpose enumerated in the statute, which included a list that was broader than the limitations in the revised regulations.
If a service provider is using client data for a business purpose other than building or improving the quality of its services or detecting security incidents, fraud, or illegal activity, those processing activities merit further review to determine whether they fall within the limitations in the regulations.
What do the regulations say about employee data?
What other changes are helpful from a business’s perspective?
The revised CCPA regulations include several other changes that are helpful from a business perspective. They are:
- The definition of household was narrowed so only those individuals residing at the same address who share a common device or the same service provided by the business are considered a household. Before, anyone occupying a single dwelling was considered a household.
- The regulations clarify that collecting IP address alone, without linking it to a particular consumer or household, would not constitute Personal Information.
- The revised regulations allow sale of personal information with consumer consent absent a “Do Not Sell” link. The initial version included a prohibition on sale absent the link. Now, if a business receives the consumer’s consent, it can sell data even if it does not have the link on its website.
- The 2020 draft clarifies that data on archive or backup systems subject to a request to delete need not be targeted for deletion unless the system is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose. Thus, accessing an archive or backup system for internal controls would not require targeting for deletion following a consumer request.
- The revised regulations shield certain household information from requests for access. Where a household does not have a password protected account with the business, a business does not have to comply with a request for specific pieces of PI unless all of the consumers in the household jointly make the request, the business individually verifies the identity of each member, and the business verifies that each individual making the request is currently a member of the household.
What are the next steps for the regulations?
The comment period closes on February 25, 2020. A final draft is expected shortly thereafter. The final draft must then undergo review by the Office of Administrative Law before formal adoption by the Secretary of State. This process will take at least 30 working days after the final draft of the rules and supporting documentation are published.