Modified CCPA Regulations: What Changed?

On February 7, 2020, the California Attorney General released modifications to its proposed CCPA regulations. The updates clarified the intent of the CCPA regulations, provided more guidance for processing consumer rights, and eased compliance for data brokers, service providers, and online businesses. If you don’t feel like reading a 32-page redline on a Saturday, below is our decidedly non-exhaustive take on the modifications; see our analysis of the initial regulations here.

Requests to Know:

a. Denial. Businesses can now deny requests to know if they are unable to verify a consumer within 45 days.

b. Records. Businesses also do not have to search through every possible record to respond to a request to know; a business does not need to search a record if the business (1) cannot search the record, (2) only maintains the record for legal or compliance reasons, (3) does not sell the information in the record or use it for a commercial purpose, and (4) tells the consumer the categories of records that it did not search. These exceptions raise the question of what counts as "not searchable" and what counts as a legal/compliance purpose; nonetheless, businesses now have fewer records to search to comply with requests to know.

c. Verification. When verifying a request to know, the modified regulations advise trying to match information that the business already has about the consumer with information the consumer provides. By implication, the modified regulations make clear that a business should avoid asking for additional or sensitive information when trying to verify a consumer. In layman’s terms, ask the consumer what they bought from your business, not for their driver’s license.

d. Response. In responding to a request to know, the modified regulations clarify that a business should disclose the categories of (1) sources of personal information collected, (2) personal information collected, (3) the business purpose for which the information was collected or sold, (4) entities to whom the business has sold the information, (5) entities with which the information was shared for a business purpose, all within the preceding 12 months.

Requests to Delete: The original regulations contained an odd provision: if a business was unable to verify a request to delete, it had to treat that failed request as an opt out of sale. The provision left businesses wondering which consumer to opt out: the requestor or the person of record? The modified regulations deleted this clause and added the requirement that a business ask a failed requestor whether they would like to opt out of sale. The modified regulations also clarified that a business can keep a record of a request to delete after completing the request.

Requests to Opt Out:

a. Third Parties. The modified regulations now state that businesses must flow requests to opt out to third parties that sell the consumer’s information. This is a large blow to the broker industry and will be logistically challenging to implement across the ad ecosystem in particular.

b. Do Not Track. The AG doubled down on its support of Do Not Track technology in the modified regulations, mandating that business websites treat a consumer's privacy setting in their browser or plugin as a valid consumer request to opt out of sale. We do not know which privacy controls meet the AG's definition, only that a compliant privacy control must be able to submit an opt-out signal to a website.
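As an added example (not code from the original post or from the AG's regulations), here is how a site's request-handling layer could honor such a browser signal before any ad or analytics code runs. It assumes a Node-style headers object; the recognized header names are assumptions about what the AG would accept: the DNT header, and the later Sec-GPC header from the Global Privacy Control proposal, which the post does not mention.

```javascript
// Added example: treat a browser/plugin opt-out signal as a CCPA opt-out of sale.
// Which controls satisfy the regulation is an open question (see the post above);
// the set of recognized headers below is an assumption, not a legal determination.
const OPT_OUT_HEADERS = {
  // Do Not Track header: "1" means the user asked not to be tracked.
  "dnt": (v) => v.trim() === "1",
  // Global Privacy Control header (proposed after this post was written);
  // included as an assumption about a later browser opt-out signal.
  "sec-gpc": (v) => v.trim() === "1",
};

// Return true if any recognized opt-out header is set on the request.
// Header names are case-insensitive, so keys are normalized; values may be a
// string or an array of strings (Node's IncomingMessage.headers shape).
function hasOptOutSignal(headers) {
  const norm = {};
  for (const [k, v] of Object.entries(headers || {})) norm[k.toLowerCase()] = v;
  for (const [name, isSet] of Object.entries(OPT_OUT_HEADERS)) {
    const raw = norm[name];
    if (raw === undefined) continue;
    const values = Array.isArray(raw) ? raw : [raw];
    if (values.some((v) => isSet(String(v)))) return true;
  }
  return false;
}

// Apply the signal to a request object: set the opt-out-of-sale flag that
// downstream ad/analytics integrations must check, and record where the
// opt-out came from so the business can show how it was received.
function applyOptOut(req) {
  const optedOut = hasOptOutSignal(req.headers);
  return {
    ...req,
    optOutOfSale: optedOut,
    optOutSource: optedOut ? "browser-signal" : null,
  };
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = [
  { path: "/", headers: { "dnt": "1", "user-agent": "example" } },
  { path: "/", headers: { "DNT": "0" } },
  { path: "/", headers: { "sec-gpc": ["1"] } },
  { path: "/", headers: {} },
];

// Summarize the decision for each sample request.
function summarize(requests) {
  return requests.map((r) => {
    const out = applyOptOut(r);
    return { headers: r.headers, optOutOfSale: out.optOutOfSale, source: out.optOutSource };
  });
}

console.log(summarize(SAMPLE_REQUESTS));
```

The decision is made once per request and before any tag or SDK runs, which keeps the opt-out from depending on the consumer clicking anything further (the "minimal steps" point the AG makes about opt-out mechanisms applies here as well).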

c. Dark Patterns. The AG also made clear that requests to opt-out had to be “easy for consumers to execute [and] require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.” Ease of opting out may scare some businesses; however, our clients are experiencing an opt-out rate of 1-5% of California traffic depending on the industry.

Service Providers: The original regulations prohibited service providers from using consumers' personal information for any purpose other than providing services to the business. Realizing this was overly restrictive, the modified regulations also permit service providers to use personal information for subcontracting, internal use, security, and compliance with government laws and orders. Service providers also have to respect an opt-out of sale given to the business they service. Perhaps most importantly, the modified regulations give service providers the option of either handling consumer rights requests or directing those requests to the business that collected the information in the first place. Many businesses have already had their service providers sign CCPA Data Processing Addendums that are more restrictive than the modified regulations; service providers now have more cover to push back on such overly restrictive DPAs.

Data Brokers: The AG clearly heard from many data brokers in drafting these modifications. Instead of requiring brokers to ensure that the original collector of the PI a broker sells had procured consumer consent, the modified regulations only require brokers to register with the AG and provide consumers with a mechanism to opt out. It is unclear how the AG will further regulate brokers, but this is a big win for the brokers (for now).

Households: The AG finally defined a “household” as a group of people who (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier. The modified regulations also clarified how verification of household consumer rights requests would work: if the household has an account, being signed into that account can pass for verification. If there is not an account, a business must verify each member of the household individually, with any children in the household requiring verified parental consent before being able to make a consumer request.

Employers: Effective in 2021, employers need to provide a privacy notice to employees at the time of collection of their personal information but do not need to provide an opt-out of sale for that information.

Mobile Applications: For the mobile applications of businesses subject to the CCPA, the modifications more or less confirmed the status quo: (1) provide consumers with a link to your privacy policy in the app, such as in the settings menu, and (2) give just-in-time notifications when your app accesses things like GPS, microphone, or camera.

Accessibility: The modified regulations reflect a desire for consistent terminology throughout the law. They also mention the Web Content Accessibility Guidelines, version 2.1 several times as a standard for accessibility and consumer notices.

Discrimination and Financial Incentives: The AG gave detailed examples on what constitutes a permissible financial incentive for collection of personal information; essentially, a business must prove why personal information is valuable to it in order to cease providing financial incentives after a consumer submits a deletion request.

In-Person Notices and Requests: The modified regulations codify what savvy businesses were already doing: oral notices of privacy practices when consumers provide personal information in the physical realm. The modified regulations also suggested a paper form for exercise of CCPA rights. Intuitive, but helpful to know the AG has a practical side.
