More substantive changes in the latest draft of the AG’s CCPA regs
California Attorney General Xavier Becerra released an updated draft of the regulations that will provide implementation guidance for organizations covered under the California Consumer Privacy Act. The AG released the initial draft implementing regulations in October 2019 and received hundreds of written comments during its 45-day comment period and held several public forums. This latest draft, published Feb. 7, 2020, includes some notable changes — and equally notable are some aspects that remain.
More qualifications around accessibility: While this doesn’t really change the letter of the law, it’s a topic near and dear to my heart. I applaud the AG for including more prescriptive language around making online privacy notices accessible, and pointing to specific guidelines is a step in the right direction.
Modification of household: The definition of household has been narrowed to include only those within the household who share a device, account or unique identifier.
Modification of personal information (PI): A new stipulation states that information needs to be kept in a way that it can be connected to a particular consumer or household in order to be considered PI. The regs include the example of an IP address, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
Modification of Service providers: This new iteration significantly revises the section on service providers, more clearly delineating the ways service providers can use PI provided them by a business. The regs outline the following appropriate uses:
To provide the services in the contract with the business,
Employing sub-contractors that also meet the service provider requirements,
Improving services as long as that doesn’t mean profiling or augmenting data from another source,
Detecting data security incidents.
The result of these changes is that organizations that previously would have been considered third parties will now be considered service providers, taking them out of scope for do-not-sell.
Mobile devices: The regs now require just-in-time notice for any collection of personal information (PI) from mobile devices that consumers would not reasonably expect. The notice must include categories of PI collected and a link to the full privacy notice.
Data broker obligations: This draft reduces obligations outlined in V1 for data brokers that have registered (Cal. Civ. Code 1978.99.80) with the AG’s data broker registry and include in their registration a link to their privacy notice and that privacy notice includes instructions on how consumers can opt out of the sale of their PI. These companies no longer have an obligation to ensure that consumers whose data they resell were provided a right to opt out.
Employment-related information: Though CCPA has been amended to exempt employment information for the time being, the AG has chosen to add in a requirement that businesses provide notice at collection of employment information just as any other PI, with the exception being there’s no need to link to the do-not-sell page.
The button (kind of): The first iteration of these regulations left a placeholder for the AG to propose a button businesses can use to direct people to the page where they can opt out of the sale of their PI. The new amendments include a red toggle switch (not really a button) that “shall appear to the left of the ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’ link.” The toggle does not replace notification obligations, however, and is voluntary.
Sources of PI in privacy notices: The AG has modified its rules around notifying consumers about the sources of PI. Businesses will no longer need to correlate the category of the source with the category of PI collected. You do need to include categories of third parties you sell it to per category of PI sold, however.
Two-step deletion process: The previously outlined two-step deletion process is now a “may”, not a “shall.” In the first version of the regs, the AG outlined a two-step process for deletion requests in which a consumer would request deletion and the business would then essentially have a way of asking “Are you sure?” This (which you may remember we thought was a great addition) is no longer required but allowed.
Exemption change for right to disclosure: Removed from the regs is a provision exempting businesses from complying with disclosure requests for security reasons. In its place is an exemption for businesses that:
Only hold PI for legal or compliance,
Don’t maintain PI in a searchable accessible format,
Do not sell or use PI for any commercial purpose,
Describe the categories of records that may contain PI and explain that you didn’t search for their PI because of the conditions above.
Biometric data: Biometric data has been added to the list of data elements you should not include in access reports. Other information on the do-not-distribute list includes government identification numbers, financial account numbers, health insurance or medical ID numbers, passwords, and security questions or answers.
Deletion response: New provisions state that you must include the option to opt-out of the sale of PI when you deny a deletion request. And when you comply with the deletion there is no longer a requirement to tell the requestor how you deleted their PI.
DNS and third parties: There is a new stipulation that businesses must notify of and direct third parties to comply with do-not-sell requests between receipt of the request and complying with the request.
Requirements for Authorized Agents: There is a new provision requiring authorized agents submitting requests on behalf of consumers to employ reasonable security measures for any PI they obtain about the consumer and a requirement not to use the PI for any purpose other than as required for conducting the request.
Metrics reporting in privacy notice: Introduced in the first draft of these regs is a requirement that certain businesses compile specific metrics on data subject rights requests and make them available in their privacy notice. This requirement stands in draft 2, but the scope of businesses has changed. This provision is now applicable to businesses that collect PI on at least 10 million consumers per year, whereas the first draft set the threshold at 4 million.
Only one submission method for online + direct relationship: These regulations offer an exception to the requirement in the CCPA that businesses provide two methods for consumers to submit access requests. For businesses that operate only online only and have a direct relationship with consumers from whom it collects PI, only an email address is required.
Things that didn’t change, but we thought they might.
Certain portions of the initial AG regs went above and beyond what most would consider implementation guidance and created new obligations for businesses. These, for the most part, were the more contentious elements of Becerra’s proposal. As such, we were on the lookout to see whether these provisions got rolled back. While some did, above, others did not. Here are some examples.
Opt-out timeframe: In the first iteration of these regulations, the AG reduced the timeframe for responding to do-not-sell requests to 15 days, and this remains in this draft.
Browser settings still = Do not sell: This requirement lives on unmodified, so businesses that fall under CCPA and don’t currently respond to browser do-not-track settings would need to put a system in place to do that. However, it’s important to note that the removal of the 90-day look-back for do-not-sell does make compliance with the overall process significantly easier.
These regulations remain a proposal, and the public has another week to comment on the draft — comments close Feb. 25. It’s likely we won’t have anything we can rely for a while. That said, we can start to read the tea leaves in what remains and what’s changed. So, here are a few things businesses can begin to work on in light of this second draft:
Do you have a way of responding to do-not-track browser settings? If not, it may be time to begin conversations to see what that would mean for your business.
Do you know your role under CCPA? Are you a business, third party, service provider or data broker? Perhaps more than one? A good place to start determining this is reviewing contracts that involve PI against the new qualifications for a service provider.
Check out our 5 steps to set up your business for CCPA success and beyond for more foundational tips.