March 16, 2020

California Attorney General Issues Revisions to CCPA Regulations

The California Attorney General has issued revisions to the previous version of the proposed regulations, and it appears to be aimed at making compliance more attainable.

The July 1, 2020 enforcement date for the California Consumer Privacy Act (CCPA) is closing in and companies doing business in the state are grappling with understanding and complying with its complicated and evolving requirements. On February 7th, the California Attorney General issued revisions to the previous version of the proposed regulations originally released back in October 2019. The changes appear to be aimed at making compliance more attainable, although various interpretive issues have yet to be resolved and operational challenges (including with respect to verifying and responding to consumer requests and record keeping) still abound. 

The deadline for public comment on these revisions closed on February 24th, which means there are likely more changes yet to come before the July 1 date.

Relief Provided to Data Brokers and Service Providers

Two groups likely to feel some relief are data brokers and service providers. Under the proposed revisions, data brokers that do not collect information from consumers directly and which are registered as data brokers with the Attorney General would no longer need to notify consumers about whether they sell the consumer's personal information (PI) or verify that the source provided such notice. These earlier proposed requirements were deleted and instead a registered data broker would be in compliance if it provides a link to its online privacy policy that includes instructions on how a consumer can submit an opt-out request.

Relief for service providers under the revised proposed regulations would allow them to utilize the data they receive to build or improve the quality of their services as long as they do not use the data to build or modify consumer or household profiles. The original proposed regulations appeared to limit the ability of service providers to do anything with PI it received outside of providing the contracted-for service. In addition, service providers that receive requests to know or delete from a consumer can take action on behalf of the businesses they represent or inform the consumer it cannot respond because they are a service provider. The prior version required service providers to notify the consumer to contact the business directly.

The revised proposed regulations also provide relief in the form of the addition of qualifying provisions such as adding "reasonably" to the provisions on accessibility to consumers with disabilities, and "readily" to available locations where consumers will see information helpful to making choices for opting in or out of things like financial incentives or price or service differences, which, although still strongly consumer-protective, create a more achievable standard.

Lastly, businesses would no longer need to specify the manner in which a consumer's PI has been deleted, but rather, can inform the consumer whether it has complied with the request to delete the PI.

Clarifying Amendments

  • The latest version contains several clarifying amendments, including:
  • what notice at the point of collection is required to include;
  • how an opt-out "Do Not Sell My Info" button may look; and
  • how the value of a consumer's data to the business might be calculated to demonstrate where discounts are "reasonably related" to the value of the consumer's data.

Other Observations

  • The proposed regulations introduce the concept of consumer communication and engagement through mobile applications for the first time, requiring that certain pop-up "just in time" notices be utilized for situations where data is being collected for a use that wasn't originally contemplated by the user of the app – e.g., where a flash light app on a cellphone that collects geospatial data.
  • The regulations previously required a business which buys, sells, receives, or shares the personal information of 4 million consumers annually to maintain and report certain metrics about its responses to consumer requests.The threshold has now been adjusted to 10 million annually, which should narrow substantially the number of businesses that need to compile and report these metrics on their websites.
  • Questions still remain about whether certain activities constitute a "sale," such as PI exchanged for targeted advertising purposes, which under the proposed regulations would currently necessitate an option for consumers to opt-out of such a sale.