Amidst COVID-19, CA Attorney General Issues Second Modified CCPA Regulation

Morgan Lewis Practical Advice on Privacy: Guide to the CCPA

March 25, 2020

The California attorney general on March 12 released additional modified regulations proposing further refinements to the California Consumer Privacy Act. This latest set consists mostly of minor adjustments, introducing fewer significant new concepts than the previous iterations of October 11, 2019 and February 7 and 10, 2020. Against this backdrop, businesses responding to the coronavirus (COVID-19) outbreak are seeking enforcement delays as the regulations approach final form.

AS CCPA REGULATIONS APPROACH FINAL, CALLS FOR ENFORCEMENT PUSHBACK INCREASE

While the March 12 modifications (Second Set of Modifications) suggest that the CCPA regulations are approaching their final form in advance of the law’s July 1, 2020 enforcement date, there is a growing movement in the business community calling for the pushback of the enforcement date to January 1, 2021 in light of the COVID-19 outbreak. On March 17, a group of 34 trade associations, companies, and organizations—including the Association of National Advertisers, California Retailers Association, and CalChamber—submitted a letter to the attorney general requesting a delay in enforcement.

The March 17 letter states the following:

The public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider tradeoffs between decisions that are best for their employees and the world-at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement activities.

KEY MODIFICATIONS

Definition of “Personal Information”. The first set of modified CCPA regulations (First Set of Modifications) introduced guidance on the definition of personal information. That guidance included an example providing that if a business collects the IP addresses of visitors to its website but does not link the addresses to any particular consumers or households, and could not reasonably link the addresses with a particular consumer or household, then the IP address would not be deemed personal information.

This guidance, which seemed to respond to concerns of the online advertising industry and the many businesses with public-facing websites, was eliminated in the Second Set of Modifications. However, it is important to remember that the CCPA statute’s definition of personal information applies to information that “could be reasonably linked, directly or indirectly, with a particular consumer or household” and that definition, which is consistent with the deleted guidance, remains.

Definition of “Financial Incentive”. The definition of financial incentive is at the heart of the CCPA’s non-discrimination provisions, which prohibit discriminatory financial incentives and price or service differences if a business treats a consumer differently because the consumer has exercised CCPA privacy rights.

The Second Set of Modifications broadens the definition of financial incentive to mean a program, benefit, or other offering, including payments to consumers related to the collection, retention, or sale of personal information. The First Set of Modifications had defined a financial incentive as compensation for the disclosure, deletion, or sale of personal information. The revised definition’s focus on payments “related to the collection” of personal information is likely to impact loyalty programs.

Do Not Sell Button. The Second Set of Modifications eliminates the form of opt-out button developed by the California attorney general in the First Set of Modifications. The proposed button, which a business could use on its homepage to link to its right to opt-out of sale notice, was criticized as confusing during the most recent comment period. Critics charged that this proposed button could be misconstrued as an actual, functioning toggle switch (which it is not), rather than a logo:

[Image: Opt Out Button]

Privacy Policy Requirements. The First Set of Modifications deleted the requirement that a privacy policy specify the sources from which personal information is collected, as well as the business or commercial purpose for collecting personal information. The Second Set of Modifications reinstates the requirement to specify the sources of personal information that is collected. Under this latest iteration, however, the sources do not have to be specified by category, which had been required under the original version of the CCPA regulations.

Notice at Collection. The Second Set of Modifications continues to provide that a business’s response to a request to know shall not include disclosure of certain sensitive data elements, including a consumer’s Social Security number and driver’s license number, adding “unique biometric data generated from measurements or technical analysis of human characteristics” to the list. However, the business must inform the consumer with sufficient particularity that it has collected the type of information. For example, a business may state that it collects a fingerprint scan without disclosing the actual fingerprint scan data. In addition, the Second Set of Modifications clarifies that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.

Service Providers. The Second Set of Modifications clarifies that a service provider may collect personal information directly from a consumer, or about a consumer, and still qualify as a service provider under the CCPA.

Employment-Related Privacy Notices. The Second Set of Modifications provides that an employment-related privacy notice to employees, officers, directors, job applicants, or contractors is not required to provide a link to the business’s privacy policy.

COMMENT PERIOD AND BACKGROUND INFORMATION

The Second Set of Modifications to the proposed regulations is not final. The period to submit written comments to the Second Set of Modifications ends on March 27, 2020 at 5:00 pm PST.

If the attorney general’s office only makes non-substantial changes to the draft regulations, then there will be no further notice and comment period. In that event, the regulations will be submitted to the Office of Administrative Law, which has 30 working days to review to confirm that administrative procedure requirements have been followed. It is likely that the regulations will follow this path and be filed with the California secretary of state between March 1 and May 31, becoming effective on July 1.

If the attorney general’s office makes substantial proposed changes to the regulations that are not related to the current modified regulations, then the attorney general must repeat the full 45-day notice and comment process, which is less likely.

By way of further background, the California attorney general initially issued proposed regulations for the CCPA on October 10, 2019, with proposed modifications released on February 7, February 10, and March 12, 2020. As part of the rulemaking process, the California attorney general is deciding whether any modifications should be made to the proposed regulations before they become final based on public comments. The current comment period ends on March 27. In the meantime, the proposed regulations provide useful guidance as businesses seek to comply with the CCPA, which took effect on January 1, 2020.

HOW WE CAN HELP

  • The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. For help with CCPA-related or other issues in the privacy and cybersecurity space, please contact any of the lawyers listed below.
  • For more information and the latest CCPA updates, please visit our CCPA Resource Center.
  • In addition, for our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. We also have launched a resource page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts.

CONTACTS

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

San Francisco
Reece Hirsch
Carla Oakley
Michele Park Chiu
Kevin Benedicto
Gene Park

Los Angeles
Joseph Duffy

Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis
Julian Williams
Terese Schireson

New York
Martin Hirschprung

Washington, DC
Ronald Del Sesto
Dr. Axel Spies