While the final CCPA regulations remain pending, written comments on the recently released proposed modifications are due by February 25, 2020. This article highlights some of the most notable changes to the proposed regulations.
The California Office of the Attorney General on February 7 released proposed modifications to the draft regulations implementing California’s groundbreaking new privacy law, the California Consumer Privacy Act (CCPA), and released a further modified set of regulations on February 10. The modifications, which amend CCPA regulations published on October 10, 2019, were released in response to nearly 1,700 pages of comments that the attorney general received regarding the proposed regulations. The modifications do not impose major new obligations, but instead address concerns expressed by the business community and provide some clarifications.
The modifications to the proposed regulations are not final. The period to submit written comments on the modifications ends on February 25, 2020 at 5:00 pm (PST). If the attorney general’s office only makes non-substantial changes to the draft regulations, then there will be no further notice and comment period. In that event, the regulations will be submitted to the Office of Administrative Law, which has 30 working days to review them and confirm that administrative procedure requirements have been followed. It is likely that the regulations will follow this path and be filed with the Secretary of State between March 1 and May 31, becoming effective on July 1. If the attorney general’s office makes substantial proposed changes to the regulations that are not related to the current modified regulations, then the attorney general must repeat the full 45-day notice and comment process, which is less likely.
While the list below is not exhaustive, this summary highlights some of the notable changes to the proposed regulations.
Scope of Personal Information. The modifications clarify that whether information is “personal information” depends on whether the business maintains the information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” To help understand this guidance, the modifications provide the following example: “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” This clarification will be of interest to online advertisers and to certain businesses that qualify for CCPA exemptions but are potentially subject to the CCPA based upon personal information collected through a public-facing website.
Households. The definition of “households” is revised under the modifications to mean those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier. To respond to a household rights request, where a consumer has a password-protected account, the business may process requests to know and delete relating to household information through the business’s existing business practices.
Notice at Collection Requirements. The modifications revise the requirement that a business cannot use personal information for “any purpose other than disclosed in the notice at collection.” The modifications state that so long as the new purposes are not materially different from those disclosed in the notice at collection, the business does not need to notify the consumer and obtain consent.
Mobile Application Notices. The modifications add new language to address mobile applications. When a business collects personal information through a mobile application, it may provide a link to the notice (and opt-out requirements) on the mobile application’s download page and within the application, such as through the application’s settings menu.
Unexpected Collection on Mobile Device; Just-in-Time Requirements. The modifications address notice requirements for when a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, citing the example of a flashlight application that also collects geolocation information. A business must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. The practice of “just-in-time” privacy notices within an app has previously been endorsed by the Federal Trade Commission and the California attorney general.
Affirmative Authorization. The modifications add a requirement that a business cannot sell the personal information it collected during the time the business did not have a notice of right to opt out posted unless it obtains the affirmative authorization of the consumer.
Opt-Out Button. The modifications introduce the design for an approved opt-out “button,” shown below, and state that its use is optional. The modifications also make clear that use of the button does not replace a business’s obligation to provide the “do not sell my personal information” text link where applicable.
Online Business; Consumer Requests. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting requests to know. The modifications also delete the previous language suggesting that businesses that operate a website must provide an interactive web form for the submission of requests.
Clarifying Time to Respond to Requests. The modifications clarify whether the periods for responding to a request to know or a request to delete are measured in business days or calendar days. Under the modifications, a business must confirm receipt of a request to know or delete within 10 business days, respond to the request within 45 calendar days, and respond to a request to opt out of sale within 15 business days.
Not Required to Search. The modifications add language indicating that when a business responds to a request to know, the business is not required to search for personal information if the business: (a) does not maintain the personal information in a searchable or reasonably accessible format, (b) maintains the personal information only for legal or compliance purposes, (c) does not sell the information or use it for a commercial purpose, and (d) describes to the consumer the categories of records not searched because they satisfy the three conditions above.
Non-Verified Request to Delete. The modifications delete language that required that a non-verified deletion request should be treated as a request to opt out of sale, and instead require that the business ask consumers if they would like to opt out of the sale of their personal information.
Service Providers. The modifications provide that a service provider must not retain, use, or disclose personal information in the course of providing services beyond what is necessary to perform the services specified in a written contract, but they create exceptions, including internal use by the service provider to build or improve the quality of its services (provided that the use does not include building or modifying household or consumer profiles) and cleaning or augmenting data acquired from another source. A service provider cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business. The modifications also revise a service provider’s obligation to respond to a consumer’s request to know or delete such that a service provider may either fulfill the request on behalf of the business or inform the consumer that it cannot act on the request because it was sent to a service provider. A service provider is no longer required to provide the consumer with the contact information for the business.
Verification of Requests Fee. A business cannot require consumers to pay a fee for the verification of their requests to know or requests to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify the consumer’s identity unless the business compensates the consumer for the cost of notarization.
Authorized Agents. The modifications expand the obligations of an authorized agent of a consumer. An authorized agent must implement and maintain reasonable security procedures and practices to protect the consumer’s information. An authorized agent must also not use a consumer’s personal information for any purpose other than to fulfill the consumer’s requests, for verification, or for fraud prevention.
Discriminatory Practices. The modifications provide that a business cannot offer a financial incentive if it is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive is reasonably related to the value of the consumer’s data. Further, the modifications add that it is not discriminatory for a business to deny a consumer’s request to know, request to delete, or request to opt out for reasons permitted by the CCPA.
Annual Disclosures. The threshold for recordkeeping metrics and privacy notice disclosure requirements that previously applied to businesses with the personal information of 4 million consumers has been increased to businesses with the personal information of 10 million or more consumers. These businesses must disclose recordkeeping metrics by July 1 of every calendar year in their privacy notice.
Consumers with Disabilities. The regulations previously provided that notices (and other rights) must be accessible to consumers with disabilities, and the modifications clarify that notices provided online must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
While the above summary does not include all of the proposed changes to the regulations, the changes described are representative of the tone and scope of the California attorney general’s approach to this update. The impact of the modifications will vary depending on how a business collects, uses, and discloses personal information, and how far along a business is in its CCPA compliance efforts.
The California attorney general initially issued proposed regulations for the CCPA on October 10, 2019, with proposed modifications released on February 7 and 10, 2020. As part of the rulemaking process, the California attorney general is deciding whether any modifications should be made to the proposed regulations before they become final based on public comments, which are due February 25. In the meantime, the proposed regulations provide useful guidance as businesses seek to comply with the CCPA, which took effect on January 1, 2020.
Please visit our CCPA Resource Center for more information and the latest updates.
The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
CCPA, Cal. Civil Code §§ 1798.100-1798.199.
The February 10, 2020, version added revisions to Section 999.317(g).