Overview:
The California Department of Justice (Department) provided notice of the second set of modifications made to the proposed regulations regarding the California Consumer Privacy Act on March 11, 2020.
The Department first published and noticed the proposed regulations for public comment on October 11, 2019. On February 10, 2020, the Department had given notice of modifications to the proposed regulations, based on the feedback received during the 45-day comment period.
Subsequently, the Department received around 100 comments in response to the modifications. This second set of modifications has been made in response to the comments received and to clarify and conform the proposed regulations to existing law.
The Department will be accepting written comments regarding the second set of proposed changes between Wednesday, March 11, 2020, and Friday, March 27, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on March 27, 2020, by email to PrivacyRegulations@doj.ca.gov, or by mail to the address listed on the website.[1]
To help the public submit effective comments to improve the proposed regulations before they become final, the Department has also shared Tips on Submitting Effective Comments on the website.
Please note, the California AG may begin enforcing the CCPA on July 1, 2020.
Some significant changes in the Second Set of Modifications are as follows:
- Definitions: Originally, the term Financial incentive was defined as a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information.
The same has now been changed to: “Financial incentive” means a program, benefit, or other offering, including payments to consumers, related to the collection, retention or sale of personal information.[2] 11 CCR § 999.301(j).
- Guidance Regarding the Interpretation of CCPA Definitions: The guidance from the First Set of Modifications regarding how “personal information” should be interpreted has been deleted. The example, in the First Set of Modifications, made it amply clear that when a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.” This, however, stands deleted.
Experts say “it may not affect how the California AG will interpret the CCPA (since the fact that information must relate to a particular consumer or household in order to be considered ‘personal information’ under the CCPA comes from the text of the law itself and not the draft regulations). Businesses, however, can no longer rely on this particular example regarding an IP address when determining whether the information they process qualifies as personal information under the CCPA.”[3]
- Notice at Collection of Personal Information: A new subsection has been added to this section to clarify that a “business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.” 11 CCR § 999.305(d).[4]
- Furthermore, businesses collecting employment-related information are no longer required to provide a link to the business’s privacy policy in the notice at the point of collection of such information. This is a changed position from the First Set of Modifications where a suggestion was made to include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors in lieu of a link or web address to the business’s privacy policy for consumers.[5] 11 CCR § 999.305(f)(2).
- Opt-Out Button or Logo: The opt-out button crafted by the California AG in the First Set of Modifications that businesses could use on their homepage to link to their right to opt-out of sale notice has been deleted from the proposed draft in the Second Set of Modifications.[6]
- Privacy Policy: The privacy policy requirements have been further revised. With specific reference to the information that must be included in the privacy policy, businesses would need to identify the business or commercial purpose for collecting or selling consumers’ personal information. They would also need to describe it in a manner that provides consumers with a meaningful understanding of why the information is being collected or sold. 11 CCR §§ 999.308(c)(1)(e)-(f).[7] These requirements were included in the original version of CCPA regulations released by the California AG on October 11, 2019, but were removed in the First Set of Modifications.[8]
- Privacy Policy—Minors (11 CCR § 999.308(c)(9)): Additionally, a new section added in the second set of modifications emphasizes that if a business has actual knowledge that it sells the personal information of minors under the age of 16, it must include a description of that process in the privacy policy as provided under Special Rules Regarding Minors in Article 5 of the draft regulations.
- Responding to Requests to Know and Requests to Delete—Responding to Requests to Know: As regards disclosure of sensitive information, businesses would still be prohibited from disclosing a consumer’s social security number, driver’s license number, financial account number, health insurance or medical information, an account password, security questions and answers, or unique biometric information upon receiving a request to know from a consumer. However, per the Second Set of Modifications, a business would be required to inform the consumer with sufficient particularity that it has collected the above-mentioned type of information.[9] “For example, a business shall respond that it collects ‘unique biometric data including a fingerprint scan’ without disclosing the actual fingerprint scan data.” 11 CCR § 999.313(c)(4).
- Service Providers: In terms of service providers, the Second Set of Modifications clarifies that a service provider may collect information directly from a consumer or about a consumer and still be considered a service provider under the law. 11 CCR § 999.314(b).[10]
- Training; Record-Keeping: Under this section, a business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 10,000,000 or more consumers in a calendar year, shall compile the metrics as provided in the regulations for the previous calendar year. The words ‘knows or reasonably should know’ added in the second set of modifications further clarify which businesses fall under the ambit of this provision. 11 CCR § 999.317(g).
- General Rules Regarding Verification: The Second Set of Modifications clarifies that a business shall not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization. 11 CCR § 999.323(d).
- Calculating the Value of Consumer Data: The Second Set of Modifications clarifies that for the purpose of calculating the value of consumer data, a business may consider the value to the business of the data of all natural persons in the United States and not just consumers. 11 CCR § 999.337(b).
For more details on the subject, please see the Text of Second Set of Modified Regulations – Comparison Version, and if you have a CCPA project you need a hand with, feel free to reach out to us at contact@legaleasesolutions.com.
LegalEase Solutions provides corporate legal departments and law firms innovative support with regulatory compliance. Our team is designed to function as an extension to your legal practice or department, providing you the capabilities and resources to stay up to date with your needs. Our team would be happy to assist you with the CCPA and other regulatory compliance requirements.
[1] Source: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-notice-of-second-mod-031120.pdf?
[3] https://www.wilmerhale.com/en/insights/blogs/WilmerHale-Privacy-and-Cybersecurity-Law/20200316-california-ag-further-revises-modified-ccpa-regulations
[6] https://www.wilmerhale.com/en/insights/blogs/WilmerHale-Privacy-and-Cybersecurity-Law/20200316-california-ag-further-revises-modified-ccpa-regulations
[8] https://www.wilmerhale.com/en/insights/blogs/WilmerHale-Privacy-and-Cybersecurity-Law/20200316-california-ag-further-revises-modified-ccpa-regulations