California: AG modified proposed CCPA regulations
The California Attorney General ('AG'), Xavier Becerra, released, on 7 February 2020, a modified text of the proposed regulations ('the modified Proposed Regulations') under the California Consumer Privacy Act of 2018 ('CCPA') for public comment, further to the Proposed Regulations' first release in October 2019.
In particular, the modified Proposed Regulations include:
- new definitions and amendments to previous ones;
- the inclusion of 'opt-out' buttons that organisations may utilise;
- modifications to the procedures regarding consumer requests; and
- provisions on retention, use or disclosure of personal information by service providers.
Clarifying Personal Information
The modified Proposed Regulations clarify that whether information would be considered personal, depends on whether the business maintains it in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. David Saunders, Partner at Jenner & Block LLP, told OneTrust DataGuidance, "The modifications to the proposed regulations contain a number of revisions with the most significant changes involving the regulation of service providers and the definition of household and procedures around verified households […] The original, proposed regulations would have caused significant turmoil for businesses and would have potentially harmed consumers, with the revisions now taking a positive step [...]"
Therefore, and to bring clarity to the meaning of personal information, the modified Proposed Regulations note that, for example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.
Opting-Out and Complying with Consumer Requests
The modified Proposed Regulations also give further clarity with regards to opt-out clauses, and provide, for example, that businesses selling personal information must provide a notice of right to opt-out. Saunders stated, "There are two competing goals with respect to the opt-out provisions of the CCPA. Both consumers and businesses want consumers to be informed of their opportunity to opt-out of the sale of their information, but neither want them to be inundated with privacy forms, pop-ups and other impediments to the consumers actually engaging in a transaction that they want with a business."
Changes have also been introduced, regarding consumer requests to know or delete personal information that is collected, by distinguishing between businesses that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information, with Saunders noting that "in the initial Proposed Regulations, businesses would have to treat the unverified deletion request as a request to opt-out. Now, however, businesses are only required to ask if the consumer wants to opt-out, returning control of the opt-out to the consumer."
Concerning service providers, the modifications mainly regard retaining, using, or disclosing of personal information in the course of providing services, which, in general, would not be permitted, except for certain cases, including retaining and employing another service provider as subcontractor, detection of data security incidents, or protection against fraudulent or illegal activity, or internal use by the service provider to build or improve the quality of its services. Saunders highlighted that "the modifications reflect the reality of what service providers may need to do, and ought to be permitted to do under the CCPA. They really just bring service providers in line with the rest of the CCPA."
Following these modifications, business have until 25 February 2020 to submit further written comments to the AG, although Saunders detailed that "what happens next is largely up to the AG, who could make more modifications, or publish finalised regulations, after which businesses will have to work to meet the new requirements in the regulations that are not currently in the CCPA."
Saunders also noted, "The entire CCPA process has been a lesson in how difficult a piecemeal approach to privacy can be for both consumers and businesses. We have a law that went into effect in January, but that will not be enforced until 1 July 2020, and don't yet know what the final regulations will look like […] Businesses will have spent years preparing for a law that is in effect, but is still very much a moving target, which makes it a recipe for compliance issues, and consumers may not be getting the protections and rights required because of how much uncertainty remains."
Iana Gaytandjieva Privacy Analyst
Comments provided by:
David Saunders Partner
Jenner & Block LLP