We're Getting Closer: AG Releases New Modified CCPA Draft Regulations

California Attorney General Xavier Becerra wasted no time in issuing new modified draft regulations for the California Consumer Privacy Act (“CCPA”), announcing new draft regulations on March 11, 2020 – just two weeks after the public comment period expired on the prior draft regulations. While the March 2020 changes are more limited than the February 2020 modifications to the original October 2019 draft regulations, the new changes have an immediate impact on all businesses currently working to comply with the CCPA’s requirements. Selected provisions of the newest draft regulations are set forth below:

  1. Personal Information Reverts to the Statutory Definition – There was a lot of excitement in February about the modification to the definition of “personal information” under the statute, including in what contexts certain information not explicitly linked to an individual or household (such as IP addresses collected from website visits) would or would not be considered “personal information.” As we noted in a previous article, the problem with that modification was that it created ambiguity regarding when certain personal information collected or disclosed by the business may be “capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household” when combined with other available information, even if the business itself makes no effort to create such a link or identification. The newest draft regulations have accordingly deleted this attempt at narrowing the definition of “personal information,” essentially reverting to the broad definition in the statute. Thus, as currently defined, essentially every piece of information that is reasonably capable of being related to a California resident or household, including IP addresses or other information not currently linked to an individual or household, constitutes personal information under the CCPA.
  2. Businesses That Do Not Collect Information Directly Do Not Need To Provide Notice At Collection – Although this appeared to be the case based on statutory language and previous regulations, the March 2020 modifications added back in the provision that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection if it does not sell consumers’ personal information.
  3. The Opt-Out Button And Logo Is Gone – The proposed Opt-Out Button and Logo released with the February 2020 modifications has been entirely deleted in the March 2020 modifications. It remains to be seen whether a new button or logo will be forthcoming or what it will look like.
  4. Responses to Request to Know Specific and Sensitive Information – The February 2020 modifications clarified that businesses are restricted from disclosing certain sensitive information such as driver’s license number or other government-issued identification numbers, social security number, financial account number, health insurance or medical identification number, account password, security questions and answers, and biometric data, in response to consumer requests to know specific pieces of information collected about them. However, the new modifications explain that businesses must still disclose with “sufficient particularity” the type of sensitive information collected without disclosing the actual information. For example: if a business collects biometric data, it must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
  5. Notice of Employment-related Information – A business collecting employment-related information still needs to provide notice at collection to employees and job applicants but does not need to include a link to a business’s main privacy policy in that notice.
  6. Privacy Policy Right To Know Description – Although the description of personal information required to be disclosed in a business’s privacy policy appeared to be somewhat relaxed by the February 2020 modifications, the new modifications clarify that a privacy policy must identify not only the categories of personal information collected about consumers in the previous 12 months, but also the categories of sources from which personal information is collected and the business or commercial purposes for collecting and selling the personal information (in addition to the previous requirement of identifying the categories of personal information sold or disclosed to third parties and – for each category – the categories of third parties to whom information was sold or disclosed).
  7. Information Of Minors – If a business has actual knowledge that it sells personal information of minors under 16 years of age, it must include a description of the affirmative opt-in consent process required for selling personal information of minors in its privacy policy.
  8. Opt-Out Privacy Controls – The February 2020 modifications prohibited businesses from providing pre-selected opt-outs in user-enabled privacy controls and required consumers to affirmatively exercise their choice to opt out. However, the March 2020 regulations deleted this affirmative selection requirement, leaving the possibility of pre-selected settings. Moving forward, how businesses handle opt-outs in privacy controls will depend on a variety of factors including the industry the business operates in, target audience, and the value of the collected data to the business.

Despite all of this new information and guidance, it is important to remember that these modifications are still in draft form and will undergo further revisions until finalized later this year.  It remains to be seen how many more modifications will come between now and July, and businesses are already frustrated at the moving target of compliance presented by the ever-changing regulations.  While it is helpful to get periodic glimpses into the AG’s thought process and see where the regulations are heading, additional draft modifications – including adding and then removing requirements, or removing them and then adding them back in, as well as making other substantive changes – will likely incentivize businesses to stop taking any further steps toward compliance until final regulations are released.  The good news is the recent changes are less extensive, indicating that we are hopefully getting closer and closer to the final product.

For further information on how the modified regulations or the CCPA impacts your business, contact our Cybersecurity & Data Privacy lawyers Scott Hall and Foram Dave.  You can also review additional CCPA articles and resources in our CCPA Resource Center.