United States: California Consumer Privacy Act Amendments And Proposed Rules: Benefit Or Burden?

Almost in tandem, the California Office of the Attorney General (OAG) and California Governor Gavin Newsom each recently took significant steps in shaping the obligations of businesses under the California Consumer Privacy Act (CCPA). On October 10, 2019, the OAG released proposed regulations implementing the statute; the next day, Governor Newsom signed into law a series of bills amending the CCPA. Given the nature of the amendments, it seems likely that the OAG will issue additional proposed implementing rules, or at least tailor its final rules to account for the amendments.

Among the more impactful of the amendments are one-year exemptions from most of the CCPA's requirements with respect to personal information collected (i) in connection with a business-to-business transaction or (ii) in an employment-related context. Other amendments, such as an expanded exemption for consumer report information regulated under the Fair Credit Reporting Act (FCRA), are of less broad, but still appreciable, importance.

Although both the new statutory amendments and the proposed amendments provide some clarification of the CCPA's ambiguities, including those discussed in our Advisory regarding the enactment of the statute, they by no means fully resolve many perplexing aspects of the law. As businesses move forward in preparing for compliance, there will be a continued need to formulate the most reasonable interpretations possible, guided by general privacy principles, canons of statutory interpretation, and plain common sense about consumer expectations.

The OAG is inviting public comments and will be holding public hearings on the proposed rules December 2-5, 2019 in four cities across the state. Those hearings, as well as the option to submit written comments on the proposed rules by December 6, are meaningful opportunities for entities subject to the CCPA to provide input on the statute's appropriate interpretation, implementation, and enforcement.

Newly Enacted Amendments

The new CCPA amendments were contained in five separate bills. In addition, Governor Newsom signed related legislation amending the definition of "personal information" in California's data security and data breach notification statutes, which definition relates to the private right of action granted by the CCPA, as discussed below. Some of the notable amendments include:

  • Exemption for Personal Information Collected as Part of Business-to-Business Communications. For some businesses, the temporary "business-to-business" exemption mentioned above substantially curtails the application of the CCPA to their activities. That exemption, contained in Assembly Bill 1355, provides that, until January 1, 2020, the CCPA notice, deletion, and reporting requirements do not apply to personal information "reflecting" a communication or a transaction between the business and a consumer who is acting as an employee or other representative of a company or other organization, if the communication or transaction occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, such company or organization. Notably, however, businesses must still give individuals whose personal information is collected in such a "business-to-business" context an opportunity to opt out of the business's sale of that information.

    For financial institutions in particular, the "business-to-business" amendment signals broad—if temporary—relief from many CCPA obligations. That is because the CCPA separately exempts from the definition of "personal information" information that is collected or otherwise processed by a financial institution "pursuant to" the federal Gramm-Leach-Bliley Act (GLBA). Personal information governed by the GLBA is non-public personal information collected by a financial institution in connection with an individual's application for or obtaining a product or service from the institution for personal, family, or household purposes. Thus, coupled with the GLBA exemption, the new "business-to-business" exemption broadly removes most financial institution customer information from the scope of the CCPA.

  • Exemption for Credit Report Information. AB 1355 also expands the CCPA's preexisting exemption regarding "consumer report" information under the FCRA. Prior to the amendment's enactment, the CCPA simply provided that it did not apply to "sales" of personal information by or to a consumer reporting agency if the information was intended to be included in a "consumer report" as permitted under the FCRA. The new, expanded exemption excludes from the CCPA's scope any "consumer report" information, provided it is collected, used, and shared in compliance with the FCRA.
  • Partial Exemption for Employment-Related Information. Assembly Bill 25 provides a one-year partial exemption from most of the CCPA obligations of a business with respect to personal information it collects from job applicants or the business's employees, owners, directors, officers, medical staff, or contractors, in the employment-related context. However, businesses must still provide these "consumers" with notice, prior to or at the point of collecting their personal information, regarding that collection, the purposes for it, and the categories of third parties with whom the information may be shared.
  • Designated Methods for Submission of Consumer Requests. Assembly Bill 1564 modifies the CCPA's requirement that businesses provide both a toll-free number and another means for consumers to submit requests pertaining to their personal information. Under AB 1564, businesses that operate exclusively online and have a direct relationship with consumers from whom they collect personal information are permitted to provide only an email address to consumers.
  • Expanded Grounds for Data Breach Private Right of Action. Assembly Bill 1130 does not amend the CCPA itself, but expands the definition of "personal information" that, if subject to unauthorized access or disclosure due to a business' lack of "reasonable security measures," triggers the private right of action granted to consumers under the CCPA. AB 1130 also expands, in the same way, the definition of "personal information" in California's data breach notification statute. As so amended, "personal information" in those contexts can be a consumer's first name or first initial and last name coupled with any of the following: unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document.

Proposed Regulations

The proposed regulations issued by the OAG provide guidance to businesses on several requirements of the CCPA, including:

  • Notices to Consumers—e.g., notice of collection of personal information, notice of the right to opt out of sales of personal information, and notice of financial incentives to provide information.
    • Notice of Collection. A business's notice that it will be collecting a consumer's personal information must be provided in plain, straightforward language, in a conspicuous format, and potentially in multiple languages. The notice must be accessible where consumers will see it before their personal information is collected, whether such collection occurs online or offline. (This could be provided as a link to the section of the business' privacy policy [described below] that describes personal information-collection.) Businesses that engage in multiple forms of personal information-collection will need to publish a notice of collection in multiple formats—for example, on the business's website, mobile application, and in printed materials and signage. And if a business intends to use a consumer's personal information for any purpose that was not disclosed at or before the time of collection, the business must obtain the consumer's explicit (opt in) consent to proceed with such use.
    • Notice of Right to Opt Out. The CCPA requires businesses that "sell" personal information to provide a link titled "Do Not Sell My Personal Information" on their websites, which must enable consumers to opt out of such sale. The proposed regulations permit businesses alternatively to title the link "Do Not Sell My Info" and require that businesses provide a webform or other document that can be used to submit an opt-out request, together with a link to the business's privacy policy. The OAG will propose a sample opt-out button or logo for businesses' use in a later version of the regulations. A business that does not, and will not, engage in the sale of personal information and states so in its privacy policy is exempt from these opt-out-related requirements.
    • Notice of Financial Incentive. The CCPA prohibits businesses from treating consumers who exercise their rights under the CCPA differently than other consumers. Thus, for example, a business may not charge a higher price for services to customers who have exercised their rights to opt out of the sale of their personal information, or requested deletion of their personal information, unless the price differential "is reasonably related to the value of the consumer's data." The proposed regulations require businesses to notify a consumer of each financial incentive or price or service difference offered in exchange for the retention or sale of the consumer's personal information. Such notice must include, among other things, a summary of the material terms of a financial incentive or price/service differential, instructions for providing and withdrawing consent for the retention or sale of the personal information, and an explanation of why the financial incentive or price/service differential is permitted under the CCPA, which must include a good faith estimate of the value of the consumer's personal information relative to the offering of the financial incentive or price/service differential, and a description of the method used to calculate such value.
  • Privacy Policy Requirements. The proposed regulations clarify certain aspects of the privacy policy requirements of the CCPA, including that privacy policies must contain a comprehensive description of a business's online and offline personal information collection practices. The proposed regulations reiterate the statutory requirements for the content of privacy policies, including, among other items, information regarding consumers' right to (i) know about personal information that is collected, disclosed, or sold, (ii) request deletion of personal information, (iii) opt out of the sale of personal information, and (iv) non-discrimination in connection with their exercise of privacy rights.
  • Responding to Consumer Requests. The proposed regulations provide guidance on how businesses should handle consumer requests about their data (i.e., "requests to know" and "requests to delete") and clarify acceptable methods for consumers to submit such requests and how businesses can verify them.
    • Designated Submission Methods. Businesses must provide two or more designated methods for the submission of consumers' requests to know and requests to delete. These methods may include, for example, calling a toll-free telephone number, sending an email, writing through regular mail, or making a request in person. In designating these methods, businesses must consider the ways in which they interact with consumers, and at least one designated method must reflect the manner in which the business primarily interacts with consumers. If a business does not interact with consumers directly in the ordinary course of business, it must make available an online method for consumers to submit requests.
    • "Do Not Ignore" Requirement. If a business receives a request to know or to delete other than via the business's designated submission channels, the business must either treat the request as if it had been submitted properly or provide the consumer with specific instructions to submit the request or address any deficiencies in the request that had been submitted. The business may not simply ignore the request.
    • Responding to Requests to Know. The CCPA requires businesses to respond to consumer requests to know within 45 days (with a possible extension to 90 days if the consumer is notified of the delay). The proposed regulations add a requirement that businesses must confirm receipt of consumers' requests to know or delete within 10 days, and must include in such confirmation a description of the business's verification process and an estimate of when the consumer should expect to receive a substantive response. If a business is not able to verify the identity of the person making a request for specific pieces of personal information, it must not disclose any specific personal information to the requestor and must inform him or her that it was unable to verify his/her identity. In addition, in provisions that are welcome for businesses concerned about the risk of a data security breach in disclosing specific pieces of information upon request, the proposed regulations place several restrictions and conditions on the disclosure of personal information in response to such a request. A business may never respond by providing Social Security numbers, driver's license or other government-issued identification numbers, financial account numbers, health or medical identification numbers, account passwords or security questions and answers, or provide any other personal information where doing so would create a risk to the security of the information or the business's systems or networks.
    • Responding to Requests to Delete. The proposed regulations mandate specific types of methods to delete personal information when a business agrees to a consumer's request to delete. Businesses may use one of three methods of deletion: (i) complete erasure of personal information from the business's information systems (other than archives or back-up systems), (ii) de-identification of the information, or (iii) aggregation of the information (as defined in the CCPA). Businesses' responses must specify the manner of deletion and explain that the business will maintain a record of the request, including the personal information contained in the request.
    • Service Provider Obligations. Although service providers that are not also "businesses" under the CCPA generally do not have direct obligations under the law (but are bound by the service provider contracts they enter into with businesses), the proposed regulations impose certain requirements on service providers. First, a service provider may not use personal information obtained from or on behalf of one business (or directly from a consumer) for the purposes of any other business. Second, if a service provider receives directly from a consumer a request to know or to delete, it may comply, or, if it chooses to deny the request, it must explain the basis for the denial and inform the consumer that he or she should submit the request directly to the business on whose behalf the service provider processed the consumer's personal information.
  • Verification of Consumer Requests. While the CCPA requires businesses to verify the identity of consumers who submit requests to know or to delete, it does not prescribe methods for such verification. Nor do the proposed rules, but they do prohibit any verification method that is not reasonably based on several risk-indicative factors, including, for example, the type, sensitivity, and value of the personal information collected, the potential for unauthorized access to or deletion of such information, the likelihood that malicious actors may seek to access or obtain such information, and the manner in which the business interacts with consumers. A business that faces heightened risk in any of these areas should implement more stringent verification processes. Businesses are encouraged to avoid requesting additional information from consumers as part of any verification process. In the event, however, that a business requires and obtains additional information, it may use that information only for identity verification, security, or fraud-prevention purposes and must delete the information as soon as practicable upon processing of the consumer's request.
  • Data Collection from Minors. The proposed regulations implement special rules regarding data collection from minors, including with respect to the processes that should be followed to ensure that consent is obtained from a minor's parent or guardian (rather than an unauthorized person), documentation of such processes, and certain disclosures that must be provided in connection with the offering of goods and services to minors.

Interpreting and implementing the CCPA's requirements will be an ongoing challenge for many businesses, even with the clarification provided by some aspects of the recent amendments and proposed rules. A meaningful understanding of the purpose and value of data privacy regulation, coupled with sensitivity to consumer expectations, will help businesses considerably in finding their way toward compliance with the CCPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
