On Friday, February 7, 2020, California’s Attorney General’s Office released revisions to the proposed regulations (the “Modified Draft Regulations”) for the California Consumer Privacy Act (“CCPA”). The CCPA is a first-in-the-nation comprehensive data privacy law that gives consumers rights to access and delete their personal information and to opt out of the sale of their personal information. The CCPA also requires businesses to make certain disclosures and operational changes regarding how they collect, use, and share personal information. The Modified Draft Regulations update the draft regulations originally proposed by the Attorney General in October 2019 (the “Original Draft Regulations”).
The Modified Draft Regulations contain important revisions to the Original Draft Regulations that clients should be aware of. We highlight some key provisions below. Among other changes, the Modified Draft Regulations:
- Clarify the scope of the CCPA’s definition of “Personal Information.”
- Provide guidelines for businesses to follow in making their disclaimers accessible to persons with disabilities.
- Specify on what webpages the CCPA-required “Notice at Collection of Personal Information” must be displayed, and provide further guidance for mobile apps that collect a consumer’s personal information.
- Provide a design for an “opt out” button for the “Do Not Sell My Info” link required by the CCPA.
- Eliminate the 90-day look-back period for notifying third parties when a consumer opts out from the sale of their personal information.
- Require businesses to ask users who request to have their personal information deleted if they would also like to opt out from the sale of their personal information.
- Create an exception to the “Right to Know” for certain information maintained by businesses in non-searchable databases and that is collected only for legal compliance purposes.
More detail on these revisions follows below.
Guidance on the Definition of Personal Information
The definition of “Personal Information” is notably broad in the CCPA, so any additional guidance is welcomed. The statute explains that “Personal Information” is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o). The statute then enumerates several types of information that may constitute personal information, such as IP addresses, browsing history, personal identifiers, and more. But ambiguities abound. One of these is addressed by the Modified Draft Regulations, which confirm that the enumerated types of information only constitute personal information if they can be linked to a particular consumer or household. “For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” Modified Draft Regulations 999.302(a). This is similar to the position the Article 29 Working Party took on this question under the EU Privacy Directive. See Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 21, adopted on Nov. 21, 2000.
Accessibility for Consumers with Disabilities
This requirement mirrors the European Commission’s implementation standards for the EU’s Web Accessibility Directive, which imposes accessibility requirements on public-sector websites and apps. The implementation standards create a presumption of compliance with the Web Accessibility Directive for websites and apps that comply with the Web Content Accessibility Guidelines.
Notice at Collection of Personal Information
The Modified Draft Regulations, 999.305(a)(3)-(4), make three notable changes to the requirement that businesses display consumers a notice before they collect personal information.
First, for websites, the Original Draft Regulations specified that a business must “conspicuously post” the notice on the website homepage or on all webpages where personal information is collected. The Modified Draft Regulations change this requirement such that a link to the notice must be conspicuously posted on the homepage and on all webpages where personal information is collected.
Second, the Modified Draft Regulations provide guidance concerning mobile applications. Apps may satisfy the notice requirement by providing a link to the notice “on the download page and within the applications, such as through the application’s setting menu.”
Third, the Modified Draft Regulations contain a heightened requirement for apps that collect personal information from a consumer’s mobile device “for a purpose that the consumer would not reasonably expect.” Such apps must “provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.” To illustrate how this requirement would apply in practice, the Modified Draft Regulations draw from the now-infamous example of flashlight apps that collected location information, calendar information, mobile identifiers, and more to share that information with advertising networks. “[I]f the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application . . . .”
The Right to Opt Out
The Modified Draft Regulations contain three notable changes regarding how businesses must effectuate consumers’ right to opt out of the sale of their personal information.
First, they introduce an “Opt-Out Button” that may be included next to the text “Do Not Sell My Personal Information” or “Do Not Sell My Info.”
Second, the Modified Draft Regulations relax a potentially onerous burden imposed on businesses by the Original Draft Regulations. When a consumer opts out, the prior draft regulations required a business to notify all third parties to whom it had sold the consumer’s personal information in the 90 days preceding the consumer’s request, and to instruct those third parties not to further sell the consumer’s personal information. The Modified Draft Regulations eliminate this 90-day lookback period and instead require businesses only to notify third parties to whom it sold the consumer’s personal information after the consumer submitted a request to opt out but before the business was able to comply with the request.
Third, the Modified Draft Regulations require businesses that sell personal information to ask a user that submits a request to delete personal information if the consumer would also like to opt out of the sale of their personal information. In responding to a consumer’s request to delete information, the business must specifically “ask the consumer if they would like to opt out of the sale of their personal information and . . . include either the contents of, or a link to, the notice of right to opt-out.” Modified Draft Regulations 999.313(d)(1).
The Right to Know
The CCPA gives consumer’s the “right to know” information about how a business collects, uses, and shares their personal information. The new draft regulations create a narrow exception for personal information maintained by businesses for legal or compliance purposes that is stored in non-searchable databases.
“In responding to a request to know, a business is not required to search for personal information if all the following conditions are met:
- The business does not maintain the personal information in a searchable or reasonably accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.”