Sunday, February 9, 2020

First Take: Summary of Revisions to the CCPA Regulations

On Friday afternoon, and without advanced notice, the California Department of Justice released changes to the California Consumer Privacy Act (CCPA) regulations that will affect how companies all over the world attempt to comply with the CCPA.

Background

Before describing the changes, let's remember how we got here.  The CCPA began as a ballot initiative funded by a wealthy real estate developer.  The ballot measure was so popular that it was certain to pass in the 2018 election, so the California legislature struck a deal with the proponents to make it a statute immediately (which made it easier for the legislature to amend).  It was amended once in 2018 and several times in September 2019.

The law became effective on January 1, 2020. When the CCPA was enacted back in June 2018, it delegated certain rulemaking responsibility to the California Department of Justice, led by the Attorney General.  After fifteen long months--and painfully close to the CCPA's effective date of January 1, 2020 the Attorney General released proposed regulations on October 10, 2019.  Because the Attorney General waited so long to publish regulations, the statute says that the California Department of Justice cannot begin enforcing the law until six months following its effective date--July 1, 2020.  The Attorney General has said, however, that companies are expected to comply on January 1, 2020, and enforcement actions after July 1 might relate to activities taken between January 1, 2020 and July 1, 2020.

CCPA Opt out button image from CCPA Regs
The new, standard CCPA opt-out button
When the regulations we first released on October 10, 2020, there was a public comment period, and many interested people, companies, and groups commented on the proposal.  Many pointed out that the regulations created new burdens not found in the statute, failed to clarify many ambiguities in the statute, and introduced new ambiguities.  The Attorney General, however, said in December that there would be no major changes to the regulations, despite the voluminous comments and criticisms. 

In response to the comment letters, and to clarify certain ambiguities in the regulations, the Department of Justice revised the regulations on Friday, February 7, 2020.  Despite the Attorney General's statement, hardly a paragraph of the original regulations is left intact; all 32 pages of the revisions show significant changes.

The Changes

Many of the changes are merely clarifying edits and do not signal substantive policy changes.  While it will take time to digest and understand the effects of the changes, my quick, initial summary of the more salient changes are listed below:

  • The disclosure of the categories of sources of personal information will be more specific than the three categories originally described. Several additional examples are provided: advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks.  Businesses will need to revise their public-facing privacy policy statements and disclosures in response.
  • New provisions addressing employee data are included. The term "employment-related information" is added.  Disclosures can be hyperlinked. 
  • More specific instructions for handling household requests are included.  Companies will need to revise their procedures to address this. 
  • The definition of "personal information" is to be interpreted slightly less broadly than some have thought.  For example, even though the statutory definition includes IP addresses, all IP addresses will not be considered personal information.  A consumer's IP address is only considered personal information if it can be linked to the consumer or household. 
  • The WCAG 2.1 (not 2.0!) accessibility standards are incorporated by reference. 
  • The "notice at collection" may be oral.
  • Non-intuitive collection via a mobile device will require a "just-in-time" notice, such as a pop-up window.
  • Businesses may use personal information for additional purposes if they are not "materially different" from the purposes previously disclosed.  This gives businesses a little more flexibility to adjust to new use cases than the previous language.
  • It appears that purposes need not be disclosed for each category of personal information, as originally required.  (Many companies may not need to describe purposes in the granular detail found in privacy policy statements published on January 1.)
  • Companies that collect consumer personal information only indirectly can avoid the notice of collection if they register as data brokers with the California Attorney General. All of the implications of this change are unclear to me at this point, but this could be very significant.
  • Mobile apps can use hyperlinks to privacy policy statements. 
  • A description of the process for authorized agents to demonstrate authority is no longer required to be included in the notice of opt-out rights.
  • The privacy policy statement URL is no longer required to be included in the notice of opt-out rights. 
  • Businesses do not need to commit to never sell personal information in the future in order to avoid opt-out notices, as was perhaps implied by the initial regulatory language.
  • A simple opt-out graphic is included for use in lieu of the hyperlink text for the opt-out mechanism.
  • Businesses must disclose the value of the consumer's data, explain how the financial incentive is related to the value of the consumer's data, when giving a notice of financial incentive.  Businesses will need to revise these notices to comply with the change.  This likely means loyalty and discount program terms and conditions need to include a dollar value for consumer data.  There are also new examples relating specifically to loyalty programs.
  •  Categories of sources of information, purposes for collection, and categories of third parties are no longer required to be disclosed separately for each category of personal information.  (The complex matrices and other highly-granular disclosures that some businesses have already released in response to the proposed regulations now seem unnecessary.  Those companies may want to make more general statements going forward.)
  • The requirement to affirmatively state whether data has been sold in the prior 12 months is removed.
  • The categories of third parties to whom personal information is sold must be disclosed separately for each category of personal information.  
  • Verification processes must be disclosed generally, not specifically, in the notice at collection.
  • The right to opt-out disclosure must state whether or not the company sells personal information.
  • Online-only, direct-to-consumer businesses can limit consumer requests to email; all others must offer two or more options.  The webform is no longer mandatory if a business has a website. 
  • The requirement to accept consumer requests to know and requests to delete via an additional method based on how the business interacts with consumers is now recommended but not mandatory.  
  • Confirmation must be sent within 10 business days, not calendar days.
  • If a business cannot verify identity within 45 days of receiving a request, the business may deny the request.
  • Businesses need not search for personal information if four criteria are met (this will be rare).
  • Business may not disclose certain biometric data in response to a request to know.
  • A response to a request for categories of personal information must include additional information.
  • If identity cannot be verified, a business must ask if the consumer wishes to opt out of the sale of their personal information (for which verification is not required).
  • A business does not have to describe how it deleted the consumer's data pursuant to a deletion request, but must state whether or not it has done so.
  • The revisions say that a business may tell a consumer that it is retaining a record of a deletion request "to ensure the personal information remains deleted from the business's records."  (While re-introduction of data through automated data syncs and dumps is a legitimate concerns, I worry that such a statement could lead a consumer to think that a business has a duty to avoid collecting the consumer's data in the future, or to periodically purge the data in the future.)
  • If prohibited from fulfilling a deletion request by law, the business must now explain the legal conflict. (!)
  • Several changes to the constraints placed on service providers are present, including the ability of service providers to use personal information to improve their own services.  (This was important, especially for AI providers.)
  • It must be "easy" to opt-out and involve "minimal steps." 
  • Additional expectations are set regarding the honoring of browsers' privacy settings and the "opt out" signal.  It is still unclear how this will work in the real world.
  • An authorized agent must have written authority that is signed by the consumer, and the business can require the consumer to confirm directly to the business that the authorized agent has permisison to do so.
  • Statistical disclosure is due on July 1 of each calendar year, for businesses that meet the threshold requirements for reporting.  (I believe July 1, 2021 will be the first reporting deadline.)
  • Household requests require verification of all household members.  (This seems likely to cause most businesses to treat household requests as multiple individual requests, for practical operational purposes.)
  • Verification cannot involve a fee payable by the consumer, even if payable to a third party.  Businesses cannot require notarization for verification unless the business pays for the notarization.  (Some businesses will need to revise their verification processes.)
  • Requests must be denied unless verified in accordance with the regulations (businesses seem to have no discretion). 
  • Authorized agents must use reasonable security procedures and cannot use a consumer's data for additional purposes.
  • Businesses must establish a method to verify that a parent acting on behalf of a child under 13 is the parent (or guradian).
  • If the value of consumer data cannot be calculated or does not relate to the value of a financial incentive, the financial incentive cannot be forfeited in response to a request to delete (unless the incentive is required by federal law).  The value of consumer data can be calculated based on the value to all individuals, not just the business's consumers.  The "typical consumer" concept is removed.
Again, this is just a quick summary after an initial reading of the revisions.  As I (and others) continue to scrutinize the revisions, better understandings and additional insights are likely to emerge, so please stay tuned.

What's Next?

The revisions to the regulation trigger an additional 15 day public comment period, which ends on February 24.  Following the comment period, the Department of Justice will submit the final text to the California Office of Administrative Law, which has 30 business days to review the regulations before they will go into effect.  In other words, the earliest date that the regulations could become effective is early April.  The latest date I can imagine them becoming effective is July 1, when the Department of Justice begins bringing enforcement actions against companies for violations.

If you would like to read the revised regulations for yourself, you can find them here. The notice is here.


1 comment: