Additional draft regulations were issued by the California Attorney General on February 7th and subsequently modified on February 10th. While a good number of revisions addressed syntax items or minor clarifications of previously enumerated regulations, a few of the revisions could have a significant impact from a compliance implementation perspective, including the following:
- Households: Definition expands and clarifies that a household includes individuals at the same address, who share a common device or service provided by the business, and are identified by the business as sharing the same group account or unique identifier. For households without a password-protected account able to be leveraged for verification purposes, businesses should not comply with requests to know or delete unless all of the following are met: (i) all consumers in the household jointly make the request, (ii) the business individually verifies same, and (iii) the business verifies each requestor is a current member of the household. Note, this is a deviation from the prior regulation which allowed for responding to unverified household requests to know or delete by providing aggregate household information.
- Mobile Applications: Notice for collection of personal information through a mobile device application may occur through a link to the notice on the application download page or within the application itself via application settings. A quick caveat: if the collection is beyond what a consumer would reasonably expect for use of a certain application, a ‘just-in-time’ notice, through something akin to a pop-up within the application detailing the required notices, is required. The example given in this instance is a flashlight application collecting consumer geolocation data.
- Notices: Notices regarding collection need to be made at or before the point of collection. The prior regulations contained more restrictive language for certain notice sections, requiring collection notices to be present before the time of collection, even though the prior definitions section included the ‘at or before’ language. Also note, the verbiage has been updated to ‘point at which’ as opposed to timing language. The distinction is important: it accommodates notices available spatially rather than requiring a more active pop-up attempting to engage with the consumer live at the exact time of collection, while also appearing to require the notice on any page where personal information may be collected. Notice provisions have been loosened slightly concerning use disclosures by employing ‘materially different’ language as opposed to a complete ban on any additional uses of personal information outside those specifically enumerated in the initial notice provision. This revision in particular should allow for more flexibility with notices as to substantially similar uses of personal information by a business. Also of note, regarding the ‘Do Not Sell My Info’ icon contemplated in the initial regulations, the icon may be used in conjunction with the ‘Do Not Sell My Info’ link, with the link still being required regardless of whether or not the icon is also posted. Generally, the revised regulations call for greater sensitivity to website accessibility for notices and privacy policies by following general industry standards outlined in the World Wide Web Consortium Web Content Accessibility Guidelines (v. 2.1, released June 2018), available here: https://www.w3.org/TR/2018/REC-WCAG21-20180605/.
- Requests to Know: Important to note for both requests to know and requests to delete: confirmation of receipt of the request may be given in the same manner as received, including requests made via telephone. For example, if a request is made to a call center, the call center can confirm the request during the phone call. Further, the revised regulations clarify that if verification is not possible within 45 days for either a request to know or request to delete, the business may deny the request. This confirms that businesses are not obligated to take the 45-day extension for verification purposes. Businesses operating exclusively online with a direct relationship with the consumer only need to provide an email address for submitting requests to know. The prior regulations required all businesses to have at least two submission mechanisms for requests to know. Additionally, businesses are not required to search for personal information in response to a request to know if all of the following conditions are met: (i) the personal information is not maintained in a searchable/accessible format, (ii) the personal information is maintained purely for legal or compliance purposes, (iii) the personal information is not sold or used for any commercial purpose, and (iv) the business describes the categories of records that may contain personal information but were not searched. Note, ‘categories of records’ remains undefined.
- Requests to Delete: See notes above impacting both requests to know and requests to delete. Unlike a request to know, all businesses must still provide at least two mechanisms for submitting a request to delete. Also, the regulations have been revised to allow for permissive rather than mandated use of a two-step process for deletion requests submitted online. Another elective change impacting requests to delete comes in the form of unverifiable deletion requests. For unverifiable requests for deletion where the consumer has not yet ‘opted-out’, the business “shall ask the consumer” if they would like to opt-out as distinct from the prior language, which mandated automatically treating all unverifiable deletion requests as opt-out requests.
- Requests to Opt-Out: The revisions incorporate a significant timing change concerning the ‘look-back’ period for compliance with an opt-out request. Whereas the prior version of the regulations mandated a ‘look-back’ of 90 days after receipt of the request to inform third-parties receiving the consumer’s personal information during that time of the opt-out, the revised regulations only require a ‘look-back’ for any third-parties receiving the consumer’s personal information between the date of the consumer’s request and the primary business’s compliance with same. Separately, the requirement that businesses inform the consumer of completion of notifying third-parties of the opt-out request has been stricken.
- Right to Non-Discrimination: Businesses unable to calculate a good-faith estimate of the value of a consumer’s personal information and the relation of same to an offering of an incentive, price, or service differential are explicitly prohibited from offering financial incentives, price, or service differentials based on one’s exercise or waiver of certain rights under CCPA.
- Service Providers: Additional detail is provided surrounding the obligations of service providers, including specific contract provisions describing use of personal information and an explicit prohibition on sale of consumer personal information where a consumer has opted-out. Service providers are also partially relieved of certain obligations for requests received directly from consumers. Whereas the prior regulations appeared to mandate providing the name of the correct business to contact (where feasible) to the requesting consumer, the revised regulations seem to offer status as a service provider as a valid basis for denying a CCPA request received directly from a consumer whose personal information resides with the service provider only in its capacity as a service provider and not as a business. In other words, responding with identification as a service provider is the alternative to acting on behalf of the business in response to a consumer request.
- Children/Minors: Ambiguity concerning minors between ages 13-16 is partially resolved by the revised regulations, particularly as impacting ‘opt-in’ requests. Parents or guardians may opt-in for consumers under 13. Minors between the ages of 13-16 may opt-in without parent or guardian authorization. Additionally, the revised regulations correctly designate the ‘opt-in’ as applying to sale of personal information as opposed to collection and maintenance of same; this designation is consistent with the statute as written. Separately, if a minor under the age of 13 is a member of a ‘household’, the business must obtain verifiable parental consent before complying with rights to access or delete household information under CCPA. The revised regulations also include an explicit documentation requirement for processes surrounding verification of parental/guardianship status for exercising CCPA rights on behalf of minor children under 13 years of age.
- Reporting Requirements: The revised regulations increased the consumer threshold for businesses buying/receiving personal information for sale or commercial purposes from 4 million to 10 million consumers within a calendar year as relating to triggers for additional reporting requirements. Businesses meeting this threshold remain subject to specified metrics reporting requirements above and beyond those contemplated for businesses not meeting these parameters.
Please note, these regulations are not yet final and the current comment period closes as of February 25th. The current draft regulations and other resources may be found here: https://oag.ca.gov/privacy/ccpa.