On February 7, 2020, the California Attorney General released its revised draft implementing regulations for the California Consumer Privacy Act. The revised regulations are not yet final. The California AG will accept written comments regarding the updated regulations until 5:00 pm (PST) on Tuesday, February 25, 2020.

The following is a high-level overview of the key new requirements under the updated regulations that are important for businesses to consider in connection with their CCPA compliance efforts.

Definitions

The revised regulations include the following noteworthy CCPA definition updates:

  • Examples of “categories of sources” and “categories of third parties” have been included and these definitions have been updated to clarify that the categories of sources and categories of third parties must be described with enough particularity to provide consumers with a meaningful understanding of the type of person / entity / third party.
  • Clarity has been added to the definition of “household” to specify that household means individual(s) who i) live at the same address, ii) share a common device or service provided by the business, and iii) are identified by the business as sharing an account/unique identifier.

Service providers

Under the revised regulations, a service provider’s use of personal information has been expanded such that it would be acceptable (i.e., not a “sale”) for a service provider to use personal information to build or improve the quality of the service provider’s services, provided that such use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. In addition, under the revised regulations, service providers in receipt of requests to know or requests to delete directly from consumers are no longer required to instruct those consumers to submit their requests to the business, and instead are permitted to respond directly to consumers.

Obligations related to “selling” personal information

The revised regulations include the following updates with respect to the “sale” of personal information:

  • Businesses have 15 business days to comply with a consumer’s exercise of the right to opt-out.
  • The requirement that businesses notify third parties to whom they sold consumers’ personal information within 90 days is removed. Instead, if a business sells personal information to a third party after the consumer submitted his or her request, but before the business has complied with such request, the business must notify those third parties of the consumer’s exercise of the right to opt-out and direct those third parties not to sell the personal information.
  • The updated regulations state that the opt-out process for consumers should be intuitive and require minimal steps for consumers to opt-out. Further, the opt-out process should require consumers affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.
  • The placeholder in the previous version of the regulations for an example “do not sell” button has been updated to include the following optional opt-out buttons:

Consumer requests

  • Requests to know. The revised regulations clarify circumstances when a business does not have to search for information in response to a request to know, namely: if the business does not maintain the personal information in a searchable format, maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it maintains that it did not search for because the aforementioned conditions were met.
  • Requests to delete. Under the revised regulations, a business would no longer need to i) specify the manner in which it deleted the personal information, or ii) treat an unverified request to delete as an exercise of the right to opt-out (instead, businesses must ask the consumer if they would like to opt out of the sale of the personal information).
  • Minors. Under the revised regulations, businesses have to establish a documented procedure for determining whether a person submitting a request to know or request to delete the personal information of a child under the age of 13 is the parent or guardian of the child.
  • Submitting requests. The previous requirement that businesses operating a website must provide an interactive webform for submitting requests to know has been eliminated. The revised regulations also state that businesses that operate exclusively online only need to maintain an email address for requests; however, the regulations still lack clarity on how businesses determine whether they “operate exclusively online.”
  • Timing. The revise regulations clarify that businesses have 10 business days to confirm receipt of a request to know or request to delete, and 45 calendar days to respond.

Notice

  • Generally. Previous notice-at-collection obligations required disclosure of the business or commercial purposes of use for each category of personal information. The “for each category” reference has been removed such that it appears sufficient to list the business or commercial purposes for using all of the categories of personal information, not each one individually.
  • Employee privacy notices. The revised regulations clarify employee / job candidate notices do not need to include a “Do Not Sell My Info/Information” link. In addition, rather than linking to the more detailed disclosures in the business’ privacy policy for consumers, employee privacy notices may include a link to the business’ general employee / job candidate privacy policy.
  • Mobile technology. The revised regulations state that if a business collects information from a mobile application, it may provide a link to its privacy policy within the application. However, if the application collects information that the consumer would not reasonably expect, the business must provide a just-in-time notice that explains the collection and links to the broader privacy policy, such as through a pop-up window when the consumer opens the application, which contains the required disclosure content.
  • Phone / In-person notices. The updates to the regulations provide that when a business collects personal information over the telephone or in person, it may provide the notice orally.
  • Disabilities. Under the revised regulations, accessibility to notices for individuals with disabilities will be governed by generally recognized industry standards, such as the Web Content Accessibility Guidelines.

Privacy policy requirements

The revised regulations require privacy policies to provide instructions on how a consumer can designate an authorized agent to make a CCPA request on the consumer’s behalf.

A link to a redlined version of the revised regulations (updated February 10, 2020) is available here. We will continue to monitor updates to the draft implementing regulations and how these updates impact businesses and their CCPA compliance efforts. For more information, please contact any of the authors listed below.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Amy de La Lama has assisted a wide array of companies in addressing legal issues related to global privacy and data collection, data security, information technology and related restrictions on data collection and movement.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Brandon Moseberry advises global consumer, information technology, manufacturing, medical device, and financial institutions, among other clients, on a wide range of global data privacy, cybersecurity, direct marketing, social media, behavioral advertising, and related matters.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Write A Comment