Recently, the California Attorney General's Office ("AG") issued two sets of modifications to the regulations that are meant to govern application and enforcement of the California Consumer Privacy Act of 2018 ("CCPA"). The original set of proposed regulations was issued in October 2019. A second set was issued on February 7, 2020, and a third set on March 11, 2020. The modifications were intended to reduce confusion and uncertainty. In practice, the regulations have offered only limited clarity and, on some issues, have created more confusion than they resolved. See here for links to PDF versions of the three sets of proposed regulations.
A good example of the confusion involves the proposed definition of "personal information." Industry groups have been pushing for a more restrictive definition that would apply only to personally identifiable information, that is, information that could be linked to and identify a particular consumer by name, home address or some other unique characteristic. Tech companies and online platforms want IP addresses excluded from the definition of "personal information" because IP addresses are often not linked to records in a way that personally identifies users. Consumer IP addresses are nonetheless collected extensively and routinely, for example by analytics tools and by systems that deliver targeted advertising.
The original 2019 regulations did not provide a definition of "personal information" that excluded IP addresses. However, the February 7, 2020 modifications gave the business groups what they wanted: the proposed regulations added §999.302, which specifically stated that an IP address was not "personal information" if the business did not link the IP address "… to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household." However, in the March 11, 2020 publication, §999.302 was removed in its entirety. So, with respect to IP addresses, it is back to square one. Similar confusion has been created with respect to the definition of "financial incentives," the design of the "opt-out button" (now removed entirely) and other issues.
Those examples aside, the new proposed regulations do offer some clarifications. Here is a quick summary of the more important features of the revised regulations:
The California AG's Office is interpreting the CCPA to apply to personal information collected on employees and from job applicants. This was already clear in the 2019 proposed regulations.
The modified regulations add and clarify definitions to provide guidance on how to give notice to employees when an employer is collecting information for purposes of administering employment benefit plans. The new regulations make clear that administering such plans is considered a "business purpose," that notice must be given, and that the notice given to employees must state this as a business purpose. Additionally, notices provided to employees and job applicants do not need to include the link or web address to the link titled "Do Not Sell My Personal Information" or "Do Not Sell My Info," and employers do not need to link to the business's consumer privacy policy. §999.305(f).
REASONABLE Web Accessibility
The 2019 proposed regulations made it clear that businesses collecting consumer data were required to comply with current standards on website accessibility. The new proposed regulations soften this requirement slightly by mandating that notices and consent forms be REASONABLY accessible to consumers with disabilities. See §999.305(a); §999.306(a); §999.307(a), etc.
Telephone Calls and In-Person Collection of Data
The AG's Office is interpreting the CCPA to apply to consumer data collected during in-person interactions and phone calls. The 2019 proposed regulations made it clear that notices must be given and consent must be obtained to collect such information during these types of interactions. With respect to telephone communications, the new regulations clarify that such notices and consents can be given and obtained orally. §999.305(a)(4). For in-person interactions, the new regulations state that a business may be required to give in-person consumers reasonable methods of requesting information about what data has been collected and the business purposes for which it is being collected. Examples given in the regulations include providing a printed paper form to complete, or an in-store tablet or other device that links to an online request page. §999.312(c). The permissiveness of the language in §999.312(c) is another example of the legal confusion created by regulations that are supposed to offer clarity.
Change in Use and the Need for New Notices and Consent
The 2019 proposed regulations made it clear that a business could not use personal information for any "business purpose" that was not identified in the original notice and consent. If the business purpose, that is, the use of the information, changed, then a new notice and a new consent were required. The modified regulations soften this slightly: a new notice and consent are required only if the business purpose is "materially different." This may sound helpful, but "materially different" is not defined, so the change creates more legal uncertainty than it resolves. §999.305(a)(5).
The new modified regulations are helpful with respect to mobile devices. The new proposed regulations take a common-sense approach to the unique features of such devices and how they are used in the real world. Generally speaking, linking to web pages is not required; notices and consents can instead be resident on the mobile device or accessed via the relevant app. For example, the regulations now state that "[w]hen a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application's download page and within the application, such as through the application's settings menu." §999.305(a)(3). As another example, a "pop-up" notice can be provided when a business "collects personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect…" §999.305(a)(3); §999.306(b). The example provided is a mobile flashlight app that, for some reason, collects geolocation information on the user. A pop-up notice and consent can be given and obtained at the time of attempted use.
Opt-Out Must be Easy
The CCPA gives consumers the right to "opt-out" of having their personal information collected and sold. Businesses must provide an opt-out notice AND an easy-to-use opt-out mechanism, such as an opt-out button to click or swipe. However, as noted, the model opt-out button provided in the February 2020 revised regulations was removed in the March version, so there is significant debate about what counts as "easy." Be that as it may, the March 2020 proposed regulations specifically require that a business's method for allowing opt-out "shall be easy for consumers to execute and shall require minimal steps…" Furthermore, businesses are barred from using any method that is designed with the purpose of, or "has the substantial effect of," subverting, preventing or impairing a consumer's choice to opt-out. §999.315(c).
Failure to Provide Opt-Out Notice Means Any Collected Data Cannot be Sold
The new draft regulations also clarify what happens if opt-out notices and easy opt-out mechanisms are not provided: any information collected during a period when the opt-out options are not available or posted cannot be sold or shared absent a later-obtained authorization. This is a significant modification. Under the 2019 proposed regulations, a consumer in such circumstances was automatically deemed to have opted-out. §999.306(e).
Information Related to Minors
The 2019 proposed regulations caused great concern with respect to information and data collected on minors, because it is nearly impossible to verify the age of online consumers. The newly modified regulations clarify that, in all respects, the business must have "actual knowledge" that it is selling or sharing information related to minors. §999.330; §999.331. In addition, the new regulations now clarify that the rules on data about minors apply to the "selling" of data, not to the mere collecting and maintaining of such data. For example, the 2019 version of §999.330(a) stated, in part, that "[a] business that has actual knowledge that it collects or maintains the personal information of children under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child." In the new regulations, the words "collects or maintains" have been changed to "sells." See also §999.331(a).
Need for Toll-Free Number
According to the new proposed regulations, a business that operates exclusively online and has a direct relationship with its consumers does not need to provide a toll-free number for consumer requests to know what information has been collected; an email address is sufficient for such a business. All other businesses must offer two methods of making a "Right to Know" request. §999.312(a).
A few other notable changes/additions include:
- Privacy policies no longer need to link: Businesses must still identify the categories of personal information collected and the business uses of each, but privacy policies are no longer required to link to each; §999.308
- Biometric data is added to the list of data that cannot be disclosed in response to a consumer “Right to Know” request
- Business days, not calendar days: Certain deadlines in the CCPA regulations are now calculated in business days rather than calendar days; §999.313
- Website interactive requirement removed: With respect to a consumer “Right to Know” request, businesses no longer need to have an interactive webpage or form; §999.312
- No fees can be charged for a consumer “Right to Know” request; §999.323
- Reimbursement of expenses: Any requirement for a consumer “Right to Know” request that results in an expense to the consumer (such as obtaining a notarized affidavit) must be reimbursed by the business; §999.323
- User-enabled global privacy software and plugins are sufficient without more: Where a consumer has enabled user-enabled privacy software or a browser plugin that signals an opt-out, the business must treat that signal as a valid opt-out request; no separate, explicit opt-out statement from the consumer is required; §999.315(d)
- Deleting household information is now nearly impossible: To respond to a request to delete "household" data, a business must now verify that all members of the household are requesting deletion and that each person making the request is currently a member of the household; in practice this makes deletion of household information very difficult; §999.318
The AG’s Office is scheduled to finalize the CCPA regulations by June 1, 2020. If you have questions about the CCPA, about the new proposed regulations, or about internet privacy in general, contact the data privacy and internet lawyers at Revision Legal at 231-714-0100.