Recently, the California Attorney General’s Office (“AG”) issued two sets of modifications to the regulations that are meant to govern application and enforcement of the California Consumer Privacy Act of 2018 (“CCPA”). An original set of proposed regulations was issued in October 2019. A second set was issued on February 7, 2020 and then a third set was issued on March 11, 2020. These new modifications were intended to reduce confusion and uncertainty, but the regulations have offered only limited clarity and, with respect to some issues, have created more confusion. See here for links to PDF versions of the three sets of proposed regulations.
A good example of the confusion involves the proposed definition of “personal information.” Industry groups have been pushing for a more restrictive definition of personal information that would apply only to personally identifiable information, that is, information that could be linked to and identify a particular consumer by name, home address or some other unique characteristic. Tech companies and online platforms want IP addresses to be excluded from the definition of “personal information” because IP addresses are often not linked in a manner that can personally identify users. Consumer IP addresses are extensively and routinely collected by, for example, cookies and programs that deliver targeted advertising.
The original 2019 regulations did not provide
a definition of “personal information” that excluded IP addresses.
However, the February 7, 2020 modifications gave the business groups what they
wanted. Indeed, the proposed regulations added §999.302 which specifically
stated that an IP address was not “personal information” if the IP
address was not linked “… to any particular consumer or household, and
could not reasonably link the IP address with a particular consumer or
household.” However, in the March 11, 2020 publication, the entirety of
§999.302 was removed. So, back to square one with respect to IP addresses.
Similar types of confusion have been created with respect to the definition of
“financial incentives,” the design of the “opt-out button”
(now removed entirely) and other issues.
Those examples aside, the new proposed
regulations do offer some clarifications. Here is a quick summary of the more
important features of the revised regulations:
Employment-Related
The California AG’s Office is interpreting the
CCPA to apply to personal information collected on employees and from job
applicants. This was clear in the 2019 proposed regulations.
The modified regulations add and clarify definitions to provide guidance on how to give notice to employees when an employer is collecting information for purposes of administering employment benefit plans. The new regulations make it clear that such collection is considered a “business purpose,” that notice must be given, and that the notice given to employees must identify this business purpose. Additionally, notices provided to employees and job applicants do not need to include the link or web address titled “Do Not Sell My Personal Information” or “Do Not Sell My Info,” and employers do not need to link to the business’s privacy policy. §999.305(f).
Reasonable Web Accessibility
The 2019 proposed regulations made it clear
that businesses collecting consumer data were required to be compliant with
current standards on website accessibility. The new proposed regulations soften
this requirement slightly by mandating that the notices and consent forms must
be REASONABLY accessible to consumers with disabilities. See §999.305(a);
999.306(a); 999.307(a), etc.
Telephone Calls and In-Person Collection of Data
The AG’s Office is interpreting the CCPA to
apply to consumer data collected via in-person interactions and during phone
calls. The 2019 proposed regulations made it clear that notices must be given
and consent must be obtained to collect such information during these types of
interactions. With respect to telephone communications, the new regulations
clarify that such notices/consents can be given/obtained orally.
§999.305(a)(4). For person-to-person interactions, the new regulations state
that a business may be required to give in-person consumers reasonable methods
of requesting information about what data has been collected and the business
purposes for which the information is being collected. Examples given in the
regulations include providing a printed paper form to complete or an in-store
tablet or other device that links to an online request page. §999.312(c). The
permissiveness of the language from §999.312(c) is another example of the legal
confusion created by regulations that are supposed to offer clarity.
Change in Use and the Need for New Notices and Consent
The 2019 proposed regulations made it clear
that a business could not use personal information that was collected for any
“business purpose” that was not identified in the original notice and
consent. If the business purpose — the use — of the information changed, then
a new notice and a new consent was required. The modified regulations soften
this slightly so that a change in business purpose must be “materially
different.” This may sound helpful, but “materially different” is not
defined. This change actually creates more legal uncertainty than it resolves.
§999.305(a)(5).
Mobile Devices
The new modified regulations are helpful with
respect to mobile devices. The new proposed regulations take a common sense
approach to the unique features of such devices and how they are used in the
real world. Generally speaking, linking to web pages is not required, but
notices and/or consents can be resident on the mobile device or accessed via
the relevant app. For example, the regulations now state that “[w]hen a business
collects personal information through a mobile application, it may provide a
link to the notice on the mobile application’s download page and within the
application, such as through the application’s settings menu.”
§999.305(a)(3). As another example, a “pop-up” notice can be provided
when a business “collects personal information from a consumer’s mobile
device for a purpose that the consumer would not reasonably expect…”
§999.305(a)(3); 999.306(b). The example provided is a mobile flashlight app that, for some reason, collects geolocation information on the user. A pop-up notice and consent can be given/obtained at the time of attempted use.
Opt-Out Must be Easy
The CCPA gives consumers the right to
“opt-out” of having their personal information collected and sold.
Businesses must provide an opt-out notice AND an easy-to-use opt-out mechanism
like an opt-out button to swipe or click. However, as noted, the model opt-out
button that was provided in the February 2020 revised regulations was removed
in the March version. Thus, there are significant debates about what is
“easy.” Be that as it may, the March 2020 proposed regulations
specifically require that a business’s method for allowing opt-out “shall
be easy for consumers to execute and shall require minimal steps…”
Furthermore, businesses are barred from using any method that is designed with
the purpose or “has the substantial effect of” subverting, preventing
or impairing a consumer from making an opt-out choice. §999.315(c).
Failure to Provide Opt-Out Notice Means Any Collected Data Cannot be Sold
The new draft regulations also clarify what
happens if opt-out notices and easy opt-out mechanisms are not provided: Any
information collected during a time when the opt-out options are not available/posted
cannot be sold/shared absent a later-obtained authorization. This is a
significant modification. In the 2019 proposed regulations, under such
circumstances, a consumer was automatically deemed to have opted-out.
§999.306(e).
Information Related to Minors
The 2019 proposed regulations caused great
concern with respect to information and data that is collected with respect to
minors. It is nearly impossible to verify age for online consumers. The newly
modified regulations clarify that, for all aspects, the business must have
“actual knowledge” that it is selling and sharing information related
to minors. §999.330; §999.331. In addition, the new regulations now clarify that the rules with respect to data on minors apply to the “selling” of data, not to the mere collecting and maintaining of such data. For example, the 2019 version of §999.330(a) stated, in part, that “[a] business that has actual knowledge that it collects or maintains the personal information of children under the age of 13 shall establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.” In the new regulations, the words “collects or maintains” have been changed to “sells.” See also §999.331(a).
Need for Toll-Free Number
According to the new proposed regulations, a
purely online business that has direct relationships with its customers does
not need to provide a toll-free number for consumer requests to know what
information has been collected; an email address is sufficient for such a
business. All other businesses must have two methods of making a “Right to
Know” request. §999.312(a).
A few other notable changes/additions include:
- Privacy policies no longer need to link: Businesses must identify the categories of personal information collected and business uses, but linking to each is no longer required for privacy policies; §999.308
- Biometric data is added to the list of data that cannot be disclosed in response to a consumer “Right to Know” request
- Business days, not calendar days: Various deadlines in the CCPA are to be calculated based on business days, not calendar days; §999.313
- Website interactive requirement removed: With respect to a consumer “Right to Know” request, businesses no longer need to have an interactive webpage or form; §999.312
- No fees can be charged for a consumer “Right to Know” request; §999.323
- Reimbursement of expenses: Any requirement for a consumer “Right to Know” request that results in an expense to the consumer (such as obtaining a notarized affidavit) must be reimbursed by the business; §999.323
- User-enabled global privacy software and plugins are sufficient without more: “Opt-out” is considered the “default” where any user-enabled consumer privacy software or plugin has been enabled; there is no need for a separate explicit opt-out statement from a consumer running such a privacy program or plugin; §999.315(d)
- Deleting household information is now nearly impossible: To respond to a request to delete “household” data and information, a business must now verify that all members of the household are requesting deletion and that each person requesting the deletion is currently a member of the household; this effectively prevents deletion of household information; §999.318
The AG’s Office is scheduled to finalize the CCPA regulations by June 1, 2020. If you have questions about the CCPA, about the new proposed regulations, or about internet privacy in general, contact the data privacy and internet lawyers at Revision Legal at 231-714-0100.