The California Attorney General’s Office issued a revised set of regulations for the California Consumer Privacy Act (CCPA) on February 10, 2020, correcting an omission from the February 7, 2020 version. The changes are mostly clarifications, but some revised rules relating to consumer requests may require changes or updates to compliance procedures implemented before the law’s effective date of January 1, 2020. Below is a summary.
Are changes required to online privacy policies?
Probably not. A key feature of the initial draft was the requirement to tie the source of collection, purpose for use, and disclosure to third parties to each of the identified Personal Information (PI) categories in the CCPA. This led to disclosures in a chart format with separate columns for (1) the category of PI, (2) the source(s), (3) the purpose(s) of use, and (4) the category of third party to whom PI was disclosed/sold.
The revised regulations require only that the categories of PI disclosed/sold be tied to the category of third party to whom the PI was disclosed/sold, thus eliminating the need to tie the sources and purposes of use to each category. But leaving those disclosures would not be inconsistent with the revised requirements in the regulations and may even be helpful at the time of responding to a request to know the categories of PI collected. So, changes are not strictly necessary.
Are changes required to consumer request procedures?
Maybe. Many changes further clarify already established procedures. However, the changes relating to responding to requests for deletion, requests to know the categories of PI, and requests to opt-out may require changes to procedures, as described below.
Timing. The regulations clarify that the confirmation of receipt is due 10 business days from receipt of the request and the full response is due 45 calendar days from receipt of the request.
Deletion. Several changes were made regarding requests for deletion. First, the two-step process for deletion – whereby the consumer would first request, then confirm the request before deletion – is now permissive instead of mandatory. The practical effect is that if a business is willing and able to honor a request for deletion (for an email address from a marketing list, for example) it can do so without requesting a separate confirmation of the request.
Second, a business no longer needs to communicate how it complied with the request (as in whether it erased, deidentified, or aggregated the PI). Instead, the business must simply inform the consumer whether or not it complied with the request.
Third, whereas before a business had to convert a request for deletion to a request to opt-out of sale if the business could not verify the individual’s identity, it is now required only to offer that option to the consumer. Presumably, if the business does not sell PI, it does not have to act on requests for deletion for which it cannot verify the consumer’s identity.
Last, the revised regulations clarify that a business may keep a record of requests for deletion to ensure the PI remains deleted from the business’s records.
Access or Request to Know Specific Pieces of PI. In responding to a request for access, a business does not have to search for PI if: (a) the business does not maintain the PI in a searchable or reasonably accessible format; (b) the business maintains the PI solely for legal or compliance purposes; (c) the business does not sell PI and does not use it for any commercial purpose; and (d) the business describes to the consumer the categories of records that may contain PI it did not search because it meets these conditions. This differs from the initial version of the regulations, which contained a vague standard allowing businesses to deny requests for access where there was a substantial, articulable, and unreasonable risk to the security of PI, the consumer’s account with the business, or the security of the business’s systems or networks. That standard was replaced with conditions (a)-(d) above.
The revised regulations also include “unique biometric data generated from measurements or technical analysis of human characteristics” in the list of data elements that cannot be disclosed in response to a request to know. The other data elements include social security, driver’s license, and government-issued identification numbers; financial account number; health insurance or medical identification number; account password; and security question and answer. This change brings the provision in line with the PI data elements in the California breach notification statute.
Requests to Know the Categories of PI. The manner of presenting information in response to this request was modified. Whereas before the information provided had to be tied to the category of PI, now the only linking required is between the categories of PI disclosed/sold and the categories of third parties to whom disclosed/sold. An explanatory chart follows.
October 2019 Draft Regulations | February 2020 Draft Regulations
For each identified category of PI: | The categories of PI collected in the preceding 12 months
The categories of sources | The categories of sources
The business or commercial purpose for collection | The business or commercial purpose for collection or sale
The categories of third parties to whom the business sold or disclosed PI | The categories of PI sold in the preceding 12 months, and for each, the category of third parties to whom sold
The business or commercial purpose for selling/disclosing PI | The categories of PI disclosed for a business purpose in the preceding 12 months, and for each, the category of third parties to whom disclosed
These modifications may require changes to the way information is presented to consumers in response to a request to know the categories of PI.
Requests to Opt Out of Sale. The rules no longer require businesses to communicate requests to opt out of sale to all those third parties to whom PI was sold in the prior 90 days. Instead, the requests must be communicated to the third parties to whom PI was sold after the consumer’s request was received but before it was acted upon.
Requests received by Service Providers. Service providers are no longer required to provide consumers with information on how to submit requests directly to the business on whose behalf the service provider processes the PI. Instead, a service provider that receives a request to know or to delete may either act on the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.
Do businesses still have to provide an online web form for consumers to submit requests?
The revised regulations provide that businesses operating exclusively online need provide only an email address for consumers to submit requests. This follows the CCPA’s text and eliminates a requirement in the earlier draft regulations for businesses with a website to offer a web form for submitting requests. A business that already offers a web form may continue to provide it in addition to the email address.
What changed in the regulations regarding service providers?
A major point of clarification in the October 2019 version of the draft regulations was the statement that service providers could collect PI on a business’s behalf. This clarification remains, but the revised regulations include limitations on what service providers can do with the PI. Specifically, a service provider is prohibited from retaining, using, or disclosing PI obtained while providing services except:
While the conditions outlined above are generally broad, they do impose limitations on service providers’ use of PI that are arguably stricter than the limitations in the statute itself. Recall that the statute allows service providers to use PI received from a business “for the specific purpose of performing the services specified in the contract [with the business] or as otherwise permitted by [the CCPA].” This last phrase was read to allow service providers to use PI for any business purpose enumerated in the statute, which included a list that was broader than the limitations in the revised regulations.
If a service provider is using client data for a business purpose other than building or improving the quality of its services or for detection of security incidents, fraud, or illegal activity, those processing activities merit further review to determine whether they comply with the limitations in the regulations.
What do the regulations say about employee data?
The revised regulations state, in the definitions, that the collection of employment-related information, including to administer employee benefits, is considered a business purpose. The revised regulations also clarify that, in terms of providing notice, a “Do Not Sell” link is not required in the employee notice and the notice may include a link to, or copy of, the business’s policy for job applicants, employees, or contractors, rather than the website privacy policy. These clarifications give businesses greater direction on providing notice to employees and comfort that handling employee data is consistent with the business purposes defined in the CCPA.
What other changes are helpful from a business’s perspective?
The revised CCPA regulations include several other changes that are helpful from a business perspective. They are:
What are the next steps for the regulations?
The comment period closes on February 25, 2020. A final draft is expected shortly thereafter. The final draft must then undergo review by the Office of Administrative Law before formal adoption by the Secretary of State. This process will take at least 30 working days after the final draft of the rules and supporting documentation are published.
If you have questions on the revised regulations, or the CCPA, please contact Camila Tobón at camila.tobon@dgslaw.com or 303-892-7467.