CCPA Update: Attorney General Proposes Modified Draft Regulations
On February 7th, the California Attorney General released proposed modifications to the draft regulations under the CCPA (California Consumer Privacy Act).
These modifications propose a number of changes to the current regulations. Below is a recap of the modified provisions:
1. Service Providers: The modifications clarify that it would be acceptable (and thus, not a “sale”) for a service provider to use a business’s personal information to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.
These revisions to the law require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information.
2. Third Parties: The modifications no longer require a third party that purchases personal information to contact the consumer directly to provide notice and an opt-out. Nor is the third party required to contact the source and confirm that the source provided the required notice.
3. Loyalty Programs/Non-Discrimination: If a consumer informs the business that they would like to remain in a loyalty program but otherwise have the business delete their information, it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in and benefits from the loyalty program.
4. Personal Information: The modifications reinforce that whether information is “personal information” depends on how the business maintains the information, noting, for example, that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
This essentially means that if data collected technically could be considered personal information under the CCPA, but the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be personal information.
5. Notice at Point of Collection: The modifications clarify that a business may not use personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
· The categories of personal information collected
· The categories of sources from which it’s collected
· The business or commercial purpose for collecting or selling personal information
· The categories of third parties with whom the business shares personal information
· The categories of personal information the business sold in the past 12 months and, for each category, the categories of third parties to whom they sold it
· The categories of personal information disclosed for business purposes in the past 12 months and, for each category, the categories of third parties to whom they were disclosed
8. Consumer Rights Requests: The modifications would update how a business responds to consumer rights requests:
· Online-Only Businesses: If it has a direct relationship with the consumer, an online-only business need only provide an email address for submitting requests
· Timing: A business has 10 business days to confirm receipt of a request, and 45 calendar days to respond. If the business cannot verify the consumer’s identity within the 45 days, the business may deny the request.
In other words, the clock does not run indefinitely if the consumer has not verified his or her identity during the initial 45-day period.
· “Right to Know” Search Exceptions: A business does not need to search for personal information in response to a request if the business does not maintain the personal information in a searchable format, maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it holds that it did not search but which may contain the information. This provides some flexibility to avoid expensive searches for personal information, such as call recording or video footage collected by companies for security or legal compliance purposes.
· “Right to Know” Production Exceptions: The modifications struck the express exception preventing a business from providing specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks.
Instead, the modifications more generally state that a business may avoid producing specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based on an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.
· Deletion Denial/Opt-Out Notice: If the business denies a deletion request, it also must ask the consumer if she wants to opt out of the sale of her personal information (even if the consumer has not made the opt-out request), and include a link to the opt out.
· Deletion Compliance: Two-step confirmation of deletion requests is no longer required. In fulfilling a deletion request, the business does not need to specify the manner in which it deleted the personal information.
· No Fee for Verification: A business cannot require a consumer to pay a fee for the verification of a request to know or request to delete.
9. Do Not Sell Button: The modifications provide additional information about the voluntary use of the opt-out button. When the opt-out button is used, it should be the same size as the other buttons on the web page.
10. Opt-Out: A business has 15 business days to comply with an opt-out request. Significantly, the modifications provide that businesses will not need to notify all third parties to whom they sold the consumer’s data within the prior 90 days.
Instead, this obligation is limited to circumstances when the business sold personal information to third parties between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business shall direct the third-party purchasers not to further sell the data. In addition, the opt-out method must be easy for consumers to execute and require minimal steps to allow the consumer to opt-out. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
11. User-Enabled Privacy Controls: A privacy control developed in accordance with the regulations must clearly communicate that a consumer intends to opt out of the sale of her personal information. The privacy control must require that the consumer affirmatively select her choice to opt out and not be designed with pre-selected settings. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
13. Households: The modifications clarify that a household means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier. In terms of responding to “household” rights requests, if a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and delete relating to household information through the business’s existing business practices and in compliance with the regulations. If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to CCPA-mandated parental consent.
14. Employee Privacy Notice: Under the revised regulations, employee privacy notices do not need to contain links to the Do Not Sell option.
Original Article: Ad Law Access