On February 7, 2020, California Attorney General Xavier Becerra released a second version of draft regulations implementing and interpreting the California Consumer Privacy Act (CCPA). The second iteration of the Attorney General's draft regulations contains numerous important changes from the initial draft, some of which are summarized below. One of the most disappointing aspects of the new draft, particularly for retailers, is that the AG seems to have doubled down on the requirement that businesses explain the method that they use for determining what "financial incentives" they offer consumers for the collection of their personal information (PI), such as through loyalty programs—a requirement that seems based on a misapprehension of how such programs actually work.
The most significant changes to the Attorney General's draft regulations include:
- Noting that whether information is "personal information," or PI, depends on whether the business maintains the information in a manner that identifies, relates to, or is reasonably capable of being associated with a particular consumer or household. For example, if a business collects the IP addresses of visitors to its website but does not link—and could not reasonably link—the IP address to any particular consumer or household, then the IP address would not be "personal information."
- Stating that a business, in collecting personal information through a mobile app for a purpose that the consumer would not reasonably expect, should provide a "just-in-time" notice at the point of collection summarizing the categories of PI that are being collected and providing a link to a full notice.
- Stating that in providing the "notice at collection" about what PI is collected about visitors to a website, a business may post a conspicuous link to the notice on the "introductory page" of the website and on each page where PI is collected. This could mean that a conspicuous link to the notice must be placed on each page of a website, to the extent that technical information constituting PI is collected from visitors to each page. The previous iteration of the draft regulations said a business could provide such a link either on the homepage or on each page where PI is collected.
- No longer requiring businesses to employ a two-step submission process for deletion requests.
- Listing certain circumstances under which a business does not have to search for personal information pursuant to a request to know.
- Stating that when a business cannot verify the identity of the person making a deletion request, the business must ask the person if she would like to opt-out of the sale of her personal information (rather than requiring that an unverified deletion request automatically be treated as an opt-out request, as per the original draft).
- Providing that a service provider may internally use PI received from another business "to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source." A service provider may also retain, use, or disclose such PI "[t]o detect security incidents, or protect against fraudulent or illegal activity."
- Removing the requirement that a business notify all third parties to which it sold a consumer's personal information in the 90 days preceding a consumer's opt-out request and instruct them not to sell the consumer's PI. Instead, a business now must only make such notifications and instructions to third parties to which it sold the consumer's personal information in the period following the consumer's submission of her or his request and before the business ceased selling the consumer's information.
- Removing the requirement that businesses that do not collect information directly from consumers but want to sell consumers' PI either contact consumers directly to provide notice about the consumers' right to opt-out, or obtain signed attestations from the source of the information that the source provided the requisite notices to consumers.
- Specifying that a business cannot require a consumer to pay a fee for the verification of a request to know or request to delete, and noting that this means a business may not require a consumer to provide a notarized affidavit unless the business compensates the consumer for the cost of notarization.
- Directing businesses not to provide specific pieces of personal information in response to a request to know if the business cannot verify a consumer’s identity pursuant to the regulations.
- Specifying businesses can deny deletion requests from consumers who want to remain in a business's loyalty program, to the extent any PI retained is necessary to the implementation of the program.
- Providing information about the "opt-out button" that websites can use to allow consumers to submit a request to opt-out of the sale of their PI.
- Specifying a business shall not sell PI it collected during the time it did not post a notice of the right to opt-out unless it obtains the affirmative authorization of the consumer. This change is particularly important for businesses that may have been late in implementing their full CCPA compliance plan.
Many businesses will be disappointed that numerous requirements that were introduced in the first iteration of the draft regulations were not removed or made less onerous. For example, the revised draft regulations retain the requirement that a business calculate the value of a consumer's personal information in connection with the offering of a financial incentive and explain how the financial incentive is reasonably related to the value of the consumer's data. This affects things like loyalty programs, discounts given to consumers who provide their email address or phone number, and lotteries, raffles, and other games designed in part to collect consumers' information. Additionally, the revised draft regulations maintain somewhat onerous record-keeping requirements.
The Attorney General's modified draft regulations will undergo another round of notice and comment. Businesses that want to submit comments on the modified draft regulations must do so by 5:00 p.m. PST on February 25, 2020. Businesses should continue to monitor for any additional changes to the draft regulations before they are finalized, likely this Spring, and for any additional guidance from the Attorney General.