California Attorney General Strikes and Redlines Again: New Changes to Proposed CCPA Regulations

by: Justine Gottshall and Tatyana Ruderman

Last week the California Attorney General published its latest modifications to its proposed regulations for the California Consumer Privacy Act, which went into effect January 1, 2020.

Below we review some of the key updates and highlight ongoing considerations on how to interpret this Act. Remember, however, that these Regs still are not final and more changes could be coming. The AG is also accepting written comments on the proposed changes until Tuesday, February 25, 2020 at 5:00pm.

Quick Highlights

• New Definition of “Household”: Narrows “household” to mean a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier occupying a single dwelling.

  • This new definition very much limits the circumstances in which a business would need to deal with a “household” and addresses some of the potential security risks to consumers that existed without the more narrow definition.

• More Guidance Interpreting What Becomes “Personal Information”: Attempts to clarify that whether something is personal information depends on whether the business maintains information in a manner linked to a particular consumer or household.

  • The issue of when an identifier or similar non-contact information is “personal information” for CCPA purposes remains a bit grey in many circumstances and the example provided by the AG does not fully clarify: “For example, if a business collects IP addresses of site visitors and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”

• Authorized Agents: The new changes help clarify that the privacy policy should provide instructions to the authorized agent on how they can act on a consumer’s behalf.

  • While this may at first glance seem to make it possible to execute a request without a consumer’s participation (such as if they are completely incapacitated), the regulations still allow a business to require that the consumer verify their own identity directly with the business and may also require that the consumer directly confirm with the business that they provided the authorized agent permission to submit the request. Thus, the concept of authorized agents seems to have little practical value, given how much the consumer likely must still interact with the business.

• “Just-In-Time” Notice for Collection from Mobile Device: Adds that when a business collects personal information from a mobile device for a purpose the consumer would not reasonably expect, it must provide a just-in-time summary of the categories of personal information being collected and a link to the full notice at collection. For example, if a weather app collects geolocation to provide an accurate weather report and also to geo-target advertisements, it needs to disclose that fact at the point of collection.

  • This addition essentially codifies prior regulatory guidance and existing best practices.

• What to Do When Using Information for New Purposes Not Previously Disclosed: Clarifies that if a business seeks to use a consumer’s previously collected personal information for a purpose materially different than previously disclosed, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for the new purpose.

  • While the clarification that this applies only to previously collected information and material changes is welcome, it seems to require notice and opt-in consent, which will likely change the way most companies provide notice and obtain a level of consent today.

• Introduces Design for Opt-Out Button: The recent modifications introduced an opt-out button that could be placed next to a business’s “Do Not Sell My Info” or “Do Not Sell My Personal Information” link.

  • This is particularly confusing and seems to run afoul of the AG’s own guidance: that a privacy control “shall clearly communicate or signal that a consumer intends to opt-out and . . . that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.” The proposed design is difficult to interpret (is the x opt-out? Opt-in to “do not sell?”) and appears to have a pre-selected option.

• Cannot Require Consumer to Pay for Verifying a Request: For example, the business cannot require a consumer to provide a notarized affidavit (unless it reimburses the cost). We believe the best choice in most circumstances is a signed declaration under penalty of perjury.

• Not Required to Confirm Deletion Requests: The AG removed the requirement to confirm a deletion request via email before executing it.

  • Most companies will want to consider continuing to do so, for verification and security purposes.

• Narrow Conditions under which Business is Not Required to Search for Personal Information when Responding to Access Request: The AG introduced a new provision seemingly to lift some of the burden on responding businesses. A business is not required to search when: (1) the personal information is not maintained in a searchable or reasonably accessible format; (2) it is maintained solely for legal or compliance purposes; (3) the business does not sell it or use it for any commercial purpose; AND (4) the business describes to the consumer the categories of records that may contain personal information that it did not search.

  • This exception is much weaker than it looks, seems to apply very narrowly, and adds the additional obligation to tell the consumer what a business did not search. It may help for certain categories of compliance-related information, such as information retained for tax purposes.

• Cannot Disclose Biometric Data: A refreshing bright-line rule: in addition to other highly sensitive types of information like SSN or security questions and answers, the AG added that a business shall not ever disclose “unique biometric data generated from measurements or technical analysis of human characteristics.”

• Loosens Formula for Calculating the Value of Consumer Data: Previously the AG regulations dictated a list of ways in which a business could estimate the value of a consumer’s data, such as “aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers”. Now, however, the AG only asks businesses to consider one or more of the formulas.

• Overreaching Restriction on CCPA Records: The AG added a restriction that “information maintained for recordkeeping purposes shall not be shared with any third party.”

  • The AG has not made exceptions that are likely necessary for many businesses, such as sharing with legal counsel, tax and financial advisors, and similar business advisors.

• Raised Threshold for Requirement to Publicly Disclose CCPA Metrics from 4,000,000 to 10,000,000 or More California Consumers: The regulations require that businesses who buy, receive, sell or share for commercial purposes the personal information of 10,000,000 or more California consumers (a significant and needed increase from 4,000,000) make certain disclosures about their CCPA compliance program by July 1 of every calendar year.

While these new changes add some clarity on certain aspects of the law, in other aspects they only spur more confusion, and there is still much to be desired in terms of guidance on how a business can comply with the Act. There is the potential for additional modifications to the regulations prior to them becoming final, and therefore, there remains hope for some clearer guidance on certain open issues.

Companies should continue to be attentive and flexible in developing their CCPA compliance programs. And stay tuned . . .