Updated CCPA Regulations Released
On Friday, February 7th, 2020, California’s Attorney General (AG) Xavier Becerra released the updated rules for the California Consumer Privacy Act (CCPA), having considered comments on the previous draft regulations made in writing and at multiple public hearings.
We previously highlighted the main points of the regulations, and Datawallet also submitted comments on the old draft. In this post, we focus only on the key proposed modifications and clarifications in the updated CCPA regulations that are important to companies.
The AG made some clarifications that reinforce that the definition of personal information (PI) depends on how a business handles the data points. It is noted that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.” So while an IP address may fall under the CCPA’s definition of “personal information,” if the business cannot reasonably link it to any consumer, it would not be regarded as “personal information” by the Attorney General.
Example Opt-Out Button
The modified regulations include an example opt-out button design that companies can use on their website (pictured below). However, while the example design is not binding, it is mandatory for companies that sell personal data to place a prominent and easily accessible opt-out button on their website. While a standard for the design of such a button is a good step towards establishing a minimum requirement for all companies to adopt, many compliance solutions (like Datawallet) may utilize better alternatives.
Lastly, the notice at point of collection was altered. Now, a business cannot use a consumer’s personal information for a “purpose materially different than those disclosed in the notice at collection,” unless the consumer is notified, and the business obtains explicit consent.
Data Subject Requests
Several modifications to the regulations have an impact on how businesses handle consumer rights requests (Data Subject Requests or DSRs):
Time to respond: A business now has 10 business days to confirm the receipt of a DSR, but 45 calendar days to respond to the request. If the business cannot verify the consumer’s identity in the 45 calendar days, the request can be denied.
If the business operates solely online and has a direct relationship with the consumer, providing only an email address for requests to know is sufficient.
Deletion Requests: The updated regulations no longer require a two-step confirmation process for deletion requests; this has become optional. A business is also no longer required to inform the consumer of the method by which their data was deleted. If the business denies the deletion request, it must give the consumer the option to opt-out of the sale of their information and include the content of, or a link to, the relevant notice.
Businesses cannot burden consumers with a fee for the verification of a DSR.
Right to know: A business is not required to search for personal information if the business does not maintain the information in a searchable or reasonably accessible format, uses the PI solely for legal or compliance purposes, does not sell or use the PI for commercial purposes and describes in its response the categories of records it holds that may contain PI. This allows businesses to avoid some expansive and expensive searches of, for instance, call log data kept for compliance. Further, biometric data is now included in the data that should never be handed over to a request.
The modified CCPA regulations clarify that “service providers” are allowed to use the personal information they obtain while being a service provider in order to “build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” This creates a useful and clear line between improving services and copying/enriching data to create a better service.
Lastly, the regulations require that service providers cannot sell data on behalf of a business when a consumer has opted-out of the sale of their personal information with the business.
Mobile Application Notifications
User-Enabled Privacy Controls
The AG also made clarifications regarding pre-set privacy controls, such as browser settings, as there was a lot of confusion regarding the handling of this type of “opt-out”. The regulations state that a “global privacy control” should be developed in accordance with the regulations and must “clearly communicate or signal that a consumer intends to opt-out of the sale of personal information,” and they require that the consumer “affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.” These settings should be treated as if the requests came directly from the consumer, not through an authorized agent.
If the global privacy controls conflict with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, then the business has to respect the global privacy control, but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
The regulations clarify that “Household” means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.
Companies also do need to include Do Not Sell links in employee privacy notices (e.g. for job applicants or contractors); however, this clause becomes inoperative on January 1st, 2021.
A business must comply with a request of an authorized agent acting on a consumer’s behalf, provided that the agent has written and signed permission to do so, or the consumer directly confirms with the business that they have authorized the agent. The agent must also implement and maintain reasonable security measures and cannot use the consumer’s data for any other purpose but to fulfil the request.
The above are some of the major modifications and clarifications in the updated CCPA regulations. There are many additional smaller changes not mentioned in this post. The new deadline to submit written comments on the updated regulations is February 25th, 2020, at 5:00 p.m. (PST). Datawallet continues to productize and review the draft regulations.
If you have questions on how your business should tackle the CCPA, or on data governance in general, contact the Datawallet team at any time. We also have a self-service CCPA Readiness Questionnaire, or you can request a quick, free CCPA Readiness Assessment from our experts. You can find out whether the CCPA applies to you with our self-service CCPA Questionnaire. You can also sign up for our easy-to-use compliance platform here.