California AG Publishes Revised Version Of CCPA Regulations

The California Attorney General (AG) Xavier Becerra published a revised version of the CCPA regulations on February 7th, 2020. It was republished on the 10th of February, 2020 to correct a minor omission in the document.

The revised version is derived directly from the first draft of the CCPA regulations, published on October 10th, 2019. The deadline for comments on the revised publication has been extended to 25th February, 2020.

It is still not clear when the final regulations will be published, a worrisome state with the enforcement deadline almost 18 weeks away from now. The newer version of the CCPA regulations appears to eliminate ambiguities present in the first draft.

Although the document in itself is quite comprehensive and wide-ranging, here are key takeaways from the publication:

Definitions

The AG has aimed at clarifying the definitions in the first draft. The proposed changes to some of the definitions, and the major additions, are as follows:

Changes

  • Categories of Sources: These are the types or groupings of persons or entities from which a business collects personal information. They should include enough detail about the entity or person for consumers to have a clear understanding. They can include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
  • Categories of Third Parties: These are the groups or types of third parties with which a business shares personal information. They may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data brokers. Consumers should clearly be made aware of the particular type of third party involved.
  • Meaning of Household: A person or a group of people who reside at the same address, share a common device or service provided by a business, and are identified by the business as sharing the same group account or unique identifier.

Additions

  • Employment Benefits: These include retirement, health, and other benefit programmes to which a consumer receives access through their employer. They also cover the consumer’s beneficiaries who have access to the same services.
  • Employer-related Information: This is personal information collected by a business about a natural person under Civil Code section 1798.145 subdivision (h)(1). Collecting this information will be considered a business purpose.

Interpretation Of CCPA Definitions

This is a newly added section in the CCPA regulations, with the objective of clarifying what ‘personal information’ means.

Under Civil Code section 1798.140 subdivision (o), whether information is personal information depends on whether the business maintains it in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

To illustrate: if a business collects the IP addresses of its website’s visitors but is unable to link them to a particular consumer or household, those IP addresses will not be considered personal information.

Required Notices

Another important addition to the regulations is a section that describes the required notices and the cases in which they are necessary. These apply to businesses that collect personal information, businesses that sell personal information, and businesses that offer a financial incentive. Some of the changes are:

All four notices must be reasonably accessible to consumers with disabilities. For online notices, businesses are also required to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

Regulation for mobile apps: If a mobile app business collects personal information from a consumer’s device that the consumer would not reasonably expect to be collected, a just-in-time notice is necessary. This should include a list of the information being collected along with a link to the full notice at collection. For example, if a consumer downloads an e-commerce app that requires their location, a notice is required in some form, such as a pop-up window.

Data Brokers: If a business is registered as a data broker with the California AG and does not collect information directly from consumers, it does not need to provide a notice at collection if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.

Employment-related Information: A business that collects employment-related information shall comply with the following:
a. The notice does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”.
b. The notice at collection of employment-related information may include a link to, or a copy of, the business’s privacy policy for job applicants, employees or contractors instead of a link to the business’s privacy policy for consumers.

Financial Incentive: The most significant change under this category is the addition of a requirement stated as:

“A business that does not offer a financial incentive or price or service difference related to the disclosure, deletion, or sale of personal information is not required to provide a notice of financial incentive.”

Opt-out Button: The opt-out button changes are listed in the image below:

[Image: Opt-out button in CCPA regulations]

Handling Consumer Requests 

There are multiple tweaks under this category; we list the most important ones below.

Methods for Submitting Requests to Know and Requests to Delete

  • If a business operates exclusively online and has a direct relationship with the consumer from whom it collects personal information, it shall only be required to provide an email address for submitting requests to know.
  • If a business interacts with consumers in person, methods may include a printed form submitted by mail, an online form filled out by the consumer, or a toll-free number that the consumer can call.

Responding to Requests to Know and Requests to Delete

  • Businesses should respond to requests within 45 days of receiving the request. Businesses may deny the request if they cannot verify the consumer within these 45 days.
  • A business is not required to search for personal information if all of the following conditions are met:
    a. The business does not maintain the personal information in a searchable or reasonably accessible format.
    b. The business maintains the personal information solely for legal or compliance purposes.
    c. The business does not sell the personal information and does not use it for any commercial purpose.
    d. The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

Verification Of Requests 

Key proposed changes/additions under this category are: 

  • A business shall not require a consumer to pay a fee for the verification of their request to know or request to delete.
  • New rules are introduced for authorized agents making CCPA requests on behalf of consumers. An authorized agent shall implement and maintain reasonable security procedures and practices to protect the consumer’s information, and shall not use a consumer’s personal information, or any information collected from or about the consumer, for any purpose other than fulfilling the consumer’s requests, verification, or fraud prevention.

Special Rules Regarding Minors

For minors under the age of 13, businesses are required to establish, document, and comply with a reasonable method for determining whether the person submitting a request to know or a request to delete personal information is the parent or legal guardian of that child.

Non-Discrimination 

A business’s denial of a consumer’s request to know, request to delete, or request to opt-out, for reasons permitted by the CCPA or these regulations, shall not be considered discriminatory. Examples of such permitted denials are listed under this article in the revised CCPA regulations.
