The California Attorney General has published a revised version of the first draft of the CCPA regulations. The comment deadline has been extended to February 25th, 2020.
The California Attorney General (AG) Xavier Becerra published the revised CCPA regulations on February 7th, 2020. The document was republished on February 10th, 2020 to correct a minor omission.
The revised version builds directly on the first draft of the CCPA regulations published on October 10th, 2019. The deadline for comments on the revised publication has been extended to February 25th, 2020.
It is still not clear when the final regulations will be published, which is worrying with the enforcement deadline roughly 18 weeks away. The newer version of the regulations does, however, remove a number of the ambiguities present in the first draft.
Although the document itself is comprehensive and wide-ranging, the key takeaways from the publication are below.
The AG has aimed at clarifying the definitions used in the first draft. The proposed changes to existing definitions and the major additions are as follows:
- Categories of Sources: The types or groupings of persons or entities from which a business collects personal information. They must be described in enough detail for consumers to have a clear understanding of the type of source. Examples include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
- Categories of Third Parties: The types or groupings of third parties with which a business shares personal information. Examples include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data brokers. Consumers must be given enough detail to clearly understand the type of third party.
- Household: A person or group of people who reside at the same address, share a common device or service provided by a business, and are identified by the business as sharing the same group account or unique identifier.
- Employment Benefits: Retirement, health, and other benefit programmes to which a consumer has access through his or her employer, including benefits extended to the consumer's beneficiaries.
- Employment-related Information: Personal information that a business collects about a natural person for the purposes identified in Civil Code section 1798.145, subdivision (h)(1). The collection of this information is considered a business purpose.
Interpretation Of CCPA Definitions
This is a newly added section in the CCPA regulations, with the objective of clarifying what "personal information" means.
Under Civil Code section 1798.140, subdivision (o), whether information is personal information depends on whether the business maintains it in a manner that "identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household."
For example, if a business collects the IP addresses of visitors to its website but does not link, and could not reasonably link, those addresses to a particular consumer or household, the IP addresses are not personal information.
Another important addition to the regulations is a section on the required notices and the cases in which each is necessary. These apply to businesses that collect personal information, businesses that sell personal information, and businesses that offer a financial incentive. Some of the changes are:
All four notices must be reasonably accessible to consumers with disabilities. For online notices, businesses are required to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
Regulation for mobile apps: If a mobile app collects personal information from a consumer's device that the consumer would not reasonably expect it to collect, a just-in-time notice is required. The notice must summarize the categories of personal information being collected and link to the full notice at collection. For example, if a consumer downloads an e-commerce app that requests their location, a notice such as a pop-up window is required.
Employment-related Information: A business that collects employment-related information must still provide a notice at collection, with the following modification:
a. The notice does not need to include the link or web address to the page titled "Do Not Sell My Personal Information" or "Do Not Sell My Info".
Financial Incentive: The most significant change under this category is the addition of the following requirement:
"A business that does not offer a financial incentive or price or service difference related to the disclosure, deletion, or sale of personal information is not required to provide a notice of financial incentive."
Opt-out Button: The changes to the opt-out button are shown in the image below.
Handling Consumer Requests
There are multiple tweaks under this category; the most important ones are listed below.
- Methods for Submitting Requests to Know and Requests to Delete
I. A business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information is only required to provide an email address for submitting requests to know.
II. A business that interacts with consumers in person should consider offering an in-person method as well, such as a printed form submitted by mail, an online form completed by the consumer, or a toll-free number the consumer can call.
- Responding to Requests to Know and Requests to Delete
I. Businesses must respond to a request within 45 days of receiving it. A business may deny the request if it cannot verify the consumer's identity within that 45-day period.
II. A business is not required to search for personal information in response to a request to know if all of the following conditions are met:
a. The business does not maintain the personal information in a searchable or reasonably accessible format.
b. The business maintains the personal information solely for legal or compliance purposes.
c. The business does not sell personal information and does not use it for any commercial purpose.
d. The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
- Verification Of Requests
Key proposed changes and additions under this category are:
I. A business shall not require a consumer to pay a fee for the verification of a request to know or a request to delete.
II. New rules are introduced for authorized agents making CCPA requests on behalf of consumers. An authorized agent must implement and maintain reasonable security procedures and practices to protect the consumer's information, and must not use a consumer's personal information, or any information collected from or about the consumer, for any purpose other than fulfilling the consumer's requests, verification, or fraud prevention.
- Special Rules Regarding Minors
For minors under the age of 13, a business must establish, document, and comply with a reasonable method for determining whether the person submitting a request to know or a request to delete the child's personal information is the child's parent or legal guardian.
A business's denial of a consumer's request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations is not considered discriminatory. Examples of such permitted denials are listed under that article of the revised CCPA regulations.