Last week, on March 11, the California Department of Justice, Office of the Attorney General (AG) released its second set of revisions to its draft regulations under the California Consumer Privacy Act (CCPA). This second set of proposed revisions is based in part on comments received in response to an initial set of proposed revisions released by the AG last month (see February 10 Reed Smith client alert here). Written comments to this second set of proposed revisions must be submitted by March 27, 2020.
This set of proposed revisions was not extensive. Highlights appear below.
- Withdrawn limitation on “personal information”: The AG withdrew its generous clarification that the existence of personal information may depend in part on the manner in which information is maintained by a business. Thus, an IP address that is not combined with other identifiable information (such as from a customer session or an ISP) may still be “personal information.”
- Privacy notice guidance: The proposed revisions clarify that notice is not required where a business collects information about, but not directly from, a consumer but does not sell that information. Of course, other provisions of the CCPA would still apply (as well as, in some situations, the separate data broker law). In addition, the proposed revisions state that a privacy notice should provide consumers with “a meaningful understanding” of the various data sources the business uses and the purposes for collecting and, if applicable, selling personal information. This standard is a useful litmus test for a business’ disclosure approach, including an assessment of the appropriate level of granularity.
- Data subject requests: The proposed revisions clarify that, while biometric information should not be provided in response to a “request to know,” the business must nonetheless disclose “with sufficient particularity” the type(s) of biometric data it has collected (for example, fingerprint, facial recognition geometry). Also, the sample button for use in connection with an opt-out of the sale of personal information has been removed from the draft regulations, as has the language that prohibited preselection of choices when developing privacy controls (global or business-specific) that implement the opt-out right. This makes sense, given that this is an “opt-out” right (not an “opt-in”), and it could be burdensome to the consumer to be required to make an affirmative choice every time the opt-out appears. The important thing, which remains, is that the nature of the do-not-sell opt-out right must be made clear.
- Restrictions on service provider uses of information: In the proposed revisions, the previous limitation on service providers' use – “to perform the services specified in the written contract” – is jettisoned in favor of a less malleable limitation: “[t]o process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.” This seems to be designed to prevent any effort to expand permissible service provider handling of personal information by expanding the contractual description of the services to be provided.
- Financial incentives tweaked and clarified: Under the proposed revisions, the relevant price or service level difference is whatever may be offered for the collection or retention of personal information, not the disclosure or deletion of information. This may be a distinction without much of a difference, given that retention is directly related to deletion, and incentives for disclosures that constitute a “sale” still count.
Note that this is only a preliminary assessment as to some, but not all, of the proposed revisions to the proposed CCPA regulations. You should obtain legal advice before taking or refraining from any action concerning those proposed regulations.
As indicated above, written comments relevant to these proposed revisions may be submitted on or before 5 p.m. (PST) on March 27, 2020, by email (at the address provided in the Notice) or by mail to:
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013