By Jim Halpert and Katie Lee
On March 11, 2020, the California Attorney General’s Office issued a third version of its draft CCPA rules (Version 3.0), only two weeks and a day after receiving comments on the second version. Comments are due March 27 at 5 p.m. PDT.
Most of the changes in Version 3.0 are technical in nature. The very quick turnaround of Version 3.0 suggests that the AG’s Office has narrowed the issues it is actively considering and may be close to finalizing its regulations. However, there are several significant issues raised by the changes in Version 3.0 that we discuss below.
Definitions. The latest draft contains a subtle, but potentially significant, change to the definition of a “financial incentive.” The change would expand the definition from benefits or offers “as compensation for the disclosure, deletion or sale of personal information” to benefits or offers “related to the collection, retention or sale of personal information.” The addition of the noun “collection” may be a drafting error, but it would potentially expand the notice-of-financial-incentives obligation in the regulations well beyond the non-discrimination right in the CCPA. Both the CCPA and its non-discrimination obligation apply to sale, right to know, deletion, access and portability rights, but they do not regulate, or apply to waivers of, the collection of personal information.
Definitional guidance (§ 999.302). Version 3.0 removes entirely the clarifying language in Version 2.0 regarding when an IP address is “personal information.”
Notice at collection (§ 999.305). Version 3.0 decouples from data broker registration the exception under which a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to that consumer unless it sells the consumer’s personal information. In practice, this may exempt from the notice at collection entities that obtain information indirectly, for analytics purposes for example, and do not sell personal information. In addition, the revisions clarify, consistent with the text of the employee data moratorium, that notices at collection of employment-related information do not need to include a link to a business’s long-form privacy policy.
Opt-out button. Version 3.0 removes the optional “do not sell” icon that Version 2.0 had added in § 999.306(f). The regs yet again do not include a suggested opt-out icon. Instead, businesses that sell personal information must include a “Do Not Sell My Personal Information” or “Do Not Sell My Information” hyperlink on their website home page or on the landing page of their mobile app.
Privacy policies (§ 999.308). Under the revised regulations, businesses must expand again the scope of the disclosures in their privacy policies. Version 3.0 reinstates the previously deleted requirements to identify (i) the categories of sources from which personal information is collected, and (ii) the business or commercial purpose for collecting or selling personal information. In addition, businesses that know that they sell personal information of minors under the age of 16 will now have to describe the opt-in processes that they are required to implement to comply with § 999.330 and § 999.331.
Responding to requests to know and to delete (§ 999.313). The proposed regulations qualify the prohibition against providing specific pieces of information (e.g., social security number, driver’s license number) in response to a right to know request by requiring that businesses instead inform consumers that these types of information were collected, without supplying the data element itself. In other words, a business will need to inform the consumer that it has collected the consumer’s social security number instead of providing the actual number. In addition, Version 3.0 appears to expand the obligation on businesses that deny a data deletion request from a consumer who has not opted out of sale: such businesses must offer the consumer an opportunity to opt out of sale regardless of whether the business actually sells personal information.
Service providers (§ 999.314). The service provider exception is extended to cover service providers that collect personal information about a consumer, but not directly from the consumer. It also now allows service providers to perform services not specified in their written contract, provided that those services are “in compliance” with the contract and are on behalf of the business. Version 3.0 further clarifies the service provider “internal use” exception by stating, consistent with the statute, that service providers may build or modify household or consumer profiles for the business that engaged them, but not “to provid[e] services for another business.” Last, it clarifies that the restriction against “cleaning . . . data acquired from another source” means “correcting” data.
Requests to opt-out (§ 999.315). Under the revised regulations, privacy controls that communicate an option to opt out of a sale of personal information no longer need to be designed so that the consumer affirmatively selects a choice (i.e., controls may be designed with pre-selected settings). However, it appears that responding to these signals is still not mandatory.
Record-keeping requirements (§ 999.317). Version 3.0 adds a scienter standard: a business must post metrics on its performance times for individual rights requests only if it ‘know[s] or reasonably should know’ that it meets the threshold of receiving, selling or sharing the personal information of 10.0 million or more consumers.
Verification (§ 999.323). The revisions to the regulations extend the prohibition on businesses charging fees to verify requests to know or delete to consumers’ authorized agents, which raises the prospect of authorized agents making demands that they be reimbursed for proof of authorization and inundating businesses with requests on behalf of large groups of consumers.
Non-discrimination (§ 999.336, § 999.337). The proposed regulations extend the exception that permits certain price or service differences to cover differences that are the direct result of compliance with a state law, in addition to a federal law. In addition, the regulations narrow the basis for calculating the value to a business of consumer data by stating that businesses may consider only the data of all natural persons in the United States, and not globally.
DLA Piper has adjusted its CCPA compliance templates to reflect the changes in the last two versions of the CCPA regulations. Please contact any member of our team if you would like to update your CCPA compliance documents to reflect the updated draft regulations.