On March 11, 2020, the California Attorney General (AG) issued a second set of modified draft regulations for the CCPA. AG Becerra's first modified regulations were issued on February 10, 2020. These new modifications make small updates and clarifications in 10 key areas of the CCPA regulations, including consumer notices, privacy policies, responding to consumer requests, and the rules governing verification.
Note: only substantive changes since the February 10, 2020, Modified Regulations are noted below.
Notice at Collection
- If a business does not collect information directly from a consumer, it does not need to provide a notice at collection, provided it does not sell that consumer's information
- Clarification that Modified Regs 999.305(d) refers to data brokers
Notice of Right to Opt-Out of Sale
- The opt-out logo is deleted entirely; no replacement is provided
- The notice must now be understandable to "consumers" instead of "an average consumer"
- Regarding personal information (PI) collected, disclosed, or sold, the notice must include:
  - The sources from which PI is collected (described so that consumers gain a meaningful understanding)
  - The business or commercial purpose for collecting or selling PI (described so that consumers gain a meaningful understanding)
  - If a business has actual knowledge that it sells the PI of minors younger than 16, information for minors younger than 13 and for minors aged 13 to 16 (the opt-in process, and the right to opt back out and how to do so)
Responding to Requests to Know/Delete
- In response to a request to know, businesses cannot provide social security numbers (SSNs), health insurance numbers, biometric data, etc., but they should inform the consumer that they have collected that type of information
  - Example: "collected biometric info including fingerprint scan," but do not send the actual fingerprint scan
- Unverified requests to delete – the requirement to ask whether the consumer wants to opt out was removed from this provision but kept in a different section (see the next item)
- If a business that sells PI denies a request to delete, it shall ask whether the consumer wants to opt out of sale and include a link to, or the contents of, the notice of right to opt-out
- Using PI – clarifications made
  - "performing services in contract" was clarified to "To process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA"
  - Internal use – PI cannot be used to build or modify consumer or household profiles for the purpose of providing services to another business, or to correct or augment data acquired from a different source
Requests to Opt-Out
- Privacy controls developed in accordance with the regulations – it is no longer required that "the controls do not have pre-selected choices and consumers have to affirmatively select the choice to opt-out"
Training and Record-Keeping
- Information maintained for record-keeping purposes shall not be shared with any third party except as necessary to comply with a legal obligation
- Publishing metrics threshold – now applies to any business that "knows or reasonably should know" that it receives, sells, or shares the PI of 10 million or more consumers in a calendar year
General Rules Regarding Verification
- A business cannot require a consumer or an authorized agent to pay a fee for verification
- An authorized agent only needs to show signed permission from the consumer when making a request on the consumer's behalf (as opposed to written and signed permission)
Calculating the Value of Consumer Data
- When calculating the value of consumer data, businesses may use the value of the data of all people in the United States (rather than the data of all natural persons)
You can read the Modified Regulations in their entirety, here.
Because one of the biggest obstacles businesses face in preparing for the CCPA is a lack of time and bandwidth, compounded by the complexity of the law, we created a 5-Step CCPA Compliance Checklist. This checklist includes recommended actions to help businesses working toward CCPA compliance. We also created the CCPA Master Class series, where you can prepare for CCPA-specific requirements.