On February 10, 2020, California Attorney General (AG), Xavier Becerra, released a modified text of his proposed regulations for the California Consumer Privacy Act (CCPA). These modifications were made to the initial draft regulations that were released in October of 2019. The Modified Proposed Regulations are not necessarily the final draft of the Regulations and AG Becerra can still make additional changes before the final version is released in the Spring of 2020.
The modified Proposed Regulations include modifications to definitions and further guidance relating to consumer notices, handling consumer requests, and rules regarding minors and non-discrimination.
The modified Proposed Regulations include new definitions for certain terms and also amend the majority of the definitions that already existed in the original text. Some notable changes include:
- Clarified ‘categories of sources’ to include a description that allows consumers to understand the type of person or entity
- Added ‘employment benefits’ and ‘employment-related information’
- Redefined ‘Household’ – reside at the same residence, share common device or service from business, and business has identified household as sharing the group account or unique identifier
The updated Proposed Regulations also provide a general overview of the required notices businesses must disclose to consumers, which include:
- a notice at the collection of information, for any business that collects information from a consumer;
- a notice of right to opt-out, for a business that sells personal information; and
- a notice of financial incentive for a business that offers a financial incentive or price or service difference.
Notices at the point of collection must be readily available so that consumers encounter them at or before the point at which personal information is collected. Notable updates include:
- Business may not use personal information (PI) for purposes materially different from those disclosed at the time of collection
- Mobile app collection
- Employee-related information is exempt from the “Do Not Sell My Personal Information” link requirement; instead, businesses may include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors.
- This provision would expire on Jan. 1, 2021
Opt-Out of Sale / Do Not Sell My Personal Information
The biggest change relating to the right to opt-out is the introduction of the opt-out button, which may be used in addition to posting the notice of the right to opt-out, but not in lieu of any posting of the notice of right to opt-out. When this button is used, it must be placed to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link and must be approximately the same size as other buttons on the business’s webpage.
Specifically, for opt-out requests, the modified Proposed Regulations add that the methods of submission must be easy for consumers to execute and must require minimal steps to allow opting out. Some notable updates include:
- Privacy controls that are created according to regulations shall communicate the opt-out signal clearly, with no pre-selected settings
- If a global privacy control conflicts with business-specific privacy settings or participation in a financial incentive, respect the global signal
- May notify the consumer of the conflict and give them the choice to confirm the business-specific privacy setting or participation in the financial incentive
- Timeline – 15 business days to comply
- If PI is sold between date request is made and date the request is fulfilled, business must inform those third parties of the exercised right to opt-out and direct them to stop selling that consumer’s info
- Replaces 90-day look-back requirement
- Can use authorized agent with written, signed attestation
- If consumer is opted out and initiates transaction/service that requires sale of data, inform consumer that requested service requires sale of data and provide instructions on opting in
Handling Consumer Requests
For the purpose of submitting requests to know and to delete, the modifications distinguish between businesses that operate exclusively online and have direct relationships with consumers, stating they are only required to provide an email address for submitting requests to know. In contrast, all other businesses must provide two or more methods for submitting requests, including at least a toll-free telephone number.
For circumstances where a business interacts with the consumer in person, the business must consider providing an in-person method, such as a printed form, a tablet or computer portal, or a telephone. Note that businesses are no longer required to use a two-step process for online requests to delete.
Regarding responses to requests to know and to delete, it is clarified that the confirmation of the receipt of the request must be given within 10 business days, in the same manner in which the request was received. Additionally, the 45-day deadline to respond to the request and the 45-day extension have been clarified to mean 45 calendar days.
Furthermore, businesses are not required to search for personal information if the following conditions apply cumulatively:
- Business doesn’t keep PI in searchable or reasonably accessible format
- PI is maintained only for legal or compliance purposes
- Business doesn’t sell PI or use it for commercial purposes
- A description is provided to the consumer, of the categories of records that may contain personal information that were not searched because the conditions stated above were met
Further updates relating to the handling of consumer requests include:
- No disclosure of biometric data for request to know
- If the request conflicts with state or federal law, the business can explain the denial as such unless prohibited by law
- No need to delete from archived system unless back-up is restored to active system or accessed/used for a sale/disclosure/commercial purpose
- No need to inform consumer of how deletion occurred (aggregation, deidentification, deletion, etc.)
- For an unverified request to delete, do not delete.
- If the consumer hasn’t requested to opt-out, the business shall ask the consumer if they’d like to opt-out of sale and include contents of/link to notice of right to opt-out
- Replaces requirement to treat unverified request to delete as a request to opt-out
Additionally, the threshold for the online publication of request metrics has been raised from the handling of information of 4 million consumers or more to 10 million consumers or more.
The provisions on service providers have been slightly amended by the modified Proposed Regulations, mainly with regard to the retention, use, or disclosure of personal information in the course of providing services. This is not allowed, with exceptions such as performing the contracted services and detecting security incidents, fraud, and illegal activity. Service providers are also prohibited from building profiles or augmenting data collected from other sources.
Verification of Requests
The modified Regulations stipulate that:
- A consumer cannot be required to pay a fee for identity verification
- Business can deny a request if it can’t verify the identity of the requestor
Rules Regarding Minors
Consent forms that must be signed by a parent or guardian of a child can be done either physically or electronically. Additionally, businesses must establish, document, and comply with a reasonable method for determining whether a person submitting a request of a child under the age of 13 is, in fact, the parent or guardian of that child.
The modified Regulations provide that a business should not offer a financial incentive, or a price or service difference, if it is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to that value. Additionally, denying a consumer request for reasons permitted by the CCPA or the Regulations is not considered discriminatory.
Examples were provided showing that loyalty programs can be acceptable and nondiscriminatory under the Modified Regulations. Finally, in order to calculate the value of consumer data, businesses can consider the value of the data of all natural persons to the business, not just that of consumers.
The California Department of Justice is accepting written comments regarding the modified Proposed Regulations until Tuesday, February 25, 2020. Written comments must be submitted no later than 5:00 p.m. on February 25, 2020 by email to [email protected], or by mail at the following address:
Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Email: [email protected]