California AG releases second set of modified proposed CCPA regulations
On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”
Key modifications are as follows:
- Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
- Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
- “Opt-Out” Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
- Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
- Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
- Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of its services, it may not build or modify household or consumer profiles to use in providing services to another business.
- Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
- Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
- Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.
Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.