As Enforcement Looms, California Consumer Privacy Act Proposed Rules Gain Clarity Through New Modifications
On February 10, 2020, the Office of the California Attorney General (OAG) issued proposed modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA) that were published on October 11, 2019.[1] The proposed modifications (Modified Proposed Regulations)[2] clarify certain aspects of the initially proposed regulations and add detailed requirements related to some provisions of the CCPA. Among other things, the Modified Proposed Regulations set forth more clearly the responsibilities and liability exposure of service providers, pull back on some aspects of the proposed regulations to align with the CCPA's express text, and offer covered businesses relief from certain obligations that the CCPA purports to impose but that, in some circumstances, would be patently impracticable to fulfill.
The OAG is accepting comments on the Modified Proposed Regulations only until February 25, 2020. Following consideration of those comments, the OAG will issue final regulations on or before July 1, 2020, the date on which the OAG becomes authorized to bring actions to enforce violations of the statute.
Overview
The Modified Proposed Regulations include clarifications and amplifications of several of the CCPA's definitions and the statute's requirements for businesses to (i) provide notices to customers regarding the collection, use and disclosure of their personal information, (ii) maintain privacy policies, (iii) honor consumers' right to opt out of the sale of their personal information, (iv) respond to consumer requests for access to or deletion of their personal information, and (v) not penalize consumers for exercising their CCPA rights. This Advisory highlights only some of these proposed modifications, focusing on those that are particularly notable either in resolving questions left unanswered by the initial proposed regulations or in indicating the OAG's likely approach to enforcement.
Definitions
Personal Information. The Modified Proposed Regulations add a "guidance" provision on the CCPA's definition of "personal information." Under the statute, "personal information" is information that "identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household." As examples, the statute lists a lengthy group of categories of information. There have been questions whether that list, although prefaced by the above-quoted statement (made twice within two sentences), includes data elements that are categorically "personal information." The Modified Proposed Regulations underscore that this is not the case. They expressly state that the determination of whether a particular data element, even if it is included in the statutorily listed categories, is "personal information," "depends on whether the business maintains [the] information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household."
Although this clarification might be viewed as superfluous given its repetition of the statutory text, it very helpfully adds the specification that the analysis of whether certain information is "personal information" "depends on [the manner in which] the business maintains [the] information." Thus, under the Modified Proposed Regulations, a business need not consider hypothetical possibilities of data linkages beyond those it itself is capable of performing. If the business does not, and reasonably could not, link data elements to individuals or households, those data elements are not "personal information" for that business's CCPA compliance purposes. The Modified Proposed Regulations provide an example to underscore this point: "if a business collects the IP address of a visitor to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, the IP address would not be 'personal information.'"
Another welcome definitional clarification is of the term "household." The OAG's initial proposed regulations stated simply that a "household" consisted of persons or groups of persons occupying a single dwelling. The Modified Proposed Regulations define the term "household" in greater detail as "a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier." All three prongs of this definition must be satisfied for a "household" to be identifiable.
Disclosures to Consumers
The Modified Proposed Regulations clarify that even if a business does not collect personal information directly from consumers, it still must maintain an accessible privacy policy and honor consumers' CCPA rights (i.e., rights to know how their personal information is processed, to access the data or have it deleted, to opt out of its sale, and to receive nondiscriminatory treatment if they exercise their rights). Specifically, the modifications include a new express requirement that (1) every covered business provide a privacy policy, (2) a business that collects personal information from a consumer must provide a notice at the time of collection, (3) a business that sells personal information must provide a notice of right to opt-out, and (4) a business that offers a financial incentive or price or service difference to consumers must provide a notice of financial incentive (discussed in our October 2019 Advisory), in each case in accordance with the CCPA and applicable implementing regulations.
All of these disclosures must be clear and conspicuous and presented in a way that catches a consumer's attention, including on small screens such as those of mobile phones. To clarify how businesses should satisfy the CCPA's requirement that the disclosures be "reasonably" accessible to consumers with disabilities, including online, the Modified Proposed Regulations specify that businesses must follow "generally recognized industry standards, such as the Web Content Accessibility Guidelines . . . from the World Wide Web Consortium."
Privacy Policy. As noted, the Modified Proposed Regulations clarify that every business must have a privacy policy, which must, as prescribed by the CCPA, identify the categories of personal information the business has collected about consumers in the preceding 12 months. In a change from the initial proposed regulations, the Modified Proposed Regulations eliminate the requirement that, for each category of personal information collected, the privacy policy identify (1) the categories of sources from which the information was collected and (2) the business or commercial purpose(s) for the collection of the information. This change apparently reflects comments the OAG received on the initial proposed regulations pointing out that the CCPA itself does not impose these two requirements. The Modified Proposed Regulations retain, however, the mandate that each business include in its privacy policy a list of the categories of personal information, if any, that it has sold in the past 12 months and, separately, a list of the categories of personal information, if any, that it has disclosed for a business purpose in the past 12 months.
Notice of Collection. The Modified Proposed Regulations clarify certain requirements regarding the notices to consumers that must be provided before or at the time of collection of their personal information, including by adding or altering language on the following points:
- When a business collects personal information online, it should provide a conspicuous link to the notice both on the introductory page of the business's website and on all web pages where personal information is collected.
- When a business collects personal information through a mobile application, it may provide a link to the notice on the application's download page and within the application, such as through the application's settings menu.
- When a business collects personal information from a consumer's mobile device for a purpose that the consumer would not reasonably expect, it must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice. For example, if the business offers a flashlight application and the application collects geolocation information, the business must provide a just-in-time notice, such as a pop-up window shown when the consumer opens the application, that contains this summary and link.
- When a business collects personal information over the telephone or in person, it may provide the notice orally.
In addition to these specifications of the manner in which the notice of collection must or may be provided, the Modified Proposed Regulations emphasize that the purpose of the notice of collection is to "provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them and the purposes for which the personal information will be used." Under the Modified Proposed Regulations, and consistent with generally recognized privacy principles, a business must be comprehensive in listing all anticipated uses of personal information in the notice, because use for a purpose not identified at or before the time of collection defeats the purpose of the notice (i.e., to give individuals the opportunity to choose whether to permit collection of their personal information based on an informed understanding of what will happen if they do). Notably, however, the Modified Proposed Regulations add a materiality component to the consideration of whether a subsequent use of personal information is permissible: they provide that, absent explicit consent from the consumer, a business may not use the consumer's previously collected personal information for a purpose that is "materially different" from what was described to the consumer in the notice at or before the time of collection.
Notices to Employees and Job Applicants. As discussed in our October 2019 Advisory, the OAG issued its initial proposed regulations shortly before the California Governor signed into law several amendments to the previously enacted CCPA, including a one-year exemption of "employee" personal information from most of the statute's requirements. The Modified Proposed Regulations include provisions to help implement the CCPA requirement that is not subject to the statutory "employee" exemption: the requirement for a business to provide notices of collection to its employees, job applicants, officers, directors, owners, medical staff members, and contractors. Under the Modified Proposed Regulations, businesses collecting personal employment-related information must comply with the general notice of collection requirements except that the notice at collection of employment-related information (1) need not reference a right to opt out of the sale of personal information and (2) may include a link to, or paper copy of, a business's privacy policies for job applicants, employees, or contractors rather than to the business's privacy policy for consumers.
Consumer Requests
Methods for Submitting Requests to Know and Delete. The Modified Proposed Regulations clarify certain aspects of the means businesses must offer consumers to submit requests to know or to delete. The initial proposed regulations, reaching beyond what the CCPA itself requires, had mandated that businesses provide not only a toll-free number for consumers to call to exercise their rights to know and to delete, but also, for any business that operates a website, an interactive webform that consumers could use to exercise those rights. The Modified Proposed Regulations step back from this requirement. In alignment with the CCPA's text, the Modified Proposed Regulations omit the previously proposed requirement for an interactive webform and, further, provide that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information need only provide an email address for submitting requests to know. (All other businesses must provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number.) Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.
Duty to Respond to Requests to Know. In a helpful addition to the initial proposed regulations, the Modified Proposed Regulations offer businesses much-welcome comfort regarding their obligation to respond to certain requests to know. Many businesses have been deliberating about how to respond to requests to know where the requestor's personal information is not held in a structured manner and thus is difficult, if not impossible, to locate and retrieve. Apparently recognizing the obstacles to granting requests to know in these circumstances, the Modified Proposed Regulations establish that a business is not required to search for personal information if all of the following conditions are met: (1) the business does not maintain the personal information in a searchable or reasonably accessible format; (2) the business maintains the personal information solely for legal or compliance purposes; (3) the business does not sell the personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above. Although the Modified Proposed Regulations refer only to requests to know in this new provision, arguably businesses also would not need to search for any such personal information in response to a request to delete. Personal information that the business maintains "solely for legal or compliance purposes" arguably is also information that, under the CCPA's exceptions from the requirement to grant requests to delete, is justifiably retained despite a request to delete in order to "comply with a legal obligation" and/or for use "in a lawful manner that is compatible with the context in which the consumer provided the information."[3]
The Modified Proposed Regulations also helpfully add guidance on responding to consumer requests to know or delete personal household information. They explain, for example, that:
- Where a household does not have a password-protected account with a business, a business is not required to comply with a request to know specific pieces of personal information about the household or a request to delete household personal information unless: (1) all consumers of the household jointly present the request; (2) the business individually verifies all the members of the household; and (3) the business verifies that each member making the request is currently a member of the household;
- Where a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and requests to delete relating to household information through the business's existing business practices and in compliance with the CCPA's regulations; and
- If a member of a household is a minor under the age of 13, a business may not grant a request for access to specific pieces of information for the household or for deletion of household personal information unless the business first obtains verifiable parental consent for granting that request.
Verification of Requests. The Modified Proposed Regulations also clarify certain aspects of the CCPA's requirement that a business verify the identity of a consumer before responding affirmatively to the consumer's request to know or delete. Among other things, the modifications prohibit a business from requiring a consumer to pay a fee for the verification of his or her request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify his or her identity unless the business compensates the consumer for the cost of notarization.
The Modified Proposed Regulations also provide new guidance on how a business can verify the identity of a consumer whose name the business has not collected, through the consumer's registration, account-creation or otherwise. For example, the modifications state that if a business maintains personal information in a manner that is not associated with a named actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the non-name identifying information. If the business collected information from the consumer via a mobile application, the business could determine whether, based on the facts, it may reasonably verify a consumer by asking him or her to provide information that only the person who used the mobile application may know, or by requiring the consumer to respond to a notification sent to his or her device.
The Modified Proposed Regulations confirm that a business cannot grant a request to know specific pieces of personal information if it cannot verify the identity of the requestor. If there is no reasonable method by which a business can verify the identity of the consumer, the business must say so in response to any request and explain why it has no reasonable method to verify the requestor's identity. And if a business has no reasonable method by which it can verify any consumer, the business must explain that (and why) in its privacy policy (which will convey that the business cannot grant requests to know or to delete). Any such business must evaluate and document annually whether a reasonable method of verification can be established.
Service Providers. As noted, the Modified Proposed Regulations make certain important clarifications about the obligations of service providers under the CCPA. The potential CCPA liability of service providers is evident from the statute's express statement that "[a]ny business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty."[4] But given that the obligations of service providers flow from their contracts with businesses subject to the statute, the circumstances triggering enforcement of this statutory provision are somewhat obscure. The Modified Proposed Regulations offer helpful clarification in this context, providing that:
- If a person provides services to another person that is not a "business" under the CCPA, the person providing services is a "service provider" for CCPA purposes only if it is itself a "business" under the CCPA.
- To the extent that a business directs a second business to collect personal information directly from a consumer on the first business's behalf, and the second business would otherwise meet the requirements and obligations of a "service provider," the second business shall be deemed a service provider of the first business. Thus, although the CCPA defines a "service provider" of a business as a person "to which the business discloses a consumer's personal information for a business purpose," the OAG is defining "service provider" more broadly to include persons who collect personal information on behalf of a business.
- A service provider shall not retain, use, or disclose personal information obtained in the course of providing services except: (1) to perform the services specified in the written contract with the business that provided the personal information; (2) to retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a "service provider"; (3) for internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source; (4) to detect data security incidents, or protect against fraudulent or illegal activity; or (5) to (a) comply with federal, state, or local laws, (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities, (c) cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law, or (d) exercise or defend legal claims;
- A service provider shall not sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business; and
- If a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.
* * *
The modifications described above are only a select group from the many included in the Modified Proposed Regulations. Please do not hesitate to contact us for additional information or if you might wish to submit comments on the Modified Proposed Regulations.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Notes
1. For background on the OAG's initial proposed regulations, please see our Advisory California Consumer Privacy Act Amendments and Proposed Rules: Benefit or Burden?
2. Clean and redlined copies of the text of the Modified Proposed Regulations are available here and here, respectively.