New Revisions to the CCPA

Author: Susan Kohn Ross

The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principals by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind and on February 7, 2020 revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.

To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes.

Privacy Policy

The first such change is to clarify there is a distinction between the requirement to give notice that personal information is being collected and having a privacy policy. The notice requirement being a compliant notice be given that personal information is being collected and it appears at or near the place of collection and the intended uses of that data are included. Whereas, a privacy policy is defined as a “statement that a business shall make available to consumers describing the business’s practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their own personal information.” Companies may, of course, use a link from the collection notice to the privacy policy to provide any needed notice details, but if doing so, the link should be to the relevant section(s) and not the privacy policy generally.

Notice of Collection

The new regulations go on to make the point that personal information (herein either “PI” or “data”) is a matter of context. Using the illustration of an IP address, and noting that whether or not its retention qualifies as personal information “depends on whether the business maintains the information in a matter that ‘identifies, relates to, describes, is reasonably capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.'” If that link does not exist, the IP address is not personal identification, but then best practice would dictate the company make clear what it does and does not associate with the data it retains.

The new regulations go on to reinforce the point the notice of collection should be presented timely, i.e., at or before the point of collection, and makes clear the categories of data being collected and the intended purposes. The regulations now also require accessibility for all consumers by implementation of the World Wide Web Consortium, Web Content Accessibility Guidelines, version 2.1 (June 5, 2018) standard (available here).

There is also an attempt at further clarity regarding where the notice should be presented. For example, if the business collects personal information online, the notice should be on the home page and all other pages where personal information is collected. If the data is collected through a mobile app, the notice should be on the landing or download page and within the app, such as through the user’s settings menu. If the data is collected offline, then print forms and conspicuous signage should be used to direct the consumer to where the notice can be found offline. Lastly, if the information is collected by telephone, the notice may be provided orally.

There is also the caution that when data is collected by a mobile app that is not “reasonably expect[ed],” a just-in-time link to a notice with a summary of the categories of personal information being collected and a link to the full notice is to be provided. The illustration used is a flashlight app that collects geo-location data.

Helpful to business is a broader definition of when a business may use personal information. Now the standard is the business may use the personal data so long as that use is not “materially different” from the uses disclosed in the collection notice. If the intended use is “materially” different, then notice must be given and explicit consent received from the consumer. Helpful to data brokers is a change that allows them to register with the CA AG as a data broker and eliminates the need to provide collection notices but only if the data broker provided a link to its online privacy policy in the registration submission and that policy includes clear instructions as to how to opt-out.

Read the entire article.