Wednesday, February 19, 2020
Author: Susan Kohn Ross
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. In October 2019, the California Attorney General (“CA AG”) published proposed regulations. In the lead-up to January 1, 2020, the CA AG repeatedly made the point that those subject to the CCPA should plan for compliance with its broad principles by the first of the year, while admitting enforcement would not start until the regulations were final, meaning July 1, 2020. As part of this process, the CA AG advised he did not expect there to be significant changes to the regulations between October and July. However, upon receiving comments to those October proposed regulations, he changed his mind, and on February 7, 2020, revised regulations were issued. A subsequent notice on February 10, 2020 corrected the earlier publication, which omitted certain updates.
To be clear, some of the changes were long awaited (such as what the “Do Not Sell My Personal Data” button looks like), while others were unexpected (such as the change to the training requirement by raising the level of records from four million to ten million). This Alert will summarize the key proposed changes.
Notice of Collection
The new regulations go on to make the point that personal information (herein either “PI” or “data”) is a matter of context. They use the illustration of an IP address, noting that whether or not its retention qualifies as personal information “depends on whether the business maintains the information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household.'” If that link does not exist, the IP address is not personal information, but best practice would then dictate that the company make clear what it does and does not associate with the data it retains.
The new regulations go on to reinforce the point that the notice of collection should be presented in a timely manner, i.e., at or before the point of collection, and should make clear the categories of data being collected and the intended purposes. The regulations now also require accessibility for all consumers through implementation of the World Wide Web Consortium's Web Content Accessibility Guidelines, version 2.1 (June 5, 2018) standard.
There is also an attempt at further clarity regarding where the notice should be presented. For example, if the business collects personal information online, the notice should be on the home page and all other pages where personal information is collected. If the data is collected through a mobile app, the notice should be on the landing or download page and within the app, such as through the user’s settings menu. If the data is collected offline, then print forms and conspicuous signage should be used to direct the consumer to where the notice can be found offline. Lastly, if the information is collected by telephone, the notice may be provided orally.
There is also the caution that when data is collected by a mobile app that is not “reasonably expect[ed],” a just-in-time link to a notice with a summary of the categories of personal information being collected and a link to the full notice is to be provided. The illustration used is a flashlight app that collects geo-location data.