A February 2020 Surprise: California Attorney General Proposes Significant Revisions to CCPA Regulations

Just as companies were starting to recover from their exertions to put in place California Consumer Privacy Act (“CCPA”) compliance programs before the law’s January 1, 2020 entry into force, the California Attorney General (“AG”) provided an early February surprise. CCPA watchers long expected that the AG would revise the CCPA regulations he initially proposed on October 10, 2019. But when the AG actually released his proposed regulations on February 7 – a proposal he subsequently modified slightly on February 10 – both the timing and breadth of the revisions were surprising. In short, the revisions were both sooner and more significant than expected.

Luckily, however, the changes also seem to be largely practical amendments that should reduce unnecessary compliance burdens. Of particular note, and as developed in more detail below, the AG’s revisions make clear that:

  • information – and, in particular, technical Internet information like an IP address – is not “personal information” under the statute if a business does not maintain the information in a manner that would allow it to be linked to a particular consumer or household;
  • privacy policies do not need to include, as the first draft of the regulations suggested, a detailed cross-tab providing, for each category of personal information collected, the sources from which it was collected, the purposes for collecting it, and with whom it is shared;
  • businesses are not obligated to search for personal information in response to an access request if doing so would be overly burdensome and the data is not sold or used for a commercial purpose; and
  • service providers are allowed to use personal information to improve their products and services, so long as they aren’t using the information to build profiles or clean or augment other data.

We describe the key changes in the new proposal below and follow that description with a discussion of the procedural path forward – i.e., what steps remain until the regulations become binding and whether, given those steps, businesses should now assume that the final regulations will look like the latest draft. To that end, although it seems likely that the later in the regulatory process we get, the more unlikely significant changes will come, the AG is accepting comments on the proposed regulations until Tuesday, February 25, 2020 at 5:00 p.m. PST.

What key changes did the Attorney General make in his most recent proposed regulations?

As noted above, the AG’s revisions are more extensive than anticipated. The entire set of revisions is thus worth a careful read. Nonetheless, for your convenience, we flag below what we believe to be the most significant changes, keyed to the relevant regulatory section:

  • Unlinked information is not “personal information” (§ 999.302 in the revised regulations). The definition of “personal information” has been one of the most perplexing aspects of the CCPA, as businesses have struggled to apply its broad terms. In these revisions, the Attorney General did not change the definition, but he helpfully clarified its scope. In particular, the regulations now make clear that, if a business does not maintain information in a way that identifies, relates to, describes, or can reasonably be linked or associated with a particular consumer or household, that information is not personal information, regardless of whether it could be personal information under the CCPA in other contexts (because, for example, the information is a “unique identifier” that could be maintained in a way that links it to a consumer or household). The revised regulations further point as an example to what is likely the most significant application of this new guidance: Internet Protocol (“IP”) addresses. The revised regulations explicitly state that IP addresses will not be considered “personal information” for CCPA purposes when businesses do not themselves link IP addresses they collect (e.g., through their websites) to a particular consumer or household.
  • Practical guidance on accessibility requirements (§ 999.305-08). The AG’s original proposed regulations made clear that CCPA-required notices must be accessible to consumers with disabilities, and the recent revisions provide clarity on that requirement. In particular, the revisions point businesses to a recognized industry standard for website accessibility—the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018 (“WCAG 2.1”)—and note that businesses can in some contexts provide information to a consumer about accessing the notice in an alternative format.
  • Additional clarification regarding “point of collection” notices (§ 999.305). The revised proposal clarifies numerous minor aspects of the “point of collection” notice requirement, including that notices should be adapted to the context in which the consumer’s information is collected (e.g., when information is collected telephonically, consumers should be informed orally). Most importantly, the revised regulations explicitly state that, when a business collects personal information from a customer’s mobile device for a purpose a consumer would not reasonably expect, the business must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to a full notice. (The example the regulations provide of unexpected collection is a flashlight application collecting geolocation information.)
  • No attestation requirement for third party sources of personal information (§ 999.305). One of the most potentially onerous requirements of the AG’s initial proposed regulations was that a business which wanted to re-sell personal information collected from a third-party source had to either (1) provide notice to the consumer; or (2) obtain, retain for two years and make available upon request, an “attestation” from the third-party source that the consumer had received the required privacy disclosures. The revised regulations do away with this general requirement and instead simply state that data brokers registered with the AG pursuant to the new California data broker law do not need to provide a notice to the consumer at the point of collection, provided their data broker registration includes a link to their privacy policy and instructions on how to submit an opt out request.
  • Clarifications with respect to employee notifications (§ 999.305). The revised regulations clarify that employment-related information notices do not need to include the opt-out of sale link. It also specifies that the notice at collection of employment-related information may include a link or paper copy of a business’s privacy policy for applicants, employees or contractors in lieu of the general consumer-facing privacy policy, tacitly acknowledging that many businesses are creating separate policies for HR purposes.
  • Optional “opt-out” button unveiled (§ 999.306). When the AG issued the first draft of his proposed regulations, he noted that a “Do Not Sell” button or logo would follow later. The revised regulations deliver on that promise, although they also make the button (called a “toggle” by the regulations) optional and only allow it alongside a tagline. (Interestingly, research cited by the Attorney General indicates that the use of taglines – e.g., “Do Not Sell My Information” – are more effective than the toggle in conveying the opt-out choice to consumers.) The revised regulations also state that opt-out methods “shall require minimal steps,” indicating that the Attorney General’s Office may well scrutinize overly-complex rights processes.
  • Welcome revisions to privacy policy guidance (§ 999.308). The new proposal makes several tweaks to the guidance on required privacy policies, including an important change that removes the initial proposal’s requirement that businesses specify the categories of sources, purposes of collection, and other information on a category-by-category basis for each subcategory of Personal Information. This reasonable and welcome change should give companies greater comfort in streamlining their privacy policy to avoid the repetitive granular disclosures the prior regulations demanded.
  • Removal of webform requirement for right to know and delete requests (§ 999.312). The AG’s revisions to the regulations maintain the requirement that businesses must provide at least two methods for businesses to submit right to know and delete requests. The revisions eliminate, however, one of the requirements included in the last regulatory draft – i.e., that businesses which operate a website must include an interactive webform as one of the methods. This practical change could ease compliance burdens on businesses with websites that don’t typically interact with their customer online.
  • Removal of requirement for two-step deletion process (§ 999.312). One of the innovations in the AG’s first regulatory proposal was the requirement that businesses put in place a two-step deletion process, with the first step submission and the second confirmation. While understandable, this requirement raised questions about how to operationalize the requirement, and businesses will thus be thankful to see that the AG has changed the deletion two-step from mandatory to optional.
  • Express limits on searching data (§ 999.313). The AG’s revised regulations place reasonable and welcome limits on businesses’ search responsibilities in response to right to know requests. In particular, the regulations state that a business is not required to search information if a four-part test is met: namely, that the business (1) maintains the data only for legal or compliance purposes, (2) does not maintain the data in searchable/accessible format, (3) does not sell or use the data for a commercial purpose, and (4) describes to a consumer who submits such a request the categories of records that may contain personal information that it did not search under these criteria. Businesses should clearly delineate the purposes for data retention so that they more readily satisfy these conditions.
  • Revised (and potentially narrower) guidance on security issues with respect to specific pieces of information (§ 999.313). The initial proposal prohibited businesses from providing certain types of data (e.g., Social Security number) in response to requests for specific pieces of personal information. It also gave businesses the discretion not to disclose information if doing so produced substantial and unreasonable security risks to the consumer or to the business. The new proposal strikes the latter provision, while maintaining the limited number of highly sensitive data types that businesses are prohibited from disclosing and expanding the list to include biometric data. This could limit businesses’ ability to withhold information for security reasons, although nothing in the revised regulations affects a business’s obligation not to disclose information that would infringe the privacy rights of other individuals.
  • Guidance on deleting archived or backup information (§ 999.313). The revised proposal clarifies that businesses do not need to honor requests to delete “with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.” (Emphasis added on certain revisions.) This small change may be a significant help to businesses seeking to determine their obligations with respect to archival or backup systems.
  • Service providers given more leeway to use data internally (§ 999.314). One of the most restrictive portions of the original proposed regulations was a provision stating that “service providers” under the CCPA were not permitted to use personal information for any of their own, internal purposes except in narrow circumstances (i.e., to detect data security incidents or protect against fraud or crime). The revised proposal removes this restriction and expressly permits service providers to use data to, among other things, build on or improve the quality of the services they provide (so long as they do not build or modify household or consumer profiles or clean or augment data acquired from another source). If the revised provisions are finalized as proposed, service providers and businesses alike may wish to reconsider the terms of their service provider agreements, depending on how those agreements were originally drafted.
  • Clarification of responsibility to pass along opt-out requests (§ 999.315). One of the most discussed provisions in the AG’s first regulatory proposal was the requirement that businesses pass along opt-out of sale requests to any third parties to whom the business had sold information within the last 90 days. The regulatory revisions pull back on that requirement, now only obligating businesses to pass along opt-out requests to third parties if the business sold information to that third party after the consumer submitted, but before the business took action on, the opt-out request. (Businesses have 15 days to comply with opt-out requests.)
  • Revisions to record-keeping and reporting requirements (§ 999.317). The AG made a number of revisions to one of the more novel sections of the regulations – the record-keeping and reporting requirements. In particular, among other things, the revised regulations: require businesses to “implement and maintain reasonable security procedures and practices in maintaining” records; forbid businesses from using information maintained for record-keeping purposes for any other purpose “except as reasonably necessary for the business to review and modify its processes for compliance with the CCPA and these regulations”; and increase the volume of personal information that triggers annual reporting of privacy request metrics in the business’ privacy policy from 4 million to 10 million in a calendar year. Overall, while none of the changes to the record-keeping and reporting requirements are particularly substantial, there are a number of meaningful and practical changes businesses should consider.
  • Revised “household” guidelines (§ 999.318). The revised regulations further clarify the definition of “household” under the CCPA and provide additional guidance for verifying requests to access or delete household information. Specifically, the revised regulations now define “household” to mean the following (with newly added language in italics): “a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” The revised proposal also imposes additional limits on when businesses can honor household requests to delete or know specific pieces of information, by requiring businesses not only to verify each member of the household, but also to verify that each member making the request is currently a member of the household.
  • Further guidance on financial incentive, with examples (§ 999.336). Revisions to the non-discrimination requirements provide concrete examples. For example, the revised regulations explain that loyalty programs and premium services offering product or service differentials tied to the consumer’s willingness to sell his or her personal information are discriminatory and can therefore only survive if the business properly quantifies the value of consumer’s data to the business. On the other hand, the revised regulations note as an example that a business does not discriminate when it refuses to delete personal information necessary to provide a rewards program tied to the amount that the consumer spends with the business. The revised regulations also clarify that both financial incentive and price or service difference programs must be “reasonably related” to the value of a consumer’s data.

Can businesses now rely on the AG’s revised proposed regulations?

The CCPA requires the AG’s regulations to become effective on or before July 1, 2020. In order to hit that deadline, the AG must send his proposed regulations to the Office of Administrative Law no later than April 16, 2020. The Office of Administrative Law then has 30 working days to review, approve and file the regulations with the Secretary of State. To hit the July 1st effective date, the Office of Administrative Law must file by May 29, 2020 (the deadline is technically May 31st, but that day falls on a Sunday in 2020). The AG must publish the version of the regulations that the Office of Administrative Law files with the Secretary of State no later than 15 days after those rules are submitted.

As noted above, the AG has asked for comments on his most recent regulatory proposal by February 25. Although we can expect the AG to make revision in light of the comments he receives, the short turnaround before he needs to get the regulations to the Office of Administrative Law may limit his ability to alter the regulations dramatically. Moreover, given the short period of time between the latest date on which the draft regulations may be made public and the regulation’s effective date, businesses may not have much time to absorb the final version of the regulations before compliance efforts will need to begin. Thus, it may be prudent for businesses to get started on revising compliance procedures based on the current draft regulations in order to give themselves the best chance to be ready in time.