California AG Issues Revised Proposed CCPA Regulations
The California Attorney General (AG) recently published modified proposed California Consumer Privacy Act (CCPA) regulations. Comments on the modified proposed regulations must be submitted by 5:00 PM (PST) on February 25, 2020.
The modified proposed regulations incorporate the recent amendments to the CCPA that were enacted after the AG issued the original proposed regulations on October 10, 2019. They also reflect the public comments that the AG received on the original proposed regulations.
Notices to Consumers
Changes to the original proposed regulations regarding the required notices to consumers include, in part, the following:
- To satisfy the requirement that the notice at the point of collection be accessible to consumers with disabilities, businesses providing online notices must follow generally recognized industry standards (e.g., the Web Content Accessibility Guidelines from the World Wide Web Consortium).
- When personal information (PI) is collected over the telephone or in person, a business may provide the notice required at the point of collection orally.
- A just-in-time notice is required when a business collects PI from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.
- The modified proposed regulations provide a model opt-out button and specifically state how it should be displayed on a business’s webpage.
- If a business that does not collect PI directly from consumers is registered with the AG as a data broker, it does not need to provide the notice at the point of collection if it has included in its data broker registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt out.
- Although a business collecting employment-related information must generally comply with the notice at the point of collection requirements, such business: (i) does not need to include a link or web address to the “Do Not Sell My Personal Information” or a “Do Not Sell My Info” page, and (ii) may replace the link or web address to the business’s privacy policy for consumers with a link or web address to the business’s privacy policies for job applications, employees, or contractors.
- The modified proposed regulations also clarify some of the information that must be included in a business’s privacy policy.
Business Practices for Handling Consumer Requests and Verification of Requests
Changes to the original proposed regulations regarding how businesses must handle consumers’ requests include, in part, the following:
- A business that operates exclusively online and has a direct relationship with consumers is only required to provide an email address for submitting requests to know.
- The modified proposed regulations also clarify the information that must be disclosed to consumers when a business responds to requests to know. Moreover, in responding to a request to know, a business is not required to search for PI if the business: (i) does not maintain PI in a searchable or reasonably accessible format, (ii) maintains PI solely for legal or compliance purposes, (iii) does not sell PI or use it for any commercial purpose, and (iv) describes to consumers the categories of records that may contain PI that it did not search because it met the aforementioned required conditions.
- A business is prohibited from requiring a consumer to pay a fee for the verification of a request to know or request to delete (e.g., the business “may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization”).
- In connection with requests to delete, a business is no longer required to specify the manner in which the information was deleted. However, if the business sells PI and the consumer has not already made a request to opt out, the business must ask the consumer if they would like to opt out and include either the contents of or a link to the notice of right to opt out.
- A business that alone or in combination buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes PI of 10,000,000 or more consumers in a calendar year (originally 4,000,000) is subject to additional requirements.
Moreover, the modified proposed regulations: (i) revise the requirements for collecting PI from minors, (ii) clarify how a business can comply with the CCPA’s non-discrimination provisions, (iii) amend and add certain definitions, (iv) include additional illustrative examples for various requirements, and (v) delete certain duplicative provisions. WBK covered the AG’s original proposed CCPA regulations here and the recent amendments to the CCPA here.