On March 11, California’s Attorney General issued a second round of revisions to the proposed California Consumer Privacy Act regulations (CCPA). Among a number technical corrections and clarifications are several important changes, most notably the removal of the Opt-out / Do Not Sell button, and the guidance provided regarding the interpretation of “personal information”.
However, it is questionable whether this iterative rule-making process will; impact the AG’s approach to enforcement of the CCPA, or businesses’ interpretation of the CCPA and these regulations when they are eventually finalized.
Interpretation of “Personal Information”
The February modifications added guidance illustrating how “personal information” could be interpreted in the context of a business collecting IP addresses on its website that are not linked to a particular consumer or household. The March modifications strike out this provision entirely, leaving businesses to figure out for temselves how to approach this issue under the CCPA.
Notice of Right to Opt-out
The March mofifications also delete the optional Opt-out button. This change does not affect other sections of this regulation, or the statutory requirements for notifying consumers specified in the CCPA.
The modifications also remove the obligation that user-enabled privacy controls require consumers to affirmatively select their choice to opt-out and not be designed with any preselected settings.
Notice at Collection of Personal Information
The March modifications adds language that states a business that does not collect personal information directly from a consumer is not required to provide a notice at collection if it does not sell the consumer’s personal information.
The latest modifications revise the term “financial incentive” to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.”
The definition previously described the term as “including payments to consumers as compensation, for the disclosure, deletion, or sale” of personal information. The new “related to the collection, retention, or sale” language also is included in the “price or service difference” definition and in the Notice of Financial Incentive regulation.
The March modifications required privacy policies to identify the categories of sources from which personal information is collected and identify the business or commercial purposes for collecting or selling the information.
Responding to Requests to Know and Delete
While businesses are prohibited from disclosing certain personal information in response to a request to know, including a consumer’s Social Security number, driver’s license number and other specialized personal information, the March modifications add language requiring a business to disclose it has collected this particular type of data.
Where a business that sells personal information denies a deletion request, that business will now be required to ask the consumer if they wish to opt out of the sale of their personal information.
The AG has revised exemptions to the general rule that a service provider cannot retain, use, or disclose personal information obtained in the course of providing services. The new exemptions significantly decrease a service provider’s ability to use personal information to perform services generally. Service provider must now limit the use of personal information “on behalf of the business that provided the personal information.”
A previous provision that permitted a service provider to use personal information for internal purposes, such as to build or improve the quality of its services has also been revised. In these revisions, the AG made clear this exemption does not allow a service provider to build or modify consumer profiles to use in providing services to another business or to correct or augment data acquired from another source.
The changes in this latest revision becons to covered businesses to be prepared. It is still possible that further revisions will follow before the CCPA becomes effective on July 1, this year.
The California AG’s CCPA website provides comprehensive information describing the rule-making process, as well as comments received on previous proposed modifications. Comments regarding the March modifications can be submitted in writing up until March 27.