On February 7, the Office of the Attorney General of California issued a second draft of its California Consumer Privacy Act regulations, quickly fixed an omission from that draft Feb. 10, and set a Feb. 25 deadline for written comments. While "Version 2.0" of the regulations scales back several of the ways the first version exceeded the plain language of the statute, it keeps the do-not-sell signal requirement and adds proposed restrictions on service provider handling of personal information.
Definitions. Notable clarifications include: (1) tightening the definition of “household” data as people who not only live at the same address, but also share a common device or service from the business, and are identified as sharing the same account or unique identifier; (2) adding examples of “categories of [data] sources” and “categories of third parties” that must be disclosed to consumers and specifying these “must be described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity” (§999.301 (d)(e) and (3) specifying whether information is “personal information” depends upon how the information is maintained so that if an IP address cannot reasonably link to a particular consumer or household, it is not personal information (§ 999.302).
Notice. The “at collection” notice requirements have expanded somewhat from "Version 1.0." The regulation appears to require notices on “all webpages where personal information is collected,” as well as both on a mobile app download page “and within the app,” such as through the app’s download page or settings menu. Oral notice would be permissible when information is collected in person or over the phone (§ 999.305(a)(3)(d)). Also, a just-in-time notice requirement for mobile device personal information collection “that the consumer would not reasonably expect” has been added.
Accessibility standards. Version 2.0 clarifies that, for notices provided online, businesses “shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium,” which Version 2.0 incorporates by reference.
Do Not Sell Notice (§ 999.306). The proposed regulations require opt-in consent, instead of a total ban, for sale of personal information collected when a “do not sell” notice is not posted. Also, Version 2.0 sets out an optional “do not sell” icon but requires the posting of a “do not sell” link regardless of whether the icon is posted.
RESPONDING TO REQUESTS TO KNOW AND REQUESTS TO DELETE
Timing. The timeline for initial acknowledgement of a request to know or to delete would be extended to 10 business days.
Requests to know. Version 2.0 adds a consumer’s unique biometric information to the list of sensitive information that must not be disclosed in response to an access request and adds an exception to requests to know for information that is maintained solely for legal or compliance purposes and not otherwise used or disclosed.
Requests to delete. Under the proposed regulations, businesses no longer need to treat an unverified deletion request as an opt-out of sales. Instead, they are permitted to ask the consumer if they would like to opt out of the sale of the personal information. Businesses would also be permitted to retain a record of a deletion request for the purpose of ensuring the consumer’s personal information remains deleted from the business’s records. Version 2.0 also provides some clarity regarding the deletion exception for data stored on backup systems, explaining that personal information does not need to be deleted unless the data in the backup system is restored to an active system or is accessed or used for a sale, disclosure or commercial purpose.
Submitting requests. Version 2.0 also eliminates the previous requirement that businesses with a website must provide an online web form for submitting requests to know. Now, businesses operating exclusively online only need to maintain a consumer request email address for requests. All other businesses must provide a toll-free number and at least one other method for requests. Businesses should consider the method by which they primarily interact with consumers when choosing the additional method for deletion requests.
Service providers (§ 999.314). The most significant revisions to these rules allow service providers to use personal information for their own internal purposes but bar using it to build consumer profiles, “clean” personal data or augment the data with data obtained from another source. None of these terms is defined, and their meaning is unclear. The revision also clarifies that a service provider, in possession of a request to delete or know, must either act on behalf of the business or inform the consumer they cannot process the request because they are a service provider.
Requests to opt-out requests (§999.315). The revised rules clarify the opt-out process should be easy to use and allow consumers to exercise their rights without being subject to multiple steps that are intended to or have the effect of burdening the submission of an opt-out. The mechanism must be designed to allow consumers to affirmatively opt out and cannot be designed with any pre-selected settings. Under the proposed regulations, companies would have 15 business days to act on a “do not sell” request upon receipt. They must also notify third parties they may have sold the consumer’s information from the opt-out request and direct them to not sell the consumer’s data during the processing time frame. This replaces the requirement of having to notify all third parties within 90 days prior to the receipt of the consumer’s opt-out.
Request to opt-in after opting out (§ 999.316). The rule is modified to allow a business to obtain an opt-in, if the customer initiates a post-opt-out purchase of a service. In response to a sale initiated by the customer, the business can request an opt-in after it informs the customer the purchase or requested transaction requires the selling of personal information to third parties.
Training and record keeping requirements (§ 999.317). The most significant change to the requirements under Section 999.317(g) is the modification that applies to businesses that buy, sell or use for commercial purposes the personal information of 10 million or more consumers within a single calendar year. The revision should reduce the application of this reporting obligation and allow more flexibility.
Requests to access or delete household information (§ 999.318). The revisions add a verified joint request protection that shields the records of other household members from household accounts, unless the requester has the password for a password-protected account. The revisions also clarify that when members of a household are under 13, verified parental consent must be obtained before a business can fulfill requests for access or deletion of specific personal information.
Verification of requests (§ 999.318). The revisions to the verification requirements prohibit businesses from charging fees to requestors. A fee would include costs that a business requires a consumer to incur to meet the business’s verification process, such as when a business requires a notarized affidavit. To the extent there are costs to consumers for complying with these types of requests, the revisions prohibit these “fees” from being imposed on consumers.
Verification for non-account holders (§999.318). The examples for verifying consumers are revised to include a response to an in-app and (for retailers) providing a transaction amount or item purchased (instead of credit card number).
Authorized agent requests (§ 999.326). Unlike the statute, the draft regulations allow authorized agent requests to delete and know. Version 2.0 allows the business to require the consumer to provide the agent with a signed permission to submit a request on the consumer’s behalf (mirroring the change in § 999.315(g)) and directly confirm the authorization of the agent with the business. Version 2.0 includes new obligations on authorized agents: to implement and maintain reasonable security procedures and practices and restrict use of any information collected from or about a consumer except to fulfill the consumer’s request for verification or fraud purposes.
Minors under 13 years of age (§ 999.330). Version 2.0 fixes a drafting error that would have required opt-in consent for collecting or maintaining personal information of children under the age of 16. It now requires opt-in for “sale” of personal information consistent with the statute language.
Discriminatory incentives to waive rights (§ 999.336). Version 2.0 goes a step further than the previous version by prohibiting businesses from offering incentives unless they can calculate a good-faith estimate of the value of consumer data or demonstrate the reasonableness of the financial incentive, price or service difference. New examples of discriminatory and non-discriminatory practices are provided.
Calculating the value of consumer data (§ 999.337). Businesses have the flexibility to “consider” rather than “use” the methods listed in the regulation for calculating the value of customer data and may consider the value of the data of all-natural people.
Learn more by contacting any of the authors.
This article also appears on the IAPP's blog, Privacy Tracker.