February 12, 2020
Recently, the California Consumer Privacy Act (“CCPA”) regulations were modified by the California Attorney General.
The latest CCPA modifications were released on February 7, 2020, in an attempt to address issues that were raised during the public hearing and comment period that followed the release of the proposed regulations on October 11, 2019. The California Attorney General has announced a deadline of February 24, 2020, at 5:00 p.m. (PST) to submit written comments, in yet another attempt to clarify CCPA law.
How have the proposed regulations changed?
The California Attorney General has provided a redlined version of the CCPA regulations. Some of the proposed modifications that merit highlighting include:
- The definition of “categories of third parties” with whom businesses share personal information has been revised to require businesses to describe third parties with enough particularity so that consumers can understand what type of businesses those third parties are. Examples of categories of third parties include advertising networks, Internet Service Providers, data analytic providers, governmental entities, operating systems and platforms, social networks, and data brokers.
- The “personal information” definition has also been updated to explain that information will be deemed “personal information” only if it “is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, an IP address will not be deemed “personal information” if that IP address is not reasonably linked to any particular consumer or household.
- The CCPA requires businesses to provide consumers with notice of the personal information that is collected from them at or before the point of collection. The modifications will allow businesses that collect personal information over the telephone or in-person to now orally provide the notice of collection over the telephone or in person.
- According to the modified regulations, data brokers that are registered with the California Attorney General will not have to provide consumers with notices of collection if they have included in their applications for data broker registration links to their online privacy policies that include instructions on how consumers can opt-out from the sale of their personal information.
- The new regulations clarify that businesses that do not sell personal information, and that explain this in their respective privacy policies, will not need to provide consumer opt-out notices.
- In addition to posting the opt-out notice, but not in lieu of this notice, the revised regulations now allow businesses to use the following buttons:
- The proposed regulations explain that businesses will no longer be required to use a two-step process for online requests to delete.
- Businesses that cannot verify the identity of a consumer who is exercising her/his request to delete may, under the revised regulations, notify the consumer that she/he cannot be verified (and, as such, the request to delete will be denied) and ask the consumer if she/he would like to opt-out of the sale of her/his personal information.
- Pursuant to the express language of the CCPA, businesses must comply with requests to opt-out no later than fifteen (15) business days from the date that businesses receive the subject requests. The proposed regulatory modifications now provide that if a business sells a consumer’s personal information after the request to opt-out has been received, but before that business has complied with the request, it must notify third parties that have received consumer personal information from the company in this interim period that the consumer has elected to opt-out and that these third parties may no longer sell that consumer’s personal information.
- Previously, businesses that, alone or in combination, bought, sold, shared or received for commercial purposes, the personal information of four million or more consumers in a calendar year, had to provide metrics regarding the processing of requests to know, delete and opt-out, and the median or mean number of days within which they responded to those requests in their respective privacy policies. The consumer threshold has been changed in the modified regulations from four million to ten million consumers.
Compliance with CCPA Law
The CCPA went into effect on January 1, 2020. The California Attorney General is scheduled to begin CCPA enforcement on July 1, 2020. Until then, businesses should be working diligently to ensure that their privacy policies are up to date and that all required CCPA notices are compliant with evolving CCPA law regulations. If you are interested in learning more about this topic or require assistance in connection with consumer data privacy compliance for your business, please email us at email@example.com, or call us at (646) 713-1684.
The material contained herein is provided from informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Related Blog Posts: