The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, granting Californians new privacy rights concerning their personal information. Among those are the rights to know what personal information is being collected by businesses, access that information upon request, opt out of the sale of that information, and to not be discriminated against if they choose to exercise any of these rights. The California Attorney General, Xavier Becerra, is charged with enforcing these rights under the CCPA, with enforcement set to start on July 1, 2020. The CCPA authorized the Attorney General to adopt regulations to implement, interpret, and enforce the provisions of the CCPA.
With that deadline looming, interest in the California Attorney General Office’s (“CA AG”) regulations is intensifying. The latest round of changes to the CCPA regulations, the third version to be circulated, was released on March 11, 2020 (“Version 3”). Below are some changes worth noting as businesses prepare for CCPA compliance.
Definitions
Version 3 changed the definitions of “financial incentive” and “price or service difference” to include payments or a price change or rate related to “collection, retention, or sale of personal information”, and deleted the words “disclosure” and “deletion.” While this change may seem minor, it appears to signal a broadening of the CA AG’s control in regulating the space around any discrimination under the CCPA. The addition of the word “collection” specifically increases and broadens the circumstances where the CA AG may choose to involve its office to enforce the anti-discrimination provision within the CCPA. For a regulation where the CA AG has signaled it plans to act aggressively in enforcing the law, such a broadening is worth noting.
Guidance Regarding the Interpretation of CCPA Definitions
This section is deleted in Version 3, likely because it limits further regulation of definitions surrounding “personal information” as defined in the CCPA.
Notice at Collection of Personal Information
The latest regulation also clarifies that if a business does not collect personal information directly from a consumer, that business does not need to provide a notice at collection so long as that business does not sell the consumer’s personal information. Thus, where a business receives consumer information from another business, and not from the consumers themselves, the business would not have to provide notice of that receipt to the consumer at the time the information is collected, but only if it does not itself subsequently sell the information to others. The CCPA defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another. This change does not appear to alter the requirement for the business initially collecting consumer information to provide notice of that collection at the time of collection and to provide notice that the information is provided to the other business. This section also explicitly excludes businesses from having to link to a privacy policy where they are collecting employment-related information.
Opt-Out Button or Logo
Version 3 also removes discussion of the appearance of the “Opt-Out Button” that businesses were required to include on their websites to allow consumers to opt out of the sale of their information. This is an odd deletion, as the text of the CCPA specifically indicates that details about the requirements of this Opt-Out Button would be provided in the regulations.
Privacy Notice
The requirements of the privacy policy required by the CCPA have been amended to bolster the disclosure requirements. In the latest version of the regulations, businesses are now required to identify the categories of sources from which the personal information is collected and in a way that provides consumers with a “meaningful understanding of the information being collected.” They are also now required to identify the specific business or commercial purpose for collecting or selling the personal information they collect, again in a meaningful way that allows consumers to understand why the information is collected or sold.
Service Providers
Service providers, a business that provides services to a person or organization that is not a business and otherwise meets requirements for service providers in the CCPA, are given a few exceptions from the requirement not to retain, use or disclose personal information obtained in the course of providing services. These exceptions allow for the retention of personal information for processing and maintenance on behalf of the business requesting the service as specified in a written agreement. Another exception allows service providers to process and maintain personal information where the personal information is used to build or improve the quality of services so long as consumer profiles are not built or modified to use in (i) providing services to another business or (ii) correcting or augmenting data acquired from another source.
Requests to Opt-Out
While businesses were initially prohibited from pre-selecting privacy control options on communications to the consumer and requiring consumers to select their preference, Version 3 allows businesses to communicate those controls to the consumer with certain privacy controls having already been selected. This change requires consumers who disagree with the businesses’ choice of privacy controls to change the selection, likely decreasing the likelihood that such changes would be made.
Training and Record-Keeping
Version 3 adds a scienter standard to the recordkeeping obligations of the CCPA. Scienter is a legal standard which here provides that a business should “know or reasonably should know” they are in compliance with the CCPA for recordkeeping purposes. This language creates a legal obligation for businesses to compile metrics related to requests by consumers to exercise their rights under the CCPA and the business’s response to those requests once any business, cumulatively, has bought, received, sold, or shared the information of 10 million consumers in one calendar year.
General Rules Regarding Verification
Version 3 provides that a consumer’s authorized agent does not have to pay for the verification of the consumer’s request to know or request to delete. An “authorized agent” means a natural person or a business entity registered with the Secretary of State of California that a consumer has authorized to act on the consumer’s behalf subject to the requirements set forth within the CCPA. This poses obstacles for businesses in promulgating requirements for valid authorization according to the CCPA. As the law currently states, businesses may not require consumers to provide a notarized affidavit to verify identity unless the business compensates the consumer for the cost of notarization. The changes in Version 3, however, introduce a variable amount of cost and liability on businesses while forcing them to make decisions regarding the lengths they will go to in thoroughly verifying requests according to the CCPA.
Non-Discrimination – Value of Consumer Data
While it is a small change, Version 3 provides that a price or service difference that is the direct result of compliance with state law, in addition to federal law, shall not be considered discriminatory. A not-so-small change to this provision in Version 3 limits a business’s ability to calculate consumer data to all natural persons in the United States instead of all natural persons. This would have a substantial effect on the average and aggregate value to businesses of the sale, collection, or deletion of consumers’ data divided by the total number of consumers. It would also significantly increase the amount of revenue derived from the sale, collection or retention of consumers’ personal information given it is limiting the denominator to a smaller number of consumers. Projections in calculating the value of consumer data would be relative across the board under this change in Version 3, but it is important to consider the change in scale.
Businesses should monitor these regulations closely and look for a final version of the Regulations to be released by the Attorney General’s office. Version 3 may look substantially similar to the final version of the Regulations for the enforcement of the CCPA. Therefore, businesses should begin to learn how they can incorporate these into practices and processes for CCPA compliance since enforcement by the Attorney General’s Office is starting July 1, 2020.
Many businesses have expressed concerns about their ability to be prepared for the Attorney General’s enforcement deadline given the COVID-19 pandemic. But the CA AG has made clear that it is moving forward with enforcement as scheduled. Moreover, businesses must recognize that the CA AG can enforce the Proposed Regulations as soon as they are finalized, even if that date is before July 1, 2020.