CCPA Regulations Continue to be Massaged by AG
Only in California - Compliance deadline of January 1, 2020 is still in place despite rules of compliance still being written.
The Office of the Attorney General noticed a second set of revisions to the regulations governing the CCPA. This comes on the heels of the close of the comment period to the first set of proposed changes, which closed on February 27.
Here is a link to the first set of proposed changes, which came out on February 7. Here is a link to the second set of proposed changes, which came out on March 11. The first set of proposed changes are still identifiable in the second set.
This second set of proposed changes are subject to a comment period until March 27. CCPA is already the law and the AG's office is still planning to start enforcement in July 2020.
Some of the key proposed changes (unless otherwise indicated, citations are to Title 11, Chapter 20 of the California Code of Regulations):
Deletion of Guidance on Definition of “Personal Information.” The Attorney General’s last round of proposed regulations added a new section 999.302, which explained that, to qualify as personal information, the information must be reasonably capable of being associated with a consumer or household. The regulation also explained that IP addresses that cannot be linked to consumers or households do not qualify as personal information. The second set of modified regulations now delete section 999.302.
Notice at Point of Collection. The regulations now state that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.” This addition resolves (assuming there are no other changes) a glaring omission in the modified regulations with respect to the provision of notices by entities that do not interact directly with consumers. (See § 999.305(d).)
Clarification of permitted use of personal information by service providers. Provided additional language regarding the fulfillment of service contracts. (See§ 999.314(c)(1) and (3).)
Employee Notices. Employee notices are no longer required to provide a link to any privacy policies (either online privacy policies or employee privacy policies). (See § 999.305(f)(2).)
Deletion of Opt-Out Button/Logo. The much-maligned opt-out button/logo has been deleted. The opt-out logo/button was first introduced in February and met with substantial criticism from privacy advocates who faulted it for being unclear or misleading. Presumably, the Attorney General’s deletion is in reaction to that criticism. The second set of modified regulations now delete subsection 999.306(f).
Responding to Requests to Know. The regulations still forbid businesses from disclosing certain types of personal information such as Social Security numbers and biometric information. However, the regulations now require businesses to inform consumers with sufficient particularity that the business has collected that type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data. (See §§ 999.313(c)(4).)
Responding to Requests to Delete. Business still needs to inform a requestor whom they are unable to identify of their right to opt out of the sale of personal information. This despite the AG being informed that such an offer would be confusing (i.e. how can the business opt me out while not being able to identify me?). (See§§ 999.313(d)(1) and (7).)
If covered entities--be it in California or elsewhere--have not already, now is the time to do the following:
Assess what “personal information” is collected based on the broad definition under the CCPA.
Determine where that personal information is coming from - internal, external, email, website, telephone, in person, applications, sign-up sheets, etc.
Determine where and how that personal information is being stored.
Revise website home pages.
Prepare consumer notifications.
Consider how to verify consumer requests.
Consider means of safeguarding the personal information your are collecting including by encryption and redaction.
Review and assess “reasonable security procedures” in place to protect personal information.
Comply with training requirements.
Review record keeping policies and requirements.
Determine if business is collecting personal information of minors (as special rules apply).
Review nondiscrimination issues to provide consumers with the right to equal service and price.
Review and update incident response plans.
Prepare employee notifications, if applicable.