Revised Proposed Regulations
Just when you exhaled after the January 1, 2020, effective date of the California Consumer Privacy Act, on February 10 the California attorney general released modifications to the draft proposed regulations for the law that it had previously released in October 2019. Comments on the modified regulations are due on February 25, 2020. While the California AG may still circulate additional drafts, it is anticipated that the final regulations will become effective by July 1, 2020, the same date the state AG indicated enforcement would begin.
Do Not Hyperventilate, and Other Practical Measures to Take Now to Prepare for Compliance
The modified proposed regulations, just like the original proposed regulations, are just that for now – proposed regulations. They have not yet been adopted as final. That said, an analysis of the modified regulations provides insight into the requirements and practices that will eventually come into force. In this article, we provide an overview of notable changes in the modified regulations, practical guidance on how best to prepare for compliance, and our take on the business impact of the CCPA. (See also our earlier alert: "Countdown to CCPA Compliance: 10 Essential Things to Do Now Despite the Uncertainty.")
Where the Rules Stand Now – The Most Significant Changes in the Modified Regulations
While the final regulations may still change from the current version, many of the basic requirements in the modified regulations did not change from the October draft. Subsequent revisions are likely to leave these basic provisions in place. That said, the modified regulations impact CCPA compliance requirements in several important ways. Here are six key ones:
- IP addresses and other identifiers are not "personal information" in some circumstances (§ 999.302). The CCPA includes IP addresses within the definition of "personal information," creating a potentially significant impact on mobile technology and advertising technology by sweeping in all communications (including deidentified or pseudonymized ones) delivered to a phone, computer or other connected device. The modified regulations create flexibility by proposing that whether information constitutes personal information under the CCPA "depends on whether the business maintains information in a manner that 'identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.'" Specifically, the modified regulations provide an example in which IP addresses of website visitors collected by a business are not "personal information" because the business does not link the IP address to any particular consumer or household, and could not reasonably do so. That said, the modified regulations do not provide relief for companies that use IP addresses to identify specific consumers or households without consent (e.g., potentially impacting retargeting and other similar forms of online targeted communications).
- Clarified requirements for privacy notices. The modified regulations provide proposed guidance in several key areas related to privacy notices, including:
  - Improved guidance on how to provide notice at collection (§ 999.305). The modified regulations now provide an example explaining that an online business may provide notice at collection by posting a "conspicuous link to" its privacy notice on the introductory page and on all webpages where personal information is collected. A business that collects information through a mobile app may provide a link to the notice on both the app's download page and within the application's settings menu. A business that collects information by phone or in person may provide oral notice.
  - The modified regulations align with FTC notice guidelines on just-in-time notices and require a business to provide notice and obtain consumer consent for new uses of personal information that are materially different from the purposes disclosed in the notice at collection (§ 999.305). Likewise, the modified regulations require businesses to provide just-in-time notices when a business collects personal information that a consumer would not reasonably expect to be collected given the context. For example, a flashlight app that collects location information must provide just-in-time notice when the consumer opens the app.
  - Businesses cannot sell personal information they collected before providing an opt-out notice absent affirmative authorization of the consumer (§ 999.306(e)). The modified regulations add an explicit statement that a business "shall not sell" personal information it collected while it did not have a "right to opt-out notice posted unless it obtains the affirmative authorization of the consumer." Businesses may need to go back and get opt-in consent from consumers as a result.
  - Streamlined mandatory disclosures in privacy notices (§§ 999.305, 999.308, 999.317). The modified regulations reduce the requirements for various "per category" disclosures related to the collection of personal information. Under the modified regulations, businesses would no longer be required to give notice of the categories of sources and the business or commercial purposes for which each category of personal information was collected. Additionally, the threshold requiring businesses to post detailed metrics about consumer requests, proposed in the first draft of the regulations, was raised in the modified regulations from the personal information of 4 million consumers to 10 million consumers.
- Obligations of Service Providers could be made more business-friendly (§ 999.314).
  - Use of customer data to improve service provider products and services. Under the CCPA, a service provider can use personal information only for the specific purposes specified in its agreement with the contracting party. This requirement implied that the common practice of a service provider using its customers' personal information to improve its own products and services was prohibited. Under the modified regulations, service providers are permitted to use personal information acquired while providing services to others to build or improve the quality of their own services and products "provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source." While more business friendly, this limitation may not help service providers that apply artificial intelligence and machine learning to such personal information to build data lakes and train models (even where there is no specific consumer targeting, use, sharing or sale).
  - Service providers would not be obligated to provide contact information of customers to honor consumer requests. Under the modified regulations, a service provider who receives a request to know or delete from a consumer must now either act on behalf of the business (its customer) in responding to the request or inform the consumer that the request cannot be acted on because it was sent to a service provider. The previous draft of the regulations required a service provider to explain why it denied a consumer request and, when feasible, provide the consumer with contact information for the business.
- The modified regulations provide additional guidance involving consumer requests (§§ 999.313, 999.315, 999.318):
  - Complex consumer request and verification procedures. While the CCPA gives businesses an initial 45 days to respond to consumer requests to know or delete, the previous and modified regulations are far more prescriptive. For example, under the modified regulations, a business would have to (1) acknowledge receipt of such a request within 10 business days and provide information about how the business will process the request; (2) follow detailed verification procedures (such as matching identifying information provided by the consumer to personal information already maintained by the business or using a third-party identity verification service); (3) provide an individualized response to each consumer's access request in most cases; and (4) keep records of all requests (including their outcomes) for at least 24 months.
  - Potential new request verification and response guidance. When handling consumer requests, the modified regulations: (1) allow businesses to deny consumer requests if they cannot verify the consumer within the 45-day response time period (e.g., the consumer does not provide personal information to be matched with information stored by the business); and (2) do not require businesses to search for personal information if the businesses do not sell the information and other conditions are met.
  - Anticipate development of new browser-based privacy controls. The previous draft of the regulations required businesses to treat user-enabled privacy controls, such as browser plugins or privacy settings, as a valid sale opt-out request for that browser. This requirement introduced speculation that businesses would be required to treat existing Do Not Track signals as sale opt-outs. The modified regulations seem to preclude this interpretation by requiring that a "privacy control ... shall clearly communicate or signal that a consumer intends to opt out of the sale" and "require that the consumer affirmatively select their choice to opt-out." In addition, under the modified regulations, a browser-based privacy control would take precedence as an instruction that a consumer intends to opt out of the sale of personal information, even if it conflicts with another privacy setting (although a business may follow up with the consumer about the conflict).
- Businesses without a direct consumer relationship that register with the Attorney General as data brokers (Civil Code section 1798.99.80) need only provide notice of personal information collection and consumer rights in their data broker registration (§ 999.305). Under the modified regulations, a data broker – defined as a business that collects and sells personal information of consumers with whom it does not have a direct relationship – can satisfy its notice obligations by including a link to its online privacy policy in its data broker registration submission. The privacy policy must include instructions on how a consumer can submit an opt-out request to the broker.
- New consumer data valuation requirements in connection with use of financial incentives (§ 999.336). The CCPA forbids businesses from discriminating against consumers who exercised their privacy rights, but expressly allows businesses to offer financial incentives as compensation for agreeing to provide information and consenting to the information practices of such businesses. Under the modified regulations, a business is now prohibited from offering a financial incentive if it cannot calculate a good-faith estimate of the value of the consumer's data or show that the incentive is reasonably related to the value of the consumer's data. The modified regulations also provide three new illustrative examples (in addition to a previously presented example) distinguishing between discriminatory and non-discriminatory practices.
10 Essential Measures to Take Now to Prepare for Compliance
Given the potentially complex CCPA requirements reflected in the modified regulations (and whatever may appear in the final regulations), and based on our knowledge of industry initiatives and what we have seen others doing in this time of uncertainty, the following are practical measures you can take now to prepare for the CCPA on a risk basis and in line with evolving industry practices:
- Sit on the fence, but do not be still – there may be policy and operations work to do while waiting for final regs. Overall, the notice requirements stayed relatively consistent between the different drafts of the regulations, and we think it is unlikely these requirements will change significantly before becoming final. If you have not yet done so, now is the time to identify the required disclosures for your privacy policy, whether in the main body of the policy or in a separate California-specific notice. Further, many companies have not yet implemented CCPA policies and procedures (or at least ones applicable to business-to-business and human resources data). Companies should identify the areas that will materially impact their business and immediately consider operational solutions to comply, including planning, budgeting and evaluating potential compliance vendors.
- Reconsider/confirm your approach for customer acquisition and your decision as to whether your company sells personal information under the CCPA. Based on the potential treatment of IP addresses and other identifiers, and the potential for having to get opt-in consent from some consumers, companies are reevaluating their initial decisions to disclose that their routine business, marketing and/or data handling practices constitute a "sale" under the CCPA. Many are also considering new marketing and sales approaches for customer acquisition that are less dependent on retargeting and interest-based advertising in case such activities are considered sales of personal information under the CCPA, either by the final regulations or subsequent California AG enforcements.
- Implement a "Do Not Sell" approach and function now. "Do Not Sell" opt-outs require faster turnaround and more complex handling than other types of requests. If your business is selling personal information, now is the time to operationalize your opt-out request handling procedures. Options include leveraging industry approaches such as the Internet Advertising Bureau (IAB) CCPA Compliance Framework or the Digital Advertising Alliance (DAA) Framework, implementing vendor tools including OneTrust, TrustArc, and BigID, or developing your own manual techniques.
- Build compliant procedures for verifying and handling requests to know and delete. The modified regulations require a business to "establish, document, and comply with a reasonable method" for verifying consumer requests, as well as describe the general verification process in its privacy policy. Now is the time to decide how your business will verify and respond to these requests based on the information you collect and/or can access, and to build out the internal procedure documents and data inventories needed to operationally meet the numerous requirements described in the modified regulations in a timely manner. This will not only reduce the risk of identity theft, but also streamline the process and minimize the burden on your organization in managing and responding to requests.
- Prepare to respond to consumer requests. Many organizations concerned about handling initial consumer requests and other forms of consumer requests (and the potential volume of HR and business-to-business requests starting January 1, 2021) are taking two novel approaches to prepare:
  - Developing a "playbook" that contains procedures and templates for confirming receipt of requests, verifying the requests, providing requested information and fulfilling consumer options
  - Conducting tabletop exercises with the appropriate stakeholders to ensure that the business is ready to address requests, and making sure that call centers, support centers, receptionists and chat functions have scripts and know where to direct consumer requests
- Consider other tools and methods to track data subject requests. Upgrade your data management capabilities to meet the increased burdens imposed by the modified regulations. These modified regulations specifically state that a ticket or log format can be used to maintain records related to consumer requests. Many companies are customizing Jira, ZenDesk or other ticketing systems or considering new tools offered by Transcend, Clarip, Informatica or ones incorporated into larger tools offered by TrustArc, NYMITY and OneTrust.
- Review your Data Protection Addendums (DPAs) and vendor contracts with respect to data control. Evaluate where your business's data practices stand with respect to the modified regulations involving service providers and the possibility that a service provider can use the personal information of your customers to improve its products and services (without being treated as a third party that cannot claim the limited liability afforded to service providers under the CCPA). Whether receiving data from or providing data to a vendor, companies should review and update their template and executed DPAs in light of the modified regulations allowing service providers to use personal information of customers for product and service enhancements.
- Justify financial incentives involving consumer information. The modified regulations forbid financial incentives if the business is unable to estimate the value of the consumer's data or cannot show that the incentive is reasonably related to the value of the data. Conduct an inventory of your business's financial incentive programs now (including any data-driven dynamic pricing or discount programs, loyalty programs or demos tied to disclosure, deletion or sale of user data) and compare these programs to the examples provided in the modified regulations so you can develop conforming pricing guidelines.
- Adopt "reasonable security" standards across your business. The CCPA provides "reasonable security" as a safe harbor defense against class actions. The modified regulations additionally require "reasonable security" in other contexts, such as when verifying consumers and responding to and maintaining records of consumer requests. You should select and implement appropriate standards defining reasonable security for these contexts. Many organizations are preparing for the CCPA by performing gap assessments in view of the CIS20, ISO/IEC 27002:2013, NIST Cybersecurity Framework, or other security frameworks. At a minimum, many companies are mapping their security controls to the CIS20, a safe harbor defense against class actions under the CCPA. See "Five Steps to Mitigate CCPA Class Action Risk: What Companies Need to Do to Increase Data Security" and "Let's Be Reasonable: Clearer Guidance for Minimum Information Security Standards."
- Consider making public comments in response to the modified regulations. The modified regulations are detailed and have many operational and unintended business impacts. From our discussions with clients, many companies believe the promise and benefits of machine learning and artificial intelligence technology to innovative businesses (such as safer connected cars and autonomous vehicles, digital health/personalized medicine and just-in-time, relevant and customized advertising) may be delayed if consumers opt out as a general trend over the next couple of years. Let the AG know your business's take on the modified regulations. Any public comments must be submitted by February 25, 2020.
*Kyra Baffo is an intern at Fenwick & West and contributed to this article.