Attorney General Xavier Becerra Releases Modified CCPA Regulations
February 18, 2020
On February 10, 2020, the California Attorney General’s office released its latest version of the regulations implementing California's new data privacy law, the California Consumer Privacy Act (CCPA). These regulations modify the initial draft of CCPA regulations released by the Attorney General on October 10, 2019. The modified regulations are not final and focus on implementing some of the public feedback received by the Attorney General following the publication of the initial draft last year. After further feedback, the Attorney General’s office is expected to release final regulations in the next few months.
The CCPA is the strictest privacy law in the nation. It imposes significant obligations on companies with respect to the personal information of California residents. The law took effect on January 1, 2020, with enforcement delayed until July 1, 2020.
Some of the major changes to the proposed regulations include:
- Notice Requirement for Changes in Use: Setting a more lenient standard that notice is now required only if the new use of the consumer’s information is “materially different” from the purpose originally disclosed.
- Narrowing the Scope of “Personal Information”: Providing further guidance that data is not “personal information” covered by the CCPA simply because it falls within one of the categories enumerated in the statute; in any event the data must still be reasonably associated or reasonably linked to a person. The regulations provide a clarifying example that an IP address is not “personal information” when a business collects it from its own website visitors, but does not link it to any particular customer or household and could not reasonably link it with a particular customer or household.
- Clarifying the Definition of “Household”: The definition of “household” is now limited to a person or group of people who (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier. The amended proposed regulations also provide new requirements that businesses must meet before responding to requests to access and requests to delete originating from a household that does not have a password-protected account with that business, including that all members of the household must jointly make the request, that the business verify the identity of each member of the household and that the business verify that each member making the request is a current member of the household;
- Opt-Out Button Design: Introducing the following design of an opt-out button, which businesses may use in addition to posting a notice of a consumer’s right to opt out of the sale of their personal information:
- Opt-Out and Third Parties: Modifying the requirement to pass opt-out requests only to third parties to which the business sold personal information after the consumer’s request has been made.
- Notice Requirement for Mobile Users: Requiring that when a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.
- Service Provider Requirements: Outlining five exceptions under which service providers may retain, use, or disclose personal information obtained while providing services; describing other compliance requirements—such as prohibiting service providers from selling data on behalf of a business after a consumer has opted out of the sale of their personal information with the business—and giving guidance for responding to a consumer’s request to know or delete personal information; and clarifying that a service provider can use personal information to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.
- Email Only For Data Subject Requests For Exclusively Online Business: Allowing a business that operates exclusively online and has a direct relationship with a consumer to provide only an email address for submitting requests to know, while requiring all other businesses to provide two or more designated methods for such requests.
- Financial Incentives: Describing several scenarios of when refusing a request to delete or terminating a consumer’s participation in a loyalty or other financial incentive program offered by a brick-and-mortar or online because of a CCPA request may be discriminatory.
- Search Obligations—Denying Consumers’ Requests: Introducing an exception as to when a business is required to search for a consumer’s personal information in response to a consumer’s request. The exception applies if the business satisfies four conditions: it does not maintain the personal information in a searchable or reasonably accessible format; it maintains it solely for legal or compliance purposes; it does not sell or use it for any commercial purpose; and it describes to the consumer the categories of records that may contain personal information that the business did not search because such personal information meets the preceding three conditions.
The modified regulations address some concerns of industry and clarify some ambiguities, but they will likely generate additional comments and concerns. In particular, the modified regulations do not provide specific guidance on what constitutes a sale and how the ad tech industry should implement policies and procedures to comply with the CCPA.
The Attorney General is accepting written comments on the modified regulations. All written comments must be submitted by 5:00 p.m. on February 25, 2020.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Lisa Monaco, an O’Melveny partner licensed to practice law in the District of Columbia and New York, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Daniel R. Suvor, an O’Melveny partner licensed to practice law in California, Scott Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, Amit Itai, an O’Melveny associate licensed to practice law in California, and Aleksander (Sasha) Danielyan, an O’Melveny staff attorney licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.