The most recent revised proposed regulations to the CCPA were released on February 10, 2020. As communicated in the “Information about the rulemaking process” issued by the Office of the Attorney General previously, if any changes were made to the proposed regulations, they would publish “another draft for more public comment” and “give the public at least 15 days (or longer, depending on the extent of the revision) to comment.” That comment period has now ended.
Prior statements by Attorney General Becerra led us to expect regulations in January, so the timeline appears to be extending, but how this will affect the enforcement date is unknown. Currently, there has been no indication that the enforcement date of July 1 will be pushed back at all.
Both the redlined and clean versions are published online. One of the more controversial proposed elements previously was that businesses unable to verify a request for deletion would treat that unverified request as a “Do Not Sell” request (§ 999.313(d)(1)). That has been removed along with the requirement to indicate which method of deletion was performed – deleted, de-identified, or aggregated. Another concerning proposed element was that a request for deletion had to go through a two-step process. Now, the two-step confirmation is suggested, but not required (§ 999.312(d)).
A controversial requirement that was removed was one requiring businesses to communicate a consumer’s opt-out of sales to any parties to whom the business sold the data in the prior 90 days (§ 999.315(f)). Under the new proposed regulations, businesses are required to process opt-outs within 15 business days, and if there is a sale made during that time, the business must contact those third parties and direct them to remove the consumer’s data.
Key clarifications include the definition of “household” (§ 999.301(k)), which “means a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” Previously the definition was “a person or group of people occupying a single dwelling.” The new definition better accommodates the reality of the knowledge a business may have about households.
Another key clarification came with the new section 999.302 on Guidance regarding the interpretation of CCPA definitions. This new section of the proposed regulations provides:
Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
This is welcome news to many companies as it may change the conversation around cookies. It does not end the conversation, but it does change some of the recent focus.
Other information that was added included guidance around when mobile apps should provide just-in-time notice (§ 999.305(a)(4)), accessible notices (various sections), and that a “do not sell my personal data” link is not required in the notice at the collection of employment-related information (§ 999.2305(e)).
Where are we now?
The comment period has ended and we expect the next version will be the issuance of the final regulations. We may be surprised again with a new round of proposed regulations, but that is not expected. Next, according to the “Information about the rulemaking process,” the Office of the Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval, including the summaries and responses to each public comment received. The OAL has 30 working days to determine if all of the procedural requirements are met and, if so, the regulations will be filed with the Secretary of State.
Will enforcement start July 1, 2020?
At this time, enforcement remains slated to start on July 1, 2020.
TrustArc discusses the CCPA in its Serious Privacy podcast with Peter Stockburger, a partner at Dentons who practices in the area of Data Privacy.