California Attorney General Releases Third Draft of CCPA Regulations
12 March 2020
Technology & Regulation in the Spotlight
The Attorney General of California (“AG“) has released a third draft of CCPA proposed regulations for public consultation. The new proposed regulations include a series of technical and material modifications to the previous draft, released just a month ago (see our related update), and are available for written comments until 27 March 2020.
One of the interesting changes made, is the deletion of the guidance regarding the interpretation of personal information under the CCPA, which excluded IP, not linked to a particular consumer, from being considered as personal information. The new draft does not offer any new guidance as a replacement regarding this issue. Additionally, the AG has chosen to remove all references to the opt-out button that were set out in the last draft regulations, since the button came under public scrutiny. Commentators raised concerns that the icon looked deceptively as though it was an actual toggle switch, and when combined with its red color, could be misrepresented as being in off state.
The AG also changed the exemption allowing service providers to process personal information in order to perform the services specified in a written contract with the business that provided the personal information. The new modified exemption allows service providers to process personal information, not only on behalf of the business that provided the personal information, but also on behalf of the business that directed the service provider to collect the personal information, provided that it is in compliance with the written contract. In addition, the internal use of the service provider exemption now requires that the personal data will not be used to build or modify consumer profiles that are intended for providing services to other businesses.
In terms of disclosures: according to the new draft regulations, in addition to data brokers, unregistered businesses that do not collect personal information directly from a consumer, will not be required to provide a notice of collection if they do not sell the personal information which was collected. The new draft also restored the obligations to identify the categories of sources from which personal information is collected, and in addition, to identify the business and commercial purposes for collecting and selling personal information that was removed from the second draft. The new draft only requires a general disclosure, without the need to specify each category of personal data. In addition, the requirement to disclose metrics when buying, receiving, selling or sharing personal information of more than 10 million consumer in a calendar year, shall only apply to businesses who know or should reasonably have known, that they meet the threshold.
Lastly, the AG amended the definition of “financial incentive” under the CCPA. According to the new definition, financial incentive is a program, benefit or other offering, including payments to consumers, that is related to the collection, retention or sale of personal information.
Earlier last year, we published our CCPA Compliance Playbook in order to assist in preparing for the upcoming regulatory change.
The changes presented in the draft regulations may require further adjustments to internal and external privacy policies and procedures. Please feel free to contact us if you have any questions regarding the effect and implications of the CCPA, and how the new proposed regulations may impact your compliance efforts.
Feel free to contact us with any further question or comments regarding the update and subjects detailed above.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman