California Attorney General Releases Updated CCPA Draft Regulations
26 February 2020
Technology & Regulation in the Spotlight
The Attorney General of California has released the updated CCPA Proposed Regulations for public consultation. The new Proposed Regulations contain a number of material modification to the previous draft released October 2019 and are available for written comments by 25 February 2020.
One of the significant changes in the Proposed Regulations concerns the interpretation of the definition of “personal information”. According to the new Proposed Regulations, as to whether information will be considered as personal, depends not only on the nature of the information, but also on whether the business maintains information in a manner that identifies, relates to, describes or is reasonably capable of being associated or linked to a particular consumer, whether directly or indirectly. As an example, the Proposed Regulations state that the mere collection of a website visitors IP address, without reasonably being able to link it to any particular consumer or household, shall not be considered as giving rise to a collection of personal information.
The Proposed Regulations provide additional clarity regarding the CCPA notice requirements. In this regard, they set out specific instructions on how businesses should implement notices for mobile apps. The “notice at collection” requirement is to be met by providing a link to the notice on the app’s download page and the app’s settings function. Additionally, apps that are collecting personal information for a purpose which the consumer would not normally expect, will need to provide a “just-in-time” notice containing a summary of categories of personal information that have been collected, as well as a link to the full collection notice. Moreover, businesses that do not collect personal information directly from consumers, will not be required to provide notice at collection or notice before sale, as was required under the previous draft of the Regulations, as long as they are registered with the attorney general as data brokers and included a link to the relevant information in their registration submission.
Under the new Proposed Regulations, businesses will be required to provide CCPA notices and policies to consumers with disabilities, in an accessible manner, by adhering to recognized industry standard for accessibility, such as the Web Content Accessibility Guidelines, version 2.1 for online notices.
The new Proposed Regulations also address issues regarding compliance with consumer requests. Under the new draft, businesses may deny a “request to know” if they cannot verify the identity of the requestor. Moreover, businesses will not be required to comply with such a request if the personal information is not maintained in a searchable or reasonably accessible form and is retained solely for legal and compliance purposes.
The Proposed Regulations also clarify the timeframe for acknowledging and responding to consumer requests. According to the new draft, the respective 10 and 15 day timeframes to confirm receipt of request to delete or to know and to comply with a request to opt-out will be calculated on the basis of business days (rather than calendar days). Conversely, the 45-day timeframe to respond to requests to delete and the optional 45-day extension, will be calculated as calendar days.
Under the new Proposed Regulations, the Attorney General also provides guidance on the design, size and location of the “Do Not Sell My Personal Information” button that was introduced in the previous draft. According to these Proposed Regulations, the button must be similar in size to other buttons on the business page and be located to the left of the “Do Not Sell My Personal Information” link, which is required under CCPA. In addition, businesses shall not sell personal information collected before posting the right to opt-out notice, unless an affirmative authorization has been obtained from the consumer.
Earlier last year, we published our CCPA Compliance Playbook in order to assist in preparing for the upcoming regulatory change. Please feel free to contact us if you have any questions regarding the effect and implications of the CCPA and how the new Proposed Regulations will affect your compliance efforts.
Feel free to contact us with any further question or comments regarding the update and subjects detailed above.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman