CCPA Regulations Update from March, 2020
We’ve been closely following the progress of the CCPA – the California Consumer Privacy Act. In February of this year, a new draft of CCPA regulations was released. Then another series of modifications was released in March 2020.
Below is a list of some of the major changes proposed in the latest set of modifications:
The previous guidance around personal information, which stated that IP addresses that were not, and could not be, linked to a particular consumer or household would not be considered personal information under the CCPA, has been deleted without explanation. This, of course, raises the question of whether unlinked IP addresses are to be considered personal information or not. There is no concrete answer to this question to date.
Notice at Collection
The latest draft confirms that businesses that do not collect information directly from consumers are not required to provide a notice at collection so long as they do not sell consumer information.
This means that businesses that otherwise fall into the scope of the CCPA are not required to provide a notice at collection for personal information that they do not collect directly from the consumer. An example would be a business that offers CRM solutions where users collect personal information about non-users (sales prospects or clients, for example) and then enter it into the business’s platform. From the business’s standpoint, the non-user information is collected indirectly in that it’s the user (and not the non-user) who is the source of the information. Under the CCPA, that business does not have to provide the relevant non-users with a notice at collection. This makes sense because the business in this example has no control over how/when/where non-user information is collected, and therefore no real way to provide a notice at collection. The responsibility would fall instead on the direct collector of the information to provide notice at collection to its own users.
Do Not Sell Button
The strange and much-complained-about “Do Not Sell” button from the previous draft of the regulations has been removed.
Under the previous draft of CCPA regulations, businesses were required to list in their privacy policies, for each category of personal information being collected, the categories of information sources, business or commercial purposes for collection and the categories of third parties to whom the information is disclosed. Under the latest draft, privacy policies no longer have to include categories of third parties to whom personal information is disclosed and they no longer have to break down information sources and business purposes by category of information collected.
Basically: breaking this information down into categories is no longer required; however, the base information is still required.
The new draft widens the net of who will be considered a service provider under the CCPA. Now, a business that collects personal information directly from a consumer, or about a consumer, on behalf of a third party will be deemed a service provider.
Certain obligations of service providers have been removed. For example, service providers no longer have to explain their reasons when they deny a consumer’s requests to delete information. Service providers are also no longer required to inform consumers making denial requests to submit those requests directly to the third-party business on whose behalf they are collecting the information.
The changes also expand the purposes for which a service provider may retain, use or disclose personal information. For example, service providers may now use personal information to build consumer and household profiles so long as they do not use those profiles to provide services to another business.
Under the CCPA, global privacy controls which communicate or signal the consumer’s choice to opt out of the sale of their personal information are considered legitimate opt-out requests. The previous draft of CCPA regulations stated that such privacy controls must require the consumer to affirmatively select their choice to opt out, meaning that these controls could not be in the form of default settings. The latest modifications remove this requirement and state only that such controls “shall clearly communicate or signal” the consumer’s intention to opt out – without explaining what suffices as a clear communication or signal.
What does this mean for Do Not Track signals?
It’s hard to say what the effect of the CCPA regulation language will be, as the major web browsers (Firefox, Chrome, Safari, etc.) do not currently have “Do Not Sell” privacy settings. Instead, most web browsers offer users the option to send Do Not Track (DNT) signals, which ask websites not to track user behavior online.
California’s Online Privacy Protection Act of 2003, or CalOPPA, already requires websites collecting information about California residents to disclose how they respond to web browser DNT signals. Importantly, the law does not require websites to honor these signals; it just requires them to disclose whether or not they do.
Since tracking online behavior and selling personal information are two different concepts, though somewhat related, it would be hard to argue that a browser’s Do Not Track settings clearly communicate a consumer’s intention to opt out of the sale of their information. So, for now it’s probably safe to say that businesses are still not required to honor Do Not Track settings.
Requests to Know
The latest modifications have also changed requirements around consumers’ “requests to know.” If a consumer is requesting certain types of sensitive information that a business has on them – such as government-issued IDs, social security numbers, biometric data or the like – the business must not disclose the specific information but must instead confirm or disconfirm that it has the information.
For example, if a consumer submits a request to know whether a business has his or her social security number, the business must tell the consumer whether or not it has the social security number, but must not disclose what the social security number is.
Currently, the Attorney General cannot bring an enforcement action under the CCPA until July 1st, 2020 at the earliest. Odin Law & Media will continue to closely watch developments for the proposed regulations.