CCPA Regulations Update from February, 2020
Much to businesses’ delight, the California Attorney General’s Office released an updated draft of its CCPA regulations on February 10, 2020. In an attempt to un-muddy the waters, the new version of the regulations clarifies definitions and notice requirements and provides examples of the mandated practices. The following updates are the ones gaming companies should be especially aware of.
The Test for “Personal Information”
Under the CCPA, “personal information” encompasses a broad spectrum of unique identifiers. Along with the more traditional pieces of information (names, email addresses, etc.), the Act includes things like geolocation, educational information, and consumer preferences. The Act requires businesses subject to the law to reasonably protect such information. In spite of such a broad definition, businesses were still left wondering: “What exactly is personal information?”
The updated regulations attempt to provide a clearer test for businesses in determining whether their collected data falls under this sweeping category:
If a business maintains its customers’ data in such a way that makes it easy to identify or associate that data with a particular consumer or household, then that data is considered “personal information.”
The regulation provides the following example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
Essentially, if your business does not manage customers’ data in such a way that the business could connect that data to a particular customer or household, then the information is not considered “personal information.”
What is a household?
The regulations define household as a group of persons who (1) live at the same address; (2) share a common device or business service; and (3) are identified as sharing the same group account or unique identifier. For an interactive online business, this would be information related to a shared, group account (think a single Netflix log-in with multiple user profiles).
This definition broadens the consumer data the CCPA protects, and thus increases the number of businesses that must comply with the new law.
Notice Requirements: What to provide
Prior to collecting customers’ data, the Act requires a business to notify the consumer of its data collection practices. The regulations mandate specific points of information a business must include in its notice:
- a list of personal information categories the business collects;
- the commercial purposes for collecting that data;
- (if the business sells customer data) a link to a webpage on how a consumer can opt-out of the sale of their personal information; and
Notice Requirements: How to provide it
The regulations also provide examples of how online and mobile app businesses can comply with the Act’s notice requirements:
- For companies that collect consumers’ information online, the regulations allow for the business to post a conspicuous link to the notice on its homepage and any other page where data is collected.
- For mobile apps, the regulations allow for a link to the notice on the initial download page and within the app’s settings menu.
- For businesses that collect information from a customer’s mobile device, where that information is not the type the customer can reasonably expect the business to be collecting, the regulations require the business to provide a pop-up notification about the information being collected. (The regulations’ example is a flashlight app collecting geolocation data, which would have to notify customers of that collection via a pop-up notice.)
Additionally, the proposed regulations require all notices and privacy policies to be reasonably accessible to consumers with disabilities. For online notices, the reasonableness is defined by existing industry standards.
The Right to Opt-Out: Notices, Buttons, and Incentives
The Act provides consumers with the right to opt-out of the sale of their personal data. Companies that sell consumers’ personal information must notify their customers of this opt-out right in at least two “designated methods.”
One of the required “designated methods” is a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on the business’s website or mobile app. A business may also place an opt-out button on its website, and the regulations even provide model designs, with specific requirements that the button be placed to the left of any text.
From the time the regulations go into effect, companies cannot sell customers’ personal information until they notify customers of their opt-out rights.
A company can provide a financial incentive to its customers for the collection of their personal information. However, the regulations warn that a company cannot financially penalize customers because of their opt-out status, or any other exercise of their CCPA rights. Such a practice would be discriminatory under a different state statute.
Businesses that wish to create an incentive program must ensure such an incentive is not because of a customer’s opt-out status but rather for allowing the company to collect the customer’s personal information. The value of such an incentive must be reasonably comparable to the value of the customer’s data, and the regulations provide numerous examples on how to calculate such value.
Although these updates cover only a few of the regulations’ 29 pages, they contain important changes from the original draft of the regulations.
If you have any questions about compliance with the CCPA, reach out to us at Odin Law and Media.