CCPA Marches On: California Attorney General Proposes Further Revisions to CCPA Regulations, Industry Pleads for Enforcement Delay Amid COVID-19 Crisis

While the world seems to have ground to a halt in so many ways, time still marches on, and along with it, the California Consumer Privacy Act (“CCPA”) enforcement date (July 1, 2020) inches ever closer.   On March 11, 2020, the California Attorney General (“AG”) released the third turn of proposed California Consumer Privacy Act (“CCPA”) regulations.  The AG’s revisions make only moderate changes to the last round of regulations issued in February 2020.  Businesses will not need to dramatically change compliance plans as the proposed revised regulations seek to refine requirements in prior drafts rather than introduce any wholesale changes to the regulatory framework.  Here are some of the highlights from the AG’s March 2020 revisions to the proposed regulations:

  • Removal of guidance about the interpretation of CCPA definitions (§ 999.302 in the February 2020 proposed regulations).  Previously, the AG had clarified the scope of the definition of “personal information” in the CCPA by making clear in the February 2020 proposed regulations that unlinked information is not “personal information” under the California statute.  However, the AG’s March revised proposed regulations has deleted this further clarification of scope of the definition and, critically, no longer makes clear that  IP addresses  will not be considered “personal information” for CCPA purposes when businesses do not themselves link IP addresses they collect (e.g., through their websites) to a particular consumer or household.
  • Deletion of the optional “opt-out” button or logo (§ 999.306 in the February 2020 proposed regulations).  The widely anticipated opt-out button or logo (called a “toggle”) was initially unveiled in February proposed regulations as an optional supplement to a “Do Not Sell My Personal Information” link.  In the prior version, the simple and low-tech toggle was allowed only where provided alongside a tagline.  However, the opt-out toggle was removed in the AG’s March revised proposed regulations.
  • Restoration of privacy policy disclosures (§ 999.308).  Among other disclosure requirements, privacy policies must identify (i) the categories of sources from which personal information is collected from consumers, and (ii) the business or commercial purpose for collecting or selling personal information.  Businesses must describe these categories and purposes in a manner that provides consumers with a meaningful understanding of the information being collection and why such information is collected or sold.  Importantly, these disclosures are required by statute, and commentators correctly predicted that the AG would include them again after the disclosures were deleted in the AG’s February proposed regulations.  However, the current framing does support a more simplified disclosure structure.  Language from an earlier draft that prompted widespread use of granular charts to repeatedly reiterate information per category of personal information has not made a reappearance.
  • Responses to a request to know must identify, to a certain extent, the data that a business cannot disclose (§ 999.313).  When responding to an access request, the revised regulations clarify that a business must “inform the consumer with sufficient particularity” the type of data it has collected about the consumer.  However, and importantly, the business remains prohibited from disclosing particularly sensitive consumer information, including Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.  The AG’s revised March 2020 proposed regulations provide an example of how a business may respond to a request to know that may include biometric information.  Specifically, in that instance, a business must respond to the consumer that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
  • Enhanced requirement of proactive notification of opt-out rights when denying a request to delete (§ 999.313).  If a business denies a consumer’s request for the deletion of personal information and sells personal information that the consumer has not already submitted a request to opt-out of sale, the business must include additional information in its response to the consumer’s deletion request.  More specifically, the March 2020 proposed regulations now require the business’s response to ask the consumer if they would like to opt out of the sale of their personal information and must include either the contents of, or a link to, the notice of right to opt-in to such sale.  This enhanced requirement represents a potentially important expansion of the obligation to proactively notify requestors of their opt-out rights, as previous drafts of the proposed regulations had required notification only if a business could not sufficiently verify a consumer for a deletion request.  However, a business that does not sell personal information will be unaffected by this additional requirement.
  • Guidance on user-enabled global privacy controls (§ 999.315).  The March proposed regulations now allow future global privacy controls (e.g., a browser plugin or privacy setting, device setting, or other mechanism) to communicate or signal the consumer’s choice to opt of the sale of their personal information and select “Do Not Sell” as an automatic or default setting.  Previous drafts of the AG’s proposed regulations tempered the impact of potential automated privacy controls by requiring consumers to exercise their opt-out rights each time they wanted to direct a business not to sell their personal information. It is still not clear how, from a technological perspective, such signals would work in all contexts or how all sites or applications (or other online operators) will be able to respond to such signals, but standardization may evolve in the coming months.

Additionally, several anticipated additions are missing from this latest draft of the AG’s proposed regulations.  For example, in the March proposed regulations, the AG did not offer guidance on the protection of trade secrets or procedures to standardize “household” requests.

The quick turnaround and relatively minor revisions included in the March 2020 proposed regulations may suggest that the AG’s office could be nearing the end of its rulemaking process.  Instead, the AG’s office may be focusing on preparing the extensive documentation that it will need to submit in April 2020 to the Office of Administrative Law in order to meet the July 1, 2020 deadline.  Comments to this latest round of proposed regulations were due on March 27, 2020.

As the march towards finalization of the regulations continues, several industry groups and entities, including the motion picture industry, insurers, theme park operators, car dealers, plumbers, the advertising industry as well as the California Chambers of Commerce, requested that enforcement be delayed until January 2021. However, there has been no indication to date that the AG’s office intends to stall enforcement, and according to a report from the International Association of Privacy Professionals, the AG’s office has confirmed that no delay is forthcoming.  Accordingly, businesses are left to push forward implementation as many compliance offices are working from home and managing extraordinary needs in light of the COVID-19 crisis.

For more resources and information on CCPA compliance planning, visit Sidley’s CCPA Monitor.