CCPA Update: Amendments Signed and Draft Regs Released
On October 11, 2019, California Governor Gavin Newsom signed into law several legislative proposals to amend the California Consumer Privacy Act (“CCPA”). The CCPA amendments clarified several important issues, including:
- AB 1355 – exempts deidentified or aggregate data from the definition of “personal information.” It also creates a one-year exemption for certain business-to-business (B2B) communications or transactions, pushing the compliance date for B2B information to January 1, 2021.
- AB 25 – modifies the CCPA so that the law does not cover the collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors until January 1, 2021.
- AB 1202 – requires data brokers to register with the California Attorney General.
The next opportunity to amend the CCPA will occur during the 2020 legislative session.
The day before the amendments were signed, California Attorney General Xavier Becerra released proposed implementing regulations for the CCPA, which are now subject to public comment prior to finalization. The proposed regulations shed light on how Attorney General Becerra is interpreting and will be enforcing key sections of the CCPA.
The new regulations cover several topics:
- Notice. The proposed regulations detail the notice required to be provided at the time of data collection, and distinguish between online and in-person collection. The regulations outline the notice that must be provided to consumers about how to exercise an opt-out request. For businesses offering financial incentives or price or service differences, the regulations also describe the specific notice that must be provided about those offerings.
- Handling Consumer Requests. The draft regulations propose extensive, standardized procedures businesses should have in place to process consumer requests to exercise their rights under the CCPA. The regulations outline a two-step process for the exercise of certain consumer rights, including deletion and opt-out. They require businesses to confirm receipt of such requests within 10 days, in addition to responding to the request within 45 days from the date of receipt. The proposed regulations also require that businesses treat user-enabled privacy controls, such as browser plugins or privacy settings, as a valid request to opt out.
- Verification Procedures. Businesses are required by the proposed regulations to establish a reasonable method to verify – “to a reasonable degree of certainty” – that the consumer making a request is the individual about whom the business has collected information, including that the business satisfy a minimum number of verification points depending on the type of information involved. The proposed regulations tie the level of verification required to the sensitivity of the data.
For a request made by an authorized agent, the proposed regulations provide that the business may require written permission from the consumer and that the consumer verify their own identity directly with the business, unless the consumer has provided the agent with power of attorney pursuant to probate laws.
- Service Providers. The proposed regulations clarify that a service provider shall not use personal information it collects from a business or consumer in connection with its provision of services to another person or entity. However, a service provider may combine personal information to the extent necessary to detect data security incidents or protect against fraud or illegal activity.
- Training and Record-Keeping. The proposed regulations require that all individuals responsible for handling consumer inquiries receive training about CCPA requirements. Businesses are required to retain records of all consumer requests, including all responses by the business to the consumer, for at least 24 months. The record-keeping requirements are more onerous for businesses that buy or sell personal information of four million or more California consumers.
- Special Rules Regarding Minors. The CCPA requires that minors under 13 years of age affirmatively opt in to the sale of their personal information. The proposed regulations require that businesses establish a reasonable method for verifying the identity of a parent or guardian of a child who would be exercising the opt-in on behalf of their child. The regulations also set out special requirements for notices to minors under 16 years of age. Businesses will need to marry the regulations with current compliance with federal requirements.
- Non-Discrimination. The draft regulations provide additional guidance on how to comply with the CCPA’s non-discrimination provisions. In particular, the regulations provide detail on calculating the value of consumer data for purposes of determining whether a price or service difference is “reasonably related” to the value of the consumer’s data.
The CCPA will take effect January 1, 2020, and enforcement by the Attorney General will begin six months after the final implementing regulations are published, or on July 1, 2020, whichever comes first.
Chair, Technology and Intellectual Property Section