One revision, two revisions … three revisions or more?: The California Attorney General Releases A Second Round of Edits to its Draft CCPA Regulations

By: Nicole Kardell

While the world is uni-focused on the Corona virus, companies doing business in California and impacted by the California Consumer Privacy Act must face another dizzying round of revisions to the California Attorney General’s draft implementing regulations. The AG released its latest set of revisions on March 11, providing an additional notice and comment period through March 27.

The latest round of revisions reveals the tension between business concerns and consumer advocacy groups’ priorities. The AG seems to be seesawing between the two. Certain business concerns were addressed in the first set of revisions (released February 10). The latest round of revisions has the AG backpedaling a bit in favor of consumer advocates’ concerns. Will the AG seesaw again before finalizing the regulations? Some believe that we are nearing the end of the drafting stage, but given the development and subsequent retraction of certain standards, it is hard to predict (1) when the AG will finalize and (2) whether any additional revisions will provide relief or additional burdens to businesses.

One of the disappointments from a business perspective is that the AG removed one of its February 10 clarifications to the definition of personal information. The February round of revisions added guidance to what constituted personal information, noting that data would not be classified as “personal information” if the business does not, and cannot, reasonably link it to a particular consumer or household. The proposed revision would have provided some relief to businesses that collected certain device details for purposes outside of building consumer profiles. But alas, that relief is no more (for now). See 11 CCR § 999.302 (now deleted).

The March revisions also restored requirements from the original draft regulations regarding privacy notice requirements. The February revisions had deleted the requirement that businesses provide detail on the sources from which the receive personal information and the purposes for which they collect or sell that information. The March revisions reinstitute these requirements, largely restoring the original language (absent disclosure of third parties). See 11 CCR § 999.308(c)(1)(e)-(f).

There are also some new and important limitations for companies acting as service providers under the CCPA framework. The March revisions remove and replace an exemption applicable to service providers regarding how they can use personal information to perform services generally. They are limited to uses outlined by the business from which they received the personal information and their contract with that business. A further clarification narrows service providers’ ability to retain, use or disclose personal information for internal use. Service providers cannot use to build or modify consumer profiles to use in services for other businesses. See 11 CCR § 999.314(c)(1)-(3).

Some other changes of note:

• Requests to Know Sensitive Information: where a business is withholding sensitive data, the March revisions would require the business to provide a description of the information withheld (e.g., not the actual Social Security Number, but that it has the Social Security Number, or, not the actual thumbprint, but that it has biometric data including a thumbprint). See 11 CCR § 999.313(c)(4).
• Request to Delete: where a business sells a consumer’s personal information and denies a deletion request, the March revisions would require the business to ask the consumer if he or she wants to opt out of the sale. See11 CCR § 999.313(d)(7).
• Do Not Sell: the March revisions remove the proposed standard opt out button and logo that was provided in the February revisions for businesses to adopt. See11 CCR § 999.305
• Privacy notice: businesses that do not collect personal information directly from consumers and do not sell that information, do not need to provide notice at collection under the March revisions. See11 CCR § 999.305.
• Redefining Financial Incentive: the March revisions clarify that a financial incentive relates to the collection, retention, or sale of personal information. 11 CCR § 999.301(j).
• Metrics Revisions for Businesses Collecting/Processing Data on 10M+ Consumers: the March revisions limit the requirement to disclose metrics when a business buys, receives, sells, or shares the personal of more than 10 million consumers in a calendar year only to where the business knows or should reasonably know

Given that the CCPA has been in effect since January 1 of this year and the Attorney General is slated to started enforcing the law as of July 1, businesses would be justified in frustration they experience or express.  But stay tuned as we await more comments through March 27 and a possible third set of revisions…