On March 11, The California Attorney General (CA AG) released a second set of modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications update the initial draft regulations published on October 11, 2019 as well as the first set of modified draft regulations published on February 10, 2020 (as we previously covered here and here). The second set of modifications contain a small number of impactful changes, which we summarize below.
The CA AG will accept public comments on this second set of modified draft CCPA regulations until Friday, March 27, 2020 at 5 pm PDT.
Below is a summary of key changes:
- Revised the definition of “financial incentive” to mean a program, benefit, or other offering, including payments to consumers, “related to the collection, retention, or sale” of personal information (the previous definition covered programs, benefits, or other offerings “as compensation for the disclosure, deletion, or sale” of personal information).
Guidance Regarding the Interpretation of CCPA Definitions
- Eliminated entirely the guidance regarding how to interpret “personal information.”
Notice at Collection of Personal Information
- Exempted a business that does not collect personal information directly from a consumer from the obligation to provide notice at collection if the business does not sell the consumer’s personal information.
Notice of Right to Opt-Out of Sale of Personal Information
- Eliminated the uniform logo for the sale opt-out.
Responding to Requests to Know and Requests to Delete
- Added a requirement for businesses that are withholding certain types of sensitive information when fulfilling a request to know specific pieces of personal information (e.g., SSNs, government IDs, financial account numbers, etc.) to inform the consumer with sufficient particularity that it has collected the type of information being withheld.
- Clarified that a service provider can collect information “about a consumer” on behalf of another business, even if that information is not collected directly from the consumer.
- Revised two of the exceptions to the prohibition on a service provider from retaining, using, and disclosing personal information obtained in the course of providing services:
- A service provider may “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.”
- A service provider may use personal information for internal use to build or improve services, provided the use does not involve building or modifying profiles “to use in providing services to another business” or for “correcting” or augmenting data acquired from another source.
Requests to Opt-Out
- Removed the requirement that privacy controls (such as a browser plugin or privacy setting) require that a consumer affirmatively select their choice to opt-out and not be designed with any pre-selected settings.
Calculating the Value of Consumer Data
- Clarified that when calculating the value of consumer data, a business may consider the value to the business of the data of all natural persons in the United States, not just consumers (the previous draft permitted a business to consider the “value of the data of all natural persons”).
Redline and clean versions of the second set of modified draft regulations, along with the CA AG’s Notice of Second Set of Modifications and previous versions of the draft regulations are available on the CA AG’s CCPA Website.