Mar 03, 2020

California proposals offer CCPA clarification

The newest proposed regulations to California’s data-privacy law address certain questions but leave others unanswered pending further guidance. Joseph Moreno provides an update on the nation’s most comprehensive regime for protecting consumer information

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, yet it did so with only initial draft regulations in place regarding its implementation and enforcement. Since then, California’s attorney general has issued modified proposed regulations to the data-privacy law, which towers in scope above anything else enacted at the state or federal level in the US.

But while the latest proposed regulations are helpful in clarifying certain issues, the CCPA remains a highly complex law with many new requirements for businesses that handle personal information belonging to California residents (consumers).

In response to industry comments to the initial draft regulations, the modified proposed regulations contain clarifications, many of which are helpful to businesses subject to the CCPA.

Definitions of ‘personal information’ and ‘household’ are revised
The definition of personal information is now limited to data maintained by a business that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’

This means that, for example, the definition does not capture the collection of internet protocol addresses of website visitors where such addresses are not linked to a California resident or household. In addition, the definition of household was revised to apply only where a person or group is resident at the same location, shares a common device or service and is identified by the business using a shared account or identifier.

Notice at collection methods are clarified
The modified proposed regulations provide further context on what the CCPA requires regarding consumer notification at the time personal information is collected. For traditional websites, notice can take the form of a ‘conspicuous link’ to the business’ full data-privacy policy. For mobile applications, it can be a link to the notice on the download page and within the application’s settings menu.

For the first time, a new ‘just-in-time’ notice requirement for mobile applications will require businesses to provide real-time notification if an application would collect information that a consumer would not ‘reasonably expect’ to be collected. The example provided is a mobile flashlight application that collects geolocation information. For information collected via telephone or in person, verbal notice may be given at that time.

Notice at collection requirements are reduced
The initial proposed regulations required businesses to identify sources of collected personal information and disclose the business or commercial purpose for which each category of personal information was collected. The modified proposed regulations simplify this requirement by only mandating a more general description of how each category of personal information will be used.

Data brokers obtain relief
Registered data brokers – defined as businesses that collect and sell personal information of consumers with whom there is no direct relationship – are not required under the modified proposed regulations to provide notice at the time of collection.

Change-in-use notice requirements are relaxed
Under the initial draft regulations, businesses were required to notify consumers if they changed how they used personal information versus the original purpose disclosed at the time of collection. The modified draft regulations only require notice to be given if the new nature of the use is ‘materially different’ from the purposes disclosed in the notice at collection.

Opt-out pass-downs are simplified
The modified proposed regulations continue to emphasize that consumer opt-out requests be easy to execute, and they provide a graphical template for what an opt-out button must look like. They also clarify that global privacy controls elected by consumers must override any business-specific privacy settings, and that discrepancies between the two should be flagged for the consumer.

The modified proposed regulations add a new prohibition: businesses may not sell personal information that was collected without an opt-out notice posted unless they return to the consumer and obtain opt-in consent. But they ease the burden on businesses to pass along consumer opt-out requests for personal information that is sold to third parties. Where previously such requests needed to be conveyed for information that was sold in the previous 90 days, it now will apply only to information sold after the opt-out request was submitted but before it was implemented – a period of up to 15 days.

Access-request exceptions are modified
The initial draft regulations contained an exemption for consumer access requests if providing the personal information requested would be a security risk to the business. The modified proposed regulations deleted this exemption and replaced it with a narrower carve-out if several conditions are met, namely:

  • The business does not maintain the personal information in a ‘searchable or reasonably accessible’ format
  • The business maintains the personal information solely for legal or compliance purposes
  • The business does not sell the personal information or use it for a commercial purpose
  • The business provides the consumers with the categories of records containing personal information that meet these conditions.

Service provider rights are expanded
In addition to services specifically described in a contract with a business, the modified proposed regulations permit service providers to process personal information for several other purposes. This includes internal use to build or improve the quality of its services, detect fraud or cyber-security incidents, and retain and employ subcontractors, as well as to respond to federal or state law enforcement requests.

Enforcement actions under the CCPA will not begin until July 1, 2020, by which time final regulations will hopefully have been published. This means that although the regulations will likely continue to evolve, there will probably not be significant lag time between their final release and the point when compliance will be expected. As a result, data-privacy professionals are well advised to get comfortable with the CCPA’s latest proposed regulations now rather than scramble to get caught up at the 11th hour.

Joseph Moreno is a partner in the white collar defense and investigations group at Cadwalader, Wickersham & Taft