By June Coleman
Managing Counsel, Messer Strickler Ltd.
The California Attorney General issued updated proposed regulations this month that provide additional guidance for businesses required to follow the California Consumer Privacy Act (CCPA) to evaluate their data privacy policies and procedures.
The attorney general issued modifications to previously proposed regulations for the CCPA on Feb. 7, 2020 and shortly after updated those modifications on Feb. 10.
The CCPA applies to certain businesses that fall under one or more of the following criteria:
- Annual gross revenues of more than $25 million;
- Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more California consumers, California households or devices;
- Derive 50% or more of annual revenue from selling consumers’ personal information.
In the updated proposed regulations, Regulation 999.301 clarifies the sources of information requirement by setting forth examples of categories of sources that could include advertising networks, internet service providers and data brokers. The attorney general also modified Regulation 999.301 to clarify that a third-party authorization may have a “wet” signature or an electronic signature that complies with California Civil Code section 1633.7, et seq., the California Uniform Electronic Transactions Act.
One very important clarification is contained in Regulation 999.302, which states:
“[I]if a business collects the IP address of visitors to its website, but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
When to Send a Privacy Notice
As a refresher, key requirements of the CCPA, according to the attorney general, include:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
- Consumers have a right to request what information is collected; and
- Businesses are required to provide a privacy notice prior to collecting information from a consumer.
However, if the privacy notice is online, the content must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1, of June 5, 2018, from the World Wide Consortium to make the notice reasonably accessible to consumers with disabilities. Reference to the World Wide Consortium guidelines addresses Americans with Disabilities Act (ADA) compliance, which is a new litigation area that the collection industry should be aware of going forward.
Privacy Notice Contents
The California Attorney General also clarified the contents of the privacy notice required in Regulation 999.305 by allowing the notice to state the purpose of gathering all information, rather than the purpose for each category of information.
Requests to Know
Regulation 999.312 previously required two or more designated methods for submitting requests to know one being a toll-free number and the other being an online request form, if the business operated a website. The amendment to Regulation 999.312 keeps the toll-free number requirement, but allows the business to choose a second method, such as an email address, an online form, or a paper form to be submitted in person or by mail. And Regulation 999.313 has been amended to allow confirmation of a request for information or deletion to be made within 10 business days, expanded from 10 calendar days, if the business has not already responded to the request. Regulation 999.313 also clarifies that a business can deny a request if the business cannot verify the consumer’s identity within the 45-day response time period.
Regulation 999.313 also clarifies that a business need not search for personal information to respond to a request to know if the business does not maintain the personal information in a searchable or reasonably accessible format, the information is maintained solely for legal or compliance purposes, the business does not sell personal information or use it for any commercial purpose, and the business describes to the consumer the categories of records that may contain personal information that the business did not search. This would appear to relate to the inability to search collection notes for specific information, such as downloaded information from a credit report or prior phone numbers or addresses. The problem with this amendment is that credit report information and old phone numbers or addresses are not maintained solely for legal or compliance purposes.
More information on the text of the proposed regulations is available on the California Attorney General’s CCPA website.
Because of these modifications, there is a new comment period on the CCPA proposed regulations. All written comments must be submitted to the California Attorney General’s Office no later than 5 p.m. on Feb. 25, 2020, by email to [email protected], or by mail Lisa B. Kim, Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013.
The following article was contributed by a member of ACA International’s Member Attorney Program (MAP) committee. ACA Daily will publish future legal analyses and thought pieces written by members of this important committee.