CCPA Update: Attorney General Releases Third Draft of Proposed CCPA Regulations
On Wednesday, the California Attorney General (AG) released a third draft of proposed CCPA regulations for public comment. The draft contains a series of technical corrections, along with a handful of substantive incremental modifications to the prior draft. The limited number of changes signals that the rulemaking process is reaching an end.
The following is a summary of key modifications the AG is proposing in the latest draft:
- Service Providers – The AG revised the exemptions to the general rule that service providers may not retain, use, or disclose personal information obtained in the course of providing services.
Second, the AG edited a clause that allowed a service provider to use personal information for internal purposes to build or improve the quality of its services. The AG clarified that the exemption does not allow a service provider to build or modify consumer profiles to use in providing services to another business; or correcting or augmenting data acquired from another source. These clarifications indicate that the AG seeks to limit a service provider from using personal information it obtains through providing a service to develop consumer profiles that it can resell.
- Removal of Opt Out Button – In the prior draft of the regulations, the AG proposed a standard opt out button and logo for the industry to adopt. But the opt out button came under scrutiny in comments submitted by Lorrie Cranor of Carnegie Mellon University, which highlighted usability issues presented by the color and appearance of the AG’s proposed button. Cranor's team noted that the icon looked deceptively like an actual toggle switch, and when combined with its red color, could be misinterpreted as indicating an off-state. "[A] consumer may misinterpret the [AG] toggle icon as an indication that they have already opted-out of the sale of their personal information,” Cranor’s team wrote. In the latest version, the AG removes all reference to the opt out button.
- Exemption from Notice at Point of Collection – A business that does not collect PI directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information.
- Guidance on IP Addresses – The AG abruptly removed guidance indicating that an IP address that does not link to a particular consumer or household would not be “personal information.” The new draft does not include new guidance, however, leaving the prior guidance as the only interpretation issued by the AG on whether IP addresses are “personal information.”
- Privacy Policy Disclosures – The AG restored language from the first draft of the regulations requiring a business to identify the categories of sources from which personal information is collected and the business/commercial purpose for collecting or selling personal information, both in a manner that provides consumers a meaningful understanding of the information disclosed. The new language does not require these disclosures “for each” category of personal information.
- Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld. For example, a business should not provide an actual social security number, but should state that it holds the consumer’s social security number.
- Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt out of the sale of their personal information.
- Definition of a Financial Incentive – The AG removed a confusing element of the definition of a financial incentive that had previously indicated that a program, benefit, or other offering, including payments to consumers, would be a “financial incentive” where a company compensated the disclosure, deletion, or sale of personal information. The AG clarified that a financial incentive relates instead to the collection, retention, or sale of personal information.
- Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.