The California Attorney General (AG) recently published modified proposed California Consumer Privacy Act (CCPA) regulations. Comments on the modified proposed regulations must be submitted by 5:00 PM (PST) on February 25, 2020.
The modified proposed regulations incorporate the recent amendments to the CCPA that were enacted after the AG issued the original proposed regulations on October 10, 2019. They also reflect the public comments that the AG received on the original proposed regulations.
Notices to Consumers
Changes to the original proposed regulations regarding the required notices to consumers include, in part, the following:
- To satisfy the requirement that the notice at the point of collection be accessible to consumers with disabilities, businesses providing online notices must follow generally recognized industry standards (e.g., the Web Content Accessibility Guidelines from the World Wide Web Consortium).
- When personal information (PI) is collected over the telephone or in person, a business may provide the notice required at the point of collection orally.
- A just-in-time notice is required when a business collects PI from a consumer’s mobile device for a purpose that the consumer would not reasonably expect.
- The modified proposed regulations provide a model opt-out button and specifically state how it should be displayed on a business’s webpage.
Business Practices for Handling Consumer Requests and Verification of Requests
Changes to the original proposed regulations regarding how businesses must handle consumers’ requests include, in part, the following:
- A business that operates exclusively online and has a direct relationship with consumers is only required to provide an email address for submitting requests to know.
- The modified proposed regulations also clarify the information that must be disclosed to consumers when a business responds to requests to know. Moreover, in responding to a request to know, a business is not required to search for PI if the business: (i) does not maintain PI in a searchable or reasonably accessible format, (ii) maintains PI solely for legal or compliance purposes, (iii) does not sell PI nor use it for any commercial purpose, and (iv) describes to consumers the categories of records that may contain PI that it did not search because it met the aforementioned required conditions.
- A business is prohibited from requiring a consumer to pay a fee for the verification of a request to know or request to delete (e.g., the business “may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization”).
- In connection with requests to delete, a business is no longer required to specify the manner in which the information was deleted. However, if the business sells PI and the consumer has not already made a request to opt out, the business must ask the consumer if they would like to opt out and include either the contents of or a link to the notice of right to opt out.
- A business that alone or in combination buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes PI of 10,000,000 or more consumers in a calendar year (originally 4,000,000) is subject to additional requirements.
Moreover, the modified proposed regulations: (i) revise the requirements for collecting PI from minors, (ii) clarify how a business can comply with the CCPA’s non-discrimination provisions, (iii) amend and add certain definitions, (iv) include additional illustrative examples for various requirements, and (v) delete certain duplicative provisions. WBK covered the AG’s original proposed CCPA regulations here and the recent amendments to the CCPA here.