On March 11, 2020, the California Attorney General (AG) issued a second set of modified proposed regulations (2nd Modified Regulations) implementing the California Consumer Privacy Act (CCPA). The 2nd Modified Regulations walk back some of the proposed changes in the AG’s February 10, 2020 modified proposed regulations (Modified Regulations) to the October 10, 2019 initial proposed regulations (Initial Regulations) and further complicate what has been a rocky CCPA rollout process. The 2nd Modified Regulations were accompanied by a Notice of Modifications, which notes that written comments must be filed with the AG by March 27, 2020.
We discuss key changes and their potential impacts on companies below.
The 2nd Modified Regulations would:
- strike the Modified Regulations’ narrowed definition of personal information and revert to the broader statutory definition;
- eliminate the opt-out of sale button guidance in the Modified Regulations;
- clarify that businesses that do not collect personal information directly from consumers need not provide notice at collection unless they sell the personal information;
- reinstate the requirement to describe the categories of sources from which personal information was collected and the purpose for which personal information is collected or sold in privacy policies;
- expand the circumstances in which “user-enabled global privacy controls” must be considered requests to opt out of sales of personal information;
- confirm that “internal use” of personal information when providing services means that a service provider may use the information to build or improve the services but excludes “building or modifying household or consumer profiles to use in providing services to another business”; and
- broaden the definition of “financial incentive” to include incentives that “relate to” the collection, retention, or sales of personal information.
We address each of these changes in turn.
DEFINITION OF PERSONAL INFORMATION
The 2nd Modified Regulations strike the provision in the Modified Regulations that contextualized the scope of personal information under the CCPA. Under the Modified Regulations, information would have qualified as personal information only if the business maintained it in a manner that identifies, relates to, describes, or could reasonably be linked to or associated with a particular consumer or household. A business that maintained an IP address but could not reasonably associate that address with a consumer or household would therefore not have needed to treat it as personal information.
The statutory definition still requires that personal information be reasonably capable of being associated with or linked to a consumer or household. Removing the manner in which the information is maintained from the analysis, however, appears to expand the definition in practice, particularly for the many businesses that rely on IP addresses to provide services but do not otherwise link them to a consumer or household. The walk-back suggests that the AG may interpret personal information expansively. The practical consequence is that unauthenticated website and mobile app use is now much more likely to generate personal information, with the notice, access, and deletion obligations that follow.
OPT-OUT OF SALE BUTTON GUIDANCE
The 2nd Modified Regulations also remove the graphic guidance in the Modified Regulations on implementing the opt-out of sale button. The AG is required by the CCPA to establish rules and procedures “for the development and use of a recognizable and uniform opt-out button or logo,” so presumably that guidance remains forthcoming. Many companies will welcome this change as the guidance was unnecessarily prescriptive and, if implemented as depicted, seemed likely to cause confusion among consumers.
NOTICE AT COLLECTION
The 2nd Modified Regulations clarify that businesses that collect personal information from sources other than the consumer need not provide notice at collection if they do not sell the personal information collected indirectly. Under the Modified Regulations, only registered data brokers were exempt from the notice at collection requirement; a business that collected personal information indirectly but did not sell it received no exemption. This change removes that anomaly. Companies that collect personal information indirectly (for example, by searching the Internet) but do not sell the information no longer need to provide notice at collection to consumers with whom they have no direct relationship.
PRIVACY POLICY DISCLOSURES
The 2nd Modified Regulations reinstate the requirement that a privacy policy describe the categories of sources from which personal information was collected, the business or commercial purposes for which it was collected, and the purposes for which personal information is sold. These requirements were in the Initial Regulations until the Modified Regulations removed them last month.
Companies that posted privacy policies anticipating that the streamlined requirements from the Modified Regulations would be adopted in the final regulations should now assess whether further updates are required.
USER-ENABLED GLOBAL PRIVACY CONTROLS
Under the Modified Regulations, user-enabled privacy controls, “such as a browser plug-in or privacy setting,” must be treated as requests to opt out of the sale of personal information. The 2nd Modified Regulations delete the provision of the Modified Regulations that indicated such privacy controls “shall require that the consumer affirmatively select their choice to opt-out and shall not be designed with any pre-selected settings.” The requirement that such controls “clearly communicate or signal” a consumer’s intention to opt out of sales remains.
Under the Modified Regulations, it was not clear whether existing privacy controls, such as cookie blockers and “Do Not Track” settings, would qualify as requests to opt out of sales. The deletion in the 2nd Modified Regulations does not resolve this question, since it remains unclear whether these controls clearly communicate an intent to opt out of sales. Removing the affirmative selection requirement does, however, appear to lower the bar for demonstrating that intent. This will likely encourage the development and adoption of user-enabled privacy controls, which in turn expands the list of mechanisms that companies must be prepared to treat as opt-out requests and may increase the volume of opt-out requests that companies must handle.
SERVICE PROVIDERS/INTERNAL USES OF PERSONAL INFORMATION
Under the Initial Regulations, a service provider was not permitted to use personal information received from one customer to provide services to another customer. The Modified Regulations clarified that a service provider was permitted to retain, use, or disclose personal information for the service provider’s “internal use” to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.
The 2nd Modified Regulations retain the permissible internal use for service providers and reiterate that this excludes building or modifying household or consumer profiles “to use in providing services to another business.” Service providers will be disappointed that this common market practice, using profiles derived from one customer’s data to serve other customers, could be prohibited by the final regulations. The 2nd Modified Regulations signal that the AG will closely scrutinize such practices and any arguments supporting them.
Bottom line: Internal uses to build or modify profiles for the service provider’s own use will be permissible, but the 2nd Modified Regulations will likely have a material practical impact on service providers who currently (or intend to) use those profiles to provide services to other customers.
DEFINITION OF FINANCIAL INCENTIVE
The Modified Regulations defined a “financial incentive” (which triggers certain disclosure requirements) as “a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information.” The 2nd Modified Regulations broaden this definition to “a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.” The shift from incentives offered “for” the disclosure, deletion, or sale of personal information to incentives “related to” its collection, retention, or sale is significant: if adopted, it could sweep in loyalty, rewards, and similar programs that were not previously treated as financial incentives and subject them to the notice of financial incentive requirements. Businesses should closely examine current incentive and advertising practices in light of this proposed change.
Given the CCPA’s rulemaking history, one or more further rounds of modified proposed regulations are possible, even as the July 1, 2020 enforcement date rapidly approaches. With several key issues yet to be resolved, companies should continue their good faith compliance efforts while monitoring developments. We will continue to keep you apprised of key developments and guidance.
To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and Chair of the Privacy & Cybersecurity practice, or Karen L. Neuman, partner and privacy lead.