California AG Issues Revised CCPA Draft Rules
On Friday, with just under five months to go until CCPA is enforced, California's Attorney General released a modified version of draft regulations for implementing the law.
While the California Consumer Privacy Act (CCPA) is already off the ground and in effect in the Golden State, how exactly the state's landmark privacy law will be enforced is still somewhat up in the air.
Much like the CCPA in the weeks and months leading up to the January 1, 2020 effective date, obligations and best practices under the legislation remain fluid.
California’s Attorney General Xavier Becerra released an updated set of draft rules (.PDF) on Friday designed to better inform organizations how to follow the law before it becomes enforceable on July 1.
The updates modify a set of draft rules released by California AG's Office last October and cover general provisions, notices to consumers including guidance about the right to opt out of the sale of their personal data, and further instructions to businesses for handling consumer requests.
The 32-page document includes a redlined version of the revised regulations. The changes are in red, proposed additions to the regulations are in red, double underline.
Looking through the document, there are dozens of changes.
Among the updates is a clarification around the interpretation of what the CCPA considers “personal information.” Using the example of IP addresses, the AG's draft rules say if a business collects the IP addresses of visitors to its website but doesn’t link it to a consumer or household, then the data would not be considered "personal information" under CCPA. One could frame this guidance to suggest that whether or not information is considered personal data depends on how a business stores it.
Under the CCPA data is considered personal if it “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
Also among the updates are clarifications around whether or not service providers should retain personal information it gathers. According to the updated guidance, it's only allowed when used to detect data security incidents, to carry out services within a written contract, and to improve the quality of its services while not building or modifying data profiles. Still, service providers can't sell this data after a consumer as opted out.
The update also tweaks the ways businesses can handle consumer requests. If a business operates online, it needs to provide an email address for consumers whose information it collects to submit requests. If a business interacts with consumers in person, it should consider providing an in-person method, like a printed form the consumer can submit, a tablet or portal which allows consumers to complete and submit online forms in person, or a toll-free number.
Whatever way a business decides to allow consumers to submit opt out requests, it should be "easy" and "require minimal steps."
"A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer's decision to opt out," the draft regulations read. Furthermore, businesses cannot require the consumer to pay a fee when it comes to verifying their request to know or delete.
Under the new draft rules, businesses have 10 business days to inform a consumer how it will process the request, then 45 calendar days to respond.
When it comes to responding to a consumer's request to either know or delete information, businesses are only required to search for personal information if each of the following conditions are met:
- The business does not maintain the personal information in a searchable or reasonably accessible format;
- The business maintains the personal information solely for legal or compliance purposes;
- The business does not sell the personal information and does not use it for any commercial purpose; and
- The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
The guidance also clarifies the location - to the left of text - of buttons intended to go on sites next to "Do Not Sell My Personal Information" and "Do Not Sell My Info" links on business webpages:
While the modified proposed rules are a good example of how the CCPA continues to be in constant flux, it should help privacy stakeholders at least get an idea of what AG Becerra's final rules will look like.
Those interested in keeping track of the CCPA and the AG's rulemaking process should stay glued to the AG's CCPA site, which keeps track of iterations of the document throughout the process. Becerra has set a deadline, 5 p.m. PT on February 24, for organizations to submit comments on this updated draft.