California AG Issues Third Draft of CCPA and Holds Tight on July Enforcement
In mid-March, California Attorney General Xavier Becerra released the third set of California Consumer Privacy Act (CCPA) draft regulations. Around the same time, a number of business and trade organizations pleaded with the California AG to delay plans for enforcement due to the COVID-19 outbreak. Enforcement is currently scheduled to begin on July 1 of this year, the first day the AG is permitted to bring enforcement actions under the CCPA. Thus far, the California AG has resisted the movement to delay enforcement.
Whether enforcement ultimately gets delayed officially by the California AG or, more likely, due to scarcity of resources, the need to complete CCPA preparations and understand the new proposed regulations remains. Becerra has indicated that the AG's office is empowered to enforce non-compliance dating back to January 1, 2020, the CCPA's effective date. Businesses should anticipate enforcement on significant violations that occur between the effective date and the beginning of enforcement.
Businesses also need to increase their focus on cybersecurity. The CCPA's private right of action permitting consumers to sue on claims arising from a data breach is currently in effect. With numerous reports of wrongdoers taking advantage of people's fears relating to COVID-19, companies should reemphasize their employee training and messaging around phishing attacks. The CCPA draft regulations do provide some help on this front in that businesses are not required to disclose social security numbers, account numbers, passwords, biometric data, etc. in response to a request to know. Under the new draft, however, the business must inform the consumer with particularity that it has such data.
What's Different in the Third Draft
As to the other specifics in the third draft of the CCPA rules, there are a few minor wording changes in the text and a few provisions to examine more closely. Deletion of §999.302 – Guidance Regarding the Interpretation of CCPA Definitions may initially cause alarm. That section in the second draft gave an example where an IP address is collected but not tied to personal information. Because IP addresses are so widely collected, businesses are rightfully concerned that the definition of personal information could include any collection of IP addresses. While the language in the second draft provided some comfort on that issue, presumably it was removed because the CCPA itself specifically excludes from the CCPA's scope information that is not linked to an individual consumer or household.
Another welcome provision in the second draft was language permitting a service provider to "use personal information to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles . . ." The new draft clarifies that the building or modifying of profiles is only prohibited when used "in providing services to another business." That likely means that profiles can be used to improve a service that is sold to other businesses as long as the profiles themselves are not used by the other business.
In terms of privacy notices, the second draft deleted language requiring that categories of sources be listed for each category of personal information collected. That original language resulted in some complex disclosure matrices for businesses trying to fully map to the CCPA categories of personal information. While the second draft made this notice requirement a bit easier, the third draft did add that categories of sources need to be identified, at least in a manner that gives the consumer a reasonable understanding of the source. The new version also requires disclosure of the business or commercial purpose for collecting the information.
Service providers that are truly behind the scenes will welcome the addition of §999.305(d) providing that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer's personal information. Service providers will also find some relief in new language that allows a service provider to process personal information if "directed by" the business. The prior version required that the services be "specified in the written contract." A written contract is still required, but it can describe the services more generally.
Request to Delete
The first version of the regulations mandated that denial of a deletion request based on a failure to verify be treated as an opt-out of any sales. Some commenters pointed out that this could allow a bad actor to disrupt the relationship between the consumer and the business by submitting a false deletion request. Version two addressed this by requiring a business to ask the consumer if the consumer wanted to then opt out. Version three moved this provision to its own paragraph but did not provide any clarity on timing. The opt-out option could cause practical challenges if the response to a deletion request is not recorded and considered in connection with a later sale of information. §999.313(d)(7) requires a business that denies a request to delete to affirmatively ask the consumer if the consumer would like to opt out of a sale if that consumer has not already made an opt-out request. Complying with this provision would require businesses to review past deletion rejections prior to any sale of personal information and provide the opportunity to opt out even if the sale occurs significantly later in time than the rejection.
With July 1 fast approaching, businesses should do their best to adapt to these regulations while they move through the finalization process.