On Feb. 7, the Office of the Attorney General of California issued a second draft of its California Consumer Privacy Act regulations, quickly fixed an omission from that draft Feb. 10, and set a Feb. 25 deadline for written comments. While "Version 2.0" of the regulations scales back several of the ways the first version exceeded the plain language of the statute, it keeps the do-not-sell signal requirement and adds proposed restrictions on service provider handling of personal information. 

Definitions

Notable clarifications include: (1) tightening the definition of “household” data as people who not only live at the same address, but also share a common device or service from the business, and are identified as sharing the same account or unique identifier; (2) adding examples of “categories of [data] sources” and “categories of third parties” that must be disclosed to consumers and specifying these “must be described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity” (Sections 999.301(d)(e)); and (3) specifying that whether information is “personal information” depends upon how the information is maintained, so that if an IP address cannot reasonably be linked to a particular consumer or household, it is not personal information (Section 999.302).

Notice

The “at collection” notice requirements have expanded somewhat from "Version 1.0." The regulation appears to require notices on “all webpages where personal information is collected,” as well as both on a mobile app download page “and within the app,” such as through the app’s download page or settings menu. Oral notice would be permissible when information is collected in person or over the phone (Section 999.305(a)(3)(d)). Also, a just-in-time notice requirement for mobile device personal information collection “that the consumer would not reasonably expect” has been added. 

On the other hand, and in line with U.S. Federal Trade Commission guidance, Version 2.0 qualifies with a materiality standard Version 1.0’s opt-in consent requirement for uses of personal information that were not disclosed in the “at collection” notice. Without this change, all uses not disclosed in the initial privacy policy would have required opt-in consent (Section 999.303(a)(5)). This change would drive shorter, easier-to-read “how we use personal information” sections in privacy policies. Similarly, the short form notice appears to no longer require a separate disclosure of the purposes for which each category of personal information collected will be used.

Version 2.0 also simplifies compliance for data brokers that register with the attorney general under California’s data broker registration law (Civil Code Section 1799.99.80) and post a link to their privacy policy, which contains opt-out instructions (Section 999.303(d)). This requirement replaces the more difficult alternatives in Version 1.0 (i.e., either to contact the California consumer before reselling the information and provide the opt-out notice or to obtain an attestation from the data source with a copy of the collection notice that was displayed to the consumer).

Do Not Sell Notice (Section 999.306)

The proposed regulations require opt-in consent, instead of a total ban, for sale of personal information collected when a “do not sell” notice is not posted. Also, Version 2.0 sets out an optional “do not sell” icon but requires the posting of a “do not sell” link regardless of whether the icon is posted.

Responding to requests to know and requests to delete 

Timing

The timeline for initial acknowledgement of a request to know or to delete would be extended to 10 business days.

Requests to know

Version 2.0 adds a consumer’s unique biometric information to the list of sensitive information that must not be disclosed in response to an access request and adds an exception to requests to know for information that is maintained solely for legal or compliance purposes and not otherwise used or disclosed.

Requests to delete

Under the proposed regulations, businesses no longer need to treat an unverified deletion request as an opt-out of sales. Instead, they are permitted to ask the consumer if they would like to opt out of the sale of the personal information. Businesses would also be permitted to retain a record of a deletion request for the purpose of ensuring the consumer’s personal information remains deleted from the business’s records. Version 2.0 also provides some clarity regarding the deletion exception for data stored on backup systems, explaining that personal information does not need to be deleted unless the data in the backup system is restored to an active system or is accessed or used for a sale, disclosure or commercial purpose.

Submitting requests

Version 2.0 also eliminates the previous requirement that businesses with a website must provide an online web form for submitting requests to know. Now, businesses operating exclusively online only need to maintain a consumer request email address for requests. All other businesses must provide a toll-free number and at least one other method for requests. Businesses should consider the method by which they primarily interact with consumers when choosing the additional method for deletion requests.

Service providers (Section 999.314)

The most significant revisions to these rules allow service providers to use personal information for their own internal purposes but bar using it to build consumer profiles, “clean” personal data or augment the data with data obtained from another source. None of these terms is defined, and their meaning is unclear. The revision also clarifies that a service provider, in possession of a request to delete or know, must either act on behalf of the business or inform the consumer they cannot process the request because they are a service provider. 

Requests to opt out (Section 999.315)

The revised rules clarify the opt-out process should be easy to use and allow consumers to exercise their rights without being subject to multiple steps that are intended to or have the effect of burdening the submission of an opt-out. The mechanism must be designed to allow consumers to affirmatively opt out and cannot be designed with any pre-selected settings. Under the proposed regulations, companies would have 15 business days to act on a “do not sell” request upon receipt. They must also notify third parties they may have sold the consumer’s information from the opt-out request and direct them to not sell the consumer’s data during the processing time frame. This replaces the requirement of having to notify all third parties within 90 days prior to the receipt of the consumer’s opt-out.

Request to opt-in after opting out (Section 999.316)

The rule is modified to allow a business to obtain an opt-in, if the customer initiates a post-opt-out purchase of a service. In response to a sale initiated by the customer, the business can request an opt-in after it informs the customer the purchase or requested transaction requires the selling of personal information to third parties. 

Training and record-keeping requirements (Section 999.317)

The most significant change to the requirements under Section 999.317(g) is the modification that applies to businesses that buy, sell or use for commercial purposes the personal information of 10 million or more consumers within a single calendar year. The revision should reduce the application of this reporting obligation and allow more flexibility.

Requests to access or delete household information (Section 999.318)

The revisions add a verified joint request protection that shields the records of other household members from household accounts, unless the requester has the password for a password-protected account. The revisions also clarify that when members of a household are under 13, verified parental consent must be obtained before a business can fulfill requests for access or deletion of specific personal information.

Verification of requests (Section 999.318)

The revisions to the verification requirements prohibit businesses from charging fees to requestors. A fee would include costs that a business requires a consumer to incur to meet the business’s verification process, such as when a business requires a notarized affidavit. To the extent there are costs to consumers for complying with these types of requests, the revisions prohibit these “fees” from being imposed on consumers.

Verification for non-account holders (Section 999.318)

The examples for verifying consumers are revised to include a response to an in-app and (for retailers) providing a transaction amount or item purchased (instead of credit card number).

Authorized agent requests (Section 999.326)

Unlike the statute, the draft regulations allow authorized agent requests to delete and know. Version 2.0 allows the business to require the consumer to provide the agent with a signed permission to submit a request on the consumer’s behalf (mirroring the change in Section 999.315(g)) and directly confirm the authorization of the agent with the business. Version 2.0 includes new obligations on authorized agents: to implement and maintain reasonable security procedures and practices and to restrict use of any information collected from or about a consumer except to fulfill the consumer’s request, for verification or for fraud purposes.

Minors under 13 years of age (Section 999.330)

Version 2.0 fixes a drafting error that would have required opt-in consent for collecting or maintaining personal information of children under the age of 16. It now requires opt-in for “sale” of personal information consistent with the statute language.

Discriminatory incentives to waive rights (Section 999.336)

Version 2.0 goes a step further than the previous version by prohibiting businesses from offering incentives unless they can calculate a good-faith estimate of the value of consumer data or demonstrate the reasonableness of the financial incentive, price or service difference. New examples of discriminatory and non-discriminatory practices are provided.

Calculating the value of consumer data (Section 999.337)

Businesses have the flexibility to “consider” rather than “use” the methods listed in the regulation for calculating the value of customer data and may consider the value of the data of all natural people.
