On June 1, California’s Office of the Attorney General submitted the final proposed regulations package for the California Consumer Privacy Act to the Office of Administrative Law for review. Included in this package is the Final Statement of Reasons, explaining the modifications from the initially proposed text of the regulations, as well as a summary of all the comments received during the rulemaking process and the OAG’s responses, attached as appendices A, C, and E to the FSOR.
For businesses or practitioners dealing with compliance issues, the OAG commentary is an important resource to consider.
The OAG’s responses address why certain modifications were made (or not) to the proposed regulations, confirm and clarify how it is interpreting certain CCPA provisions, and flag topics the OAG is still considering. They also appear to provide some insight regarding the OAG’s enforcement focus. There is substantial granularity, as the comments and responses are organized by the specific sections and subsections of each regulation. Together, Appendices A, C, and E total almost 500 pages. Reviewing a few of the regulatory provisions illustrates how this commentary may help inform compliance decisions.
The importance of notices, privacy policies and the “do not sell” link
Not surprisingly, the need to comply with the CCPA’s notice obligations is a focus of the OAG’s comments. The OAG repeatedly emphasizes the distinction between a business’ statutory obligation to provide different notices to consumers and simply having a privacy policy. For example, in Response 105/Appendix A, the OAG stated “[n]othing in (the CCPA) Section 1798.130 indicates that the online privacy policy constitutes notice at collection.” While a business may, at its discretion, include information regarding the notices in its privacy policy, “this does not absolve the business from complying with its statutory requirements to separately provide a notice at collection, notice of right to opt-out, and notice of financial incentive.”
The responses similarly stress the requirements regarding the right to opt-out. Response 267/Appendix A reiterates the CCPA requires a business selling consumers’ personal information to provide notice of the right to opt-out and “a clear and conspicuous link” titled “Do Not Sell My Personal Information” on its homepage, separate obligations from what must be disclosed in a privacy policy. Making sure businesses are providing the required “do not sell” link is expected to be a focus for the attorney general’s office based upon its July 1 news release and the comments by Supervising Deputy Attorney General Stacey Schesser of California’s Department of Justice during an IAPP Keynote session regarding CCPA enforcement.
The OAG rejected the suggestion of certain circumstances, such as an applicable exemption, that might limit a business’ obligation to provide information to consumers. In Response 264/Appendix A, the OAG emphasized the CCPA “requires a business to disclose certain information in the required notices and privacy policy.” It strongly stated, “CCPA-mandated disclosures are required even if the business is not required to comply with the consumers’ exercise of their rights.” In Response 311/Appendix A, the OAG disagreed with comments taking the position a business that does not sell personal information does not need to include an explanation of the right to opt out in its privacy policy. It noted the CCPA requires that “the privacy policy include a description of consumers’ rights, even when a business does not have to comply with the consumer’s request.”
No blanket exemption for trade secrets and intellectual property
Several of the comments raise the issue of the CCPA potentially requiring disclosure of proprietary and/or trade secret information. While CCPA Section 1798.185(a)(3) discusses the attorney general adopting regulations regarding “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights ...,” there is no such exemption in the final proposed regulations.
For businesses concerned about this issue, the OAG’s responses to these comments are instructive.
Responses 323 and 901 in Appendix A address comments seeking an exemption from the CCPA for proprietary information, intellectual property or trade secrets. In a lengthy commentary, the OAG rejected these requests. It determined “the comments fail to show how an exemption for protection of intellectual property rights is necessary” as they “fail to explain how a consumer’s personal information collected by the business could be subject to the business’s copyright, trademark, or patent rights, or how a business could possibly patent, trademark or copyright a consumer’s personal information” (Response 901/Appendix A).
The OAG’s responses also noted that even if a consumer’s personal information could potentially be considered a trade secret, “neither federal nor state law provides absolute protection for trade secrets.” Importantly, the OAG concluded, “a blanket exemption from disclosure for any information a business deems could be a trade secret or another form of intellectual property would be overbroad and defeat the Legislature’s purpose of providing consumers with the right to know information businesses collect from them.”
There also were comments specifically challenging the obligation in the Notice of Financial Incentive, Section 999.307(b)(5), requiring businesses to provide a “good-faith estimate of the value of the consumer’s data” on the grounds disclosing the “description of the method the business used to calculate the value of the consumer’s data” as required by the regulation involves proprietary information. The OAG similarly rejected this position, finding the comments did not adequately demonstrate the information was a “trade secret,” referencing the definition in California’s Uniform Trade Secrets Act, Section 3426.1 (Response 247/Appendix A and Response 25/Appendix E).
The OAG again reiterated the protection of trade secrets is not absolute and allowing a broad exemption in this context “would be overbroad and defeat the Legislature’s purpose of protecting consumers’ privacy and prevent discrimination against consumers who exercise their privacy rights.”
Disclosing consumer request metrics is “necessary” to assess compliance
The OAG commentary explains its position regarding the mandatory disclosures for businesses handling a large amount of consumer data. Section 999.317(g) of the proposed final regulations requires a business “that knows or reasonably should know” it buys, receives, sells or shares the personal information of 10 million or more consumers in a calendar year to compile and disclose specific information regarding consumer requests. The OAG disagreed with a comment requesting this provision be eliminated because it exceeded the scope of its authority, stating in Appendix A/Response 652, “the regulation is necessary” and “the value of public disclosure outweighs the burden.” In the FSOR, the OAG explained “the compilation and reporting metrics are reasonably necessary to measure compliance with the CCPA,” noting the benefit of assessing whether response times are complying with the required 45-day timeframe, understanding whether requests “are systemically being denied,” and having transparency regarding the number of requests being received.
In both the FSOR and other Appendix A comments, the OAG also noted the public disclosure of this information will allow “academics, consumer advocates, business groups, and others to research and analyze this data.”
The OAG increased the reporting threshold from 4 million to 10 million to lessen the burden on small businesses, as explained in the FSOR. Ten million consumers represent approximately 25% of California’s population. In response to comments expressing concern over the difficulty of following this reporting requirement, the OAG makes clear compliance is expected, stating “[b]usinesses that are managing the personal information of roughly 25 percent of California’s population shall make good faith efforts to develop systems that would track their compliance with the CCPA and these regulations” (Appendix A/Comment 658).
There may be additional regulations
Rulemaking for the CCPA was an involved process, with multiple rounds of revisions to the initial proposed regulations. The OAG responses suggest it may not be over, as it continues to look at particular issues raised by the comments. In many of its answers, the OAG stated it “has prioritized the drafting of regulations that operationalize and assist in the immediate implementation of the law. Further analysis is required to determine whether a regulation is necessary on this issue.”
Areas in which the OAG indicated it may be considering further regulation include:
Definitions
The first modified regulations proposed in February 2020 included a new provision, Section 999.302 Guidance Regarding the Interpretation of CCPA Definitions. It offered further guidance regarding whether the information is “personal information” and included a specific example of a business collecting IP addresses. The second set of modifications issued in March 2020 deleted this provision. However, in Response 9/Appendix E, the OAG stated “[f]urther analysis is required on this issue.” The OAG’s responses also indicate it may take a closer look at whether certain definitions, including “business,” “business purpose” and “sale” require regulation.
The opt-out button
CCPA Section 1798.185(a)(4)(C) refers to the attorney general adopting regulations related to “the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.” The first modified regulations included an opt-out button in Section 999.306(f) that was deleted in the second set of modifications. In Response 84/Appendix C, the OAG stated it deleted the proposed regulation “to further develop and evaluate” a uniform opt-out logo or button.
Templates/samples
Many of the comments asked the attorney general to provide models, sample language or templates for businesses to use. The OAG’s responses suggest it is considering these requests.
Conclusion
The OAG’s responses contain useful information regarding its rationale for the modifications to the regulations and its decision not to accept certain comments.
There are still unanswered questions, as identified here and in this piece for the IAPP’s Privacy Tracker by Husch Blackwell's David Stauss, CIPP/US, CIPT, FIP, and Malia Rogers, which analyzed the OAG’s comments with respect to cookies and tracking technologies. Additional regulations appear to be a real possibility and if the California Privacy Rights Act ballot initiative passes in November, this will further impact CCPA compliance and the regulatory framework.
The IAPP will continue to monitor and report on this changing landscape.