Insights

Another Round on the CCPA Carousel

Firm Thought Leadership

Modified Regulations to the CCPA issued by the California Attorney General on February 7, 2020. The deadline to submit comments is February 25, 2020.

On the heels of a January 1, 2020 effective date and in response to hundreds of public comments, the California Office of the Attorney General ("Attorney General") released updated Proposed Regulations on Friday, February 7, 2020 ("Modified Proposed Regulations"). With a short public comment period ending February 25, 2020, these Modified Proposed Regulations indicate strongly the direction of the final regulations, which are expected in July 2020.

The following is a summary of the key changes in the Modified Proposed Regulations:

Right to Opt-Out: Under the Modified Proposed Regulations, businesses must honor browser plug-ins, privacy settings, and other user-enabled privacy controls as opt-out requests. Moreover, the Attorney General added that businesses must make it "easy" with "minimal steps" to opt-out of the sale of personal information.

Sale of Personal Information: Under the initially proposed regulations, businesses that do not sell personal information could be exempt from posting a required link to exercise the right to opt-out provided the business affirmatively stated in a privacy policy that it does not and will not sell personal information - a requirement that many criticized as unfair and misleading. In response, the Attorney General removed the latter provision requiring a statement of future intent. With the update, the Modified Proposed Regulations now exempts a business that does not sell personal information from posting the required link provided it affirmatively states in a privacy policy that it does not sell personal information. However, if a business begins to sell personal information, it may not sell the personal information collected while there was no opt-out link unless it obtains affirmative authorization of the consumer.

Sale of Personal Information Graphic: The Modified Proposed Regulation has added a graphic of a sample opt-out button if a business chooses to use one in conjunction with the required link. The update further clarifies that a business collecting only employment-related personal information need not provide an opt-out link, as employment-related information is not subject to many of the CCPA's provisions if collected for certain purposes.

Methods of Submitting Consumer Requests: The Modified Regulations clarify the ways in which businesses may accept requests. If a business operates wholly online and has a "direct relationship" with a consumer, an email address for submitting consumer requests is an acceptable method (and no other method is necessary). All other businesses must still provide at least two methods for consumers to submit requests, but the updates removed the requirement that one of the methods must be accessible through the business's website if the business operates a website.

Right to Know Exception: A business need not search for personal information to respond to a request to know if a set of conditions are met. To meet this new exception, a business must maintain the non-searchable or non-accessible information solely for "legal or compliance purposes," the business must not sell the information or use it for any commercial purpose, and the business must describe to the consumer why the information was not searched.

Verification of Consumer Requests - Fees: The Modified Proposed Regulations clarify that a business is prohibited from charging consumers a fee to pay a third-party verification service provider.

Response to Consumer Requests - Timing and Manner: The Modified Proposed Regulations now provide a business ten business days to respond to a consumer request. It also clarifies that a business may confirm receipt in the same manner - and, if feasible, at the time of submission - as the consumer submitted the request (such as if the consumer submits a request in person or over the phone).

Unverifiable Consumer Requests: A hotly contested topic in the public comments, the Attorney General has removed the requirement that a business treat an unverified consumer request to delete as a request to opt-out of the sale of personal information. Instead, businesses must affirmatively ask the consumer if they would like to opt-out in the event a request is unverifiable.
Additional Consent: Under the CCPA, businesses must inform consumers of the categories of personal information that a business collects about them, along with the purposes for which the business will use each category. Under the Modified Proposed Regulations, explicit consent from the consumer is required for a business to use previously-collected personal information for a purpose that is "materially different" from what was previously disclosed to the consumer.

Non-Discrimination - Financial Incentive Exception: An exception to the CCPA's non-discrimination requirement allows a business to offer financial incentives in the form of rate differentials to consumers who agree to the collection and sale of their personal information. The rate differential, though, must directly relate to the value of the consumer's data. In response to significant criticism, the Attorney General explained that the "value" is the value provided to the business, and a business that is unable to calculate a good-faith value of a consumer's personal information or is unable to show how that value is directly related to the financial incentive simply cannot offer the financial incentive. The Attorney General, though, provided no additional guidance on calculating the value of the consumer's personal information to the business.

Although these regulations are still not final, the Modified Proposed Regulations highlight the key provisions that will likely remain untouched. Public comments for these updates will close on February 25, 2020, giving the public just over two weeks to reply.

For additional information, or support on your CCPA compliance initiatives, contact Cynthia Cole or Matthew Baker in the Baker Botts Privacy and Data Security group.

 

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 725 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.

Related Professionals