Over the past several weeks, the California Attorney General (“AG”) published revisions to its proposed regulations implementing the CCPA (the “Modified Regulations”), and then further revised the Modified Regulations (“Version 2”). Despite earlier warnings to the business community that AG’s initial draft of Regulations would not materially change, we’ve now seen it happen twice. The full redlines of both the Modified Regulations and Version 2 are available here. This article highlights what’s new, what remains the same, what we expect to have the biggest impact on businesses working toward compliance, and the lack of predictability of next moves given the growing global health crisis.
What’s New in Version 2
Although many of the revisions in Version 2 are minor, there are a few edits substantive enough to require another public comment period (which closes today, March 27). The major edits include:
- Guidance on the Interpretation of “Personal Information.” The Modified Regulations added illustrative language describing when personal information (in the example, an IP address) may not really be personal information under the law. Version 2 removed the guidance entirely, and businesses return to square one without guidance on the breadth of the AG’s definition of “personal information.”
- “Do Not Sell” Button. In an about-face, the AG in Version 2 deleted all reference to the “Do Not Sell” icon proposed by the Modified Regulations. But given the law’s explicit instruction that the AG provide rules and procedures for such a button, this is unlikely to be the final word on the logo.
- Requests to Know. A business must not disclose a consumer’s sensitive personal information in response to a request to know (including SSN, financial information, and biometric data the business may hold). Instead, the business should inform the consumer that it has collected that type of information with sufficient particularity, but without disclosing the underlying data.
- Requests to Delete. Instead of automatically treating requests to delete as including a request to opt-out, the business must now ask consumers requesting deletion if they would also like to opt out of the sale of their personal information.
Modified Regulation Changes that Remain Intact
The Modified Regulations heavily revised the initial proposed regulations, and many of those revisions have survived the first comment period to remain in Version 2. Perhaps the most significant addition of the Modified Regulations is a four-point test for personal information that is not subject to search in response to a consumer request to know. With a narrowed interpretation of personal information, the Modified Regulations would have significantly lightened the burden of compliance for companies working with paper records or unstructured digital information. But without the guidance on interpretation of personal information, small and medium-sized businesses will likely still struggle to determine what personal information is in “searchable or reasonably accessible format.”
- Loyalty Programs
On the other end of the spectrum, the Modified Regulations double down on the restrictions applied to financial incentives and loyalty programs, scolding that “[i]f a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business must not offer the financial incentive or price or service difference.” New illustrative examples make clear that the AG expects businesses to be able to demonstrate a correlation between the value to the business of the consumer’s personal information and the value to the consumer of the discount/incentive offered in exchange for that personal information. But revisions in the guidance for actually calculating that value are minimal – removing one category of information from consideration and opening up the calculation to all persons (not just consumers) – and no examples are provided to clarify. Version 2 does not provide any substantive changes on this issue.
- Methods for Submitting Requests
Aligning with the amendments to the CCPA that were enacted just after the initially proposed regulations were published, the Modified Regulations affirm that a business that operates exclusively online and has a direct relationship with a consumer need only provide an email address for submitting requests to know. Businesses that do not operate exclusively online still need to provide two methods for a consumer to submit requests to know, but the webform requirement from the initial version of the regulations has been removed. The AG also gives some relief to brick-and-mortar businesses, which, in the initial version of the regulations, were obligated to provide a third, in-person method of submitting requests. Here and in Version 2, businesses must consider the methods of primary interaction with consumers when determining the submission methods, but are no longer required to use that primary method of interaction. On requests to delete, the Modified Regulations make the two-step process (the request to delete, then the business separately confirming with the consumer making the request that they really do want to delete) optional instead of mandatory. Finally, the Modified Regulations remove the obligation that businesses that do not interact directly with consumers provide at least one online method to submit requests to know and delete.
- Responding to Requests
The Modified Regulations and Version 2 affect the substance of responses to consumer requests in several ways. The business is relieved of providing specific details on its verification process and manner of deletion, and is no longer obligated to treat unverified requests to delete as requests to opt out of sale. Instead, in responding to the request to delete, businesses that sell personal information ask the consumer if they would like to exercise the right to opt out. Strangely, the Modified Regulations struck (and Version 2 did not change) the restriction barring businesses from providing a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Finally, the substantive response obligations for verified requests to know categories of personal information have been revised to allow for more generalized responses.
For requests to opt-out, businesses are still required to treat a privacy control as an opt-out, but now the draft regulations qualify this to be limited to global privacy controls. It is not clear what this qualification means, and Version 2 deleted a prohibition on pre-selected settings (that would have required affirmative action by consumers). If the global privacy control conflicts with a consumer’s business-specific settings the business can give the consumer the option to choose between the global privacy control and the business’s specific privacy controls.
Additionally, the Modified Regulations remind businesses that the steps a consumer must take in order to submit a request to opt-out must be minimal, language maintained in Version 2. Businesses should not, either by design or effect, subvert or impair a consumer’s ability to submit a request to opt-out. Helpfully, instead of requiring a 90-day look-back, businesses now need only notify third parties of the opt-out if the personal information was sold to that third party after the consumer submitted the request. The business must direct those third parties to stop selling that consumer’s information, but need not alert the consumer when this notification is complete.
More to Come?
The Modified Regulations revised every article of the proposed regulations and fill in some of the blanks left in the initial version, and Version 2 takes many of the changes in the Modified Regulations one step further. For the most part, the original Modified Regulations felt like a breath of fresh air for businesses working toward compliance with the CCPA, but Version 2 is more like a half-step backward due to the removal of the interpretation of “personal information.”
The AG issued Version 2 on March 11, 2020, just as the COVID-19 public health crisis was rapidly escalating. Indeed, California Governor Gavin Newsom issued an executive order less than 10 days later, on March 19, requiring all Californians (except those engaged in essential services) to stay at home. The same week, a coalition of dozens of business groups wrote to the AG seeking a temporary deferral in enforcement of the CCPA. On March 23, California Chief Justice Tani G. Cantil-Sakauye issued a statewide order suspending all jury trials in California’s superior courts for 60 days and allowing courts to immediately adopt new rules to address the impact of the COVID-19 pandemic.
Notwithstanding these developments, the AG issued a public statement this week that it is “committed to enforcing the law upon finalizing the rules or July 1, whichever comes first.” Even more surprising than the AG’s refusal to forbear from immediate enforcement beginning July 1 is the claim that that office can take enforcement action before that date. The CCPA itself, as codified in Civil Code Section 1798.185(c), states that “The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”
As with so many things right now, the future is extremely unclear. We will continue to monitor these events. In the meantime, we hope that all of you and your families stay safe and at home.
 Cal. Civ. Code § 1798.185(a)(4)(C)
 §999.313(a), (d)