Back to the Drawing Board? The Top Ten Impacts of the California AG’s Modified CCPA Regulations (Part 1 of 2)

Last Friday, the California Department of Justice released a modified version of the Department’s proposed CCPA regulations. Although the California Attorney General said in December that the original version of those regulations—released in October 2019—was mostly set and that businesses should not expect any major changes, this latest version includes quite a few impactful revisions to key provisions. 

In this two-part series of posts, we present the top ten most important changes to the proposed regulations. You can find the second post here.

#1: Narrowing the scope of the definition of “personal information”—and consequently what organizations qualify as a business

The CCPA defines the term “personal information” in part by reference to a list of examples of data types. A reasonable reading of the statute would suggest that those examples automatically qualify as personal information—without regard to whether a business might use the data to identify a consumer. The inclusion of IP addresses as an example in that definition was particularly concerning because one of the thresholds for qualifying as a “business” under CCPA is receiving for the business’s commercial purposes the personal information of 50,000 or more consumers. If IP addresses are automatically “personal information,” any operator of a website that does business in California and collects IP addresses from an average of 137 daily unique California visitors could qualify as a “business” under the law.

The modified regulations take a more reasonable approach. They clarify that whether information is “personal information” depends on whether the organization “maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household,’”—not just whether the information falls within the list of data types in the CCPA’s definition. The modified regulations go on to provide specific relief with respect to IP addresses: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address with a particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.”

If these revisions make it into the final regulation, they could be a game-changer for many organizations. Instead of a hard-and-fast rule stating that the definitional examples always qualify as personal information, organizations will have some flexibility to make that determination on their own. In particular, depending on how they use and maintain IP addresses collected through their websites, some organizations may be relieved to find themselves outside the CCPA’s scope altogether. Others that aren’t so lucky may still be able to narrow the scope of their compliance efforts.

#2: Major changes to the rules for businesses that indirectly collect personal information

The CCPA generally requires a business to provide the consumer with a privacy notice at or before the collection of personal information. The law defines “collect” broadly to include the receipt of a consumer’s personal information from a party other than the consumer herself. That makes it difficult, if not impossible, for businesses that receive a consumer’s personal information from a third party to comply with the CCPA’s “notice at collection” requirements.

The original regulations provided a workaround. A business that did not collect information directly from consumers was not required to provide a notice at collection if the business did one of two things before selling the information. The first option was contacting the consumer directly to provide notice that the business intends to sell the consumer’s personal information and enable the consumer to opt out of sales. In the alternative, the business could contact the source of the personal information, confirm that the source provided a compliant privacy notice at collection, and obtain an attestation from the source to that effect.

Under the modified regulations, the Department scrapped its previous approach, replacing it with an exception for data brokers. Under the new approach, if a business indirectly collects personal information and has registered with the California Attorney General under the state’s data broker registration law, the business need not provide a privacy notice to the consumer at or before collection, provided the registration submission includes a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt out of sales.

This new approach will help “data brokers”—that is, businesses that indirectly collect and sell personal information to third parties. But it is puzzling that the Department decided to leave non-data brokers in the lurch. These businesses—if they collect personal information only indirectly but don’t qualify as data brokers—are once again confronted with the possibility that they cannot meet their privacy notice obligations under the CCPA.

Given this development, businesses should scrutinize whether they sell personal information, whether they can or should register as a data broker, and whether there is a viable way to provide notice to consumers at collection.

#3: New guidance and requirements for mobile devices

The modified regulations include several new provisions relating to mobile apps. For example, they clarify that a business can provide a “notice at collection” in a mobile app by providing a link to the notice on the mobile app’s download page “and within the application, such as through the application’s settings menu.”

The modified regulations also provide that, when a business collects personal information “from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.” To illustrate this concept, the regulations allude to the FTC’s 2013 enforcement action against Goldenshores Technologies, in which a flashlight application surreptitiously collected users’ geolocation information, as an example of when a just-in-time notice would be required. Even with this example, however, the consumer-expectation test is vague and rests on the assumption that the privacy notices and policies that are mandated by the CCPA aren’t sufficient to inform consumers what information will be collected and for what purpose. Which raises a question: What’s the point?

Additionally, this new requirement is not limited on its face to information collected through the business’s mobile app. It would also apply to information collected by a website through a mobile device’s web browser. As a result, businesses would need to ensure that their websites distinguish between mobile and non-mobile devices when collecting personal information for a purpose that a consumer “would not reasonably expect.”

#4: Clarification on when browser signals should be treated as do-not-sell requests

The original regulations required businesses to treat user-enabled privacy controls, including browser plugins and privacy settings, as valid opt-out requests. This requirement created the prospect that businesses would need to treat “do not track” signals—which website operators rarely respond to—as valid opt-out requests under CCPA.

The modified regulations helpfully clarify that, to qualify as an opt-out request, user-enabled privacy controls must “clearly communicate or signal that a consumer intends” to opt out of the sale of personal information and that the consumer must affirmatively select his or her choice, rather than relying on pre-selected options. This revision suggests that a do-not-track signal, at least as it currently exists, would not qualify as an opt-out request.

#5: Incorporation of the Web Content Accessibility Guidelines into existing accessibility requirements

The original regulations imposed a general requirement that notices and privacy policies be accessible to consumers with disabilities, but they did not offer guidance on how to comply with that requirement. The modified regulations provide that businesses must follow “generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium.” For offline notices and policies, businesses will need to provide information on how disabled consumers may access them in an alternative format. Businesses should familiarize themselves with the Web Content Accessibility Guidelines and revise relevant documentation accordingly.

Check back tomorrow for the rest of our top-ten list.