Back to the Drawing Board? The Top Ten Impacts of the California AG’s Modified CCPA Regulations (Part 2 of 2)

Last Friday, the California Department of Justice released a modified version of the Department’s proposed CCPA regulations. Although the California Attorney General said in December that the original version of those regulations, released in October 2019, was mostly set and that businesses should not expect any major changes, this latest version includes several important revisions to key provisions.

This is the second in our two-part series of posts on the top ten most important changes to the proposed regulations. You can find the first post here.

#6:  Relaxing the requirement to specify purposes and sources of collection in privacy policies

The original regulations required a business to disclose—for each category of personal information collected—the purposes for collection, the sources of collection, and categories of recipients of any sales or disclosures for a business purpose. Strict compliance with that requirement could require a privacy policy to include complicated and redundant lists or tables, an approach that would hardly seem to promote the regulations’ asserted aim of making privacy policies “easy to read and understandable to consumers.” Perhaps as a result, many businesses did not include these granular disclosures in the initial CCPA updates to their privacy policies.

Here, the modified regulations reward those businesses that took a “wait and see” approach. The modified regulations eliminate the requirement to identify the sources and purposes of collection of consumers’ personal information on a category-by-category basis. As a result, a business can separately list the categories of personal information collected, the sources from which the business collects them, and the business or commercial purposes for collecting or selling them.

The modified regulations do still require a business to specify—for each category of personal information disclosed or sold—the categories of third parties with whom the business shares that personal information. And those categories must be described “with enough particularity to provide consumers with a meaningful understanding of the type of third party.” 

#7:  Some relief for service providers

The original regulations strictly limited service providers’ ability to use personal information received from a customer “for the purpose of providing services to another person or entity.” A narrow exception to that rule allowed service providers to combine information received from multiple customers “to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.” That rule could prohibit the practice, which is common among software and technology companies, of using data processed on a customer’s behalf to develop and improve a service provider’s products and services.

The modified regulations offer some relief here. They provide that a service provider may retain and make internal use of personal information obtained in providing services “to build or improve the quality of its services,” provided that use does not involve “building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” 

That change will be a welcome development for business-to-business software and technology providers. That’s especially true for providers in data-driven fields like analytics and artificial intelligence that rely on customer data to improve the algorithms and technologies that power their products and services.

#8:  Some guidance on notices at collection for employees

In October 2019 California enacted an amendment to the CCPA that exempted personal information a business collects from applicants, employees, and contractors from most of the CCPA’s requirements. Provided a business only uses that personal information in the context of those individuals’ roles with the business, the business need only comply with the obligation to provide a “notice at collection” to them. No other CCPA obligations, such as offering a right to opt out of sales or to access or request deletion of personal information, apply to those individuals’ personal information.

The modified regulations account for that amendment in the requirements for notices at collection. They provide that the notice at collection a business must provide to employees, contractors, and applicants must follow the same requirements for notices at collection to other consumers, with two exceptions. First, the employee notice need not include the business’s do-not-sell link. Second, the employee notice “may include a link to, or a paper copy of, the business’s privacy policies for job applicants, employees or contractors in lieu of a link or web address to the business’s privacy policy for consumers.”

The modified regulations’ insistence that notices at collection to employees must include a link to the business’s privacy policy is puzzling, given that the CCPA exempts their personal information from the obligation to provide a privacy policy. But under the exceptions, businesses that maintain separate privacy policies for employees can link to those privacy policies instead of policies that address other consumers.

#9:  Eliminating the 90-day lookback for communicating do-not-sell requests to third parties

The original regulations would have required a business to pass along any do-not-sell request that it receives from a consumer to any third parties to whom it sold the consumer’s personal information in the preceding 90 days. The business would also have had to instruct those parties not to further sell the information. That requirement, which would have applied retroactively to already-sold personal information, had no basis in the text of the CCPA and generated concern from industry. From an industry standpoint, it would disturb the bargains struck between data sellers and purchasers and lead to consumer confusion about the meaning and implications of a do-not-sell request.

The modified regulations eliminate the lookback requirement for previously sold data. They only require the business to communicate do-not-sell requests to third parties if the requesting consumer’s personal information was sold to the third party after the business received the request, but before the business implemented that request.

#10:  Expanding the exceptions for responding to requests to know and delete

One of the most operationally challenging aspects of the CCPA is the broad requirement that businesses locate and provide, or delete, personal information in response to consumer requests. Perhaps recognizing the burden that requirement will impose on businesses, the modified regulations provide for some narrow, but still useful, exceptions.

First, the modified regulations absolve a business of the obligation to search for personal information in response to a consumer’s request to know if that information is:

  • Not maintained in a searchable or readily accessible format;
  • Maintained solely for legal or compliance purposes; and
  • Not sold or used for any commercial purposes.

In that case, the business must instead describe to the consumer the categories of records it did not search.

Second, the modified regulations expand an exception, carried over from the original regulations, to the business’s obligation to delete personal information. Under the original regulations, a business would not have had to delete personal information on archived or backup systems “until the archived or backup system [was] next accessed or used.” That exception would not have been especially helpful, because businesses often “access or use” backup or archival systems for purposes unrelated to a consumer’s personal information (routine restores, integrity checks, and the like), which would have triggered the deletion obligation almost immediately.

Under the modified regulations, a business need not delete personal information stored on archived or backup systems until the system is “restored to an active system” or “next accessed or used for a sale, disclosure, or commercial purpose.” 

Again, neither of these exceptions will eliminate the significant work a business must do to locate a consumer’s personal information in response to a CCPA request and process that request in accordance with the many and complex requirements set out in the CCPA and the modified regulations. But they may narrow the scope of that task and make life easier for those charged with carrying out individual rights responses on the business’s behalf.

*             *             *             *

The modified regulations are currently subject to a comment period that will last until February 25. At the end of that period, the Attorney General’s office could make additional revisions, or could simply submit the modified regulations for approval and adoption by the Secretary of State. Either way, as the CCPA’s July 1 enforcement date draws near, businesses would do well to evaluate the effect of these latest changes on their CCPA compliance programs.