CCPA update: Seven impactful changes in the AG’s new draft regulations February 12, 2020
On Friday, Feb. 7, the California Attorney General (AG) published revised draft regulations for the California Consumer Privacy Act (CCPA). Quickly thereafter, the AG released yet another version of the regulations on Monday, Feb. 10 with a statement that Friday’s version had accidently omitted revisions. The public now has until Feb. 25, 2020 to submit comments on the updated draft regulations. Despite previous statements by the AG that he did not anticipate many changes to the draft regulations, the updated draft regulations have significant and meaningful changes.
Here are the seven most impactful areas of change:
The updated draft regulations no longer require privacy policies to include the sources of personal information. Additionally, privacy policies no longer have to identify on a per-category basis how the business will use the personal information. If a business has sold personal information, then it must provide the categories of third parties to whom it sold for each category of personal information.
3. Consumer requests
The updated draft regulations have clarified that businesses do not need to maintain three methods for receiving consumer requests. Online-only businesses only need an email address for receiving requests to know and delete. All other businesses must provide two methods to receive requests, but a business only needs to consider having one method reflect the way in which it primarily interacts with consumers. Therefore, the draft regulations no longer mandate in-person methods for receiving requests.
Businesses now have longer to confirm receipt of a request to know or delete as the regulations extended the deadline from 10 days to 10 business days. The draft regulations also extended the timeline to comply with a request to opt-out from 15 days to 15 business days. Additionally, businesses may now deny a request to know or delete if the request cannot be verified within 45 days. If a business cannot verify a request to delete, it no longer must treat the unverified request as a request to opt-out. The updated draft regulations provide further exceptions for complying with a request to know when the business does not maintain personal information in a reasonably accessible or searchable format and the information is used solely for legal or compliance purposes.
4. Selling information collected from a third party
5. Service providers
Service providers may now use their customers’ personal information for additional purposes without inadvertently becoming a third party. Specifically, a service provider may use customer personal information for retaining a subcontractor, improving their services, complying with law or legal obligations, and defending or pursing legal claims. The updated draft regulations no longer require service providers to fulfill requests from consumers. Instead, service providers may simply inform the requesting consumer that it cannot fulfill the request.
6. Accessibility guidelines
The updated draft regulations require all online notices and privacy policies for CCPA to follow the Web Content Accessibility Guidelines version 2.1 from the World Wide Web Consortium. This new requirement is to address accessibility for consumers with disabilities.
7. Opt-out button
Businesses may now include the following opt-out button to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.
Moving forward with CCPA compliance
While some of the changes are positive for businesses, the unexpected shift means that many businesses will need to re-evaluate some aspects of compliance. For example, many privacy policies that were already posted contain information which is now unnecessary under the updated draft regulations. The unfortunate reality is that businesses who heeded the AG’s warnings that they should start compliance on Jan. 1, 2020 have spent time, money, and effort for requirements that no longer exists. Given that the updated regulations are still in draft form, businesses now face a choice on when to update compliance documents: now or only after final regulations are published. California has provided a prime example of why requiring compliance with a law prior to releasing final regulations can lead to frustration and confusion.
For more information on this topic, or to learn how Godfrey & Kahn can help, contact our Data Privacy & Cybersecurity Practice Group.