California AG Updates Implementing Regulations for Consumer Privacy Act
V&E Cybersecurity & Data Privacy Update, February 12, 2020
On February 7, 2020 (with an update to correct an error on February 10), the California Attorney General modified its proposed regulations (the “Modified Regulations”) related to the California Consumer Privacy Act (“CCPA”) to address comments received from the public regarding the proposed regulations published on October 11, 2019 (the “October Regulations”), and clarify and conform the regulations to the CCPA and amendments to the CCPA. In particular, the Attorney General attempted to narrow the definition of “household,” qualified exceptions for service providers, updated requirements related to consumer requests to know, recommended website accessibility guidelines, and provided a uniform “opt-out button” and additional guidance on how to display the button.
1. Narrowing the Definition of Household
Under the October Regulations, "household" was originally defined as “a person or group of people occupying a single dwelling.”1 Comments submitted to the Attorney General raised concerns about the dangers of such an expansive and ambiguous definition. For example, concerned businesses commented that an apartment complex, a retirement home, and an entire college dormitory could constitute “a single dwelling,” thus permitting people with no real connection to obtain personal information about their co-habitants. Other associations and businesses argued that the use of the word “occupying” could have encompassed temporary guests of a household. For example, businesses contended that a guest that uses a household’s Wi-Fi could fall within the definition of a person occupying a single dwelling, thus permitting the guest to request private information about the actual residents of that household. Finally, businesses raised concerns about the improper disclosure of private information stored on one household member’s (e.g., a spouse) device to another household member (e.g., the spouse’s partner) who does not have access to the device.
To address these concerns, the Attorney General changed the definition of household to “a person or group of people who: “(1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.” (emphasis added.)2 The new definition is intended to be limited to a person or group of people who permanently reside at an address, thus eliminating guests or people with no actual connection from the definition.
2. Qualifications for Service Providers
The Modified Regulations state that a service provider can use personal information internally “to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.”3 However, the Modified Regulations do not define the ambiguous terms “cleaning or augmenting.” In addition, the Modified Regulations state that a service provider that receives requests to know or delete from a consumer must “either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.”4
3. Removal of Interactive Webform Requirement
The October Regulations required a business with a website to provide “an interactive webform accessible through the business’s website or mobile application” for requests to know.5 The Modified Regulations removed the unqualified webform requirement. Instead, “[a] business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know.”6 All other businesses are required to provide a toll-free number and at least one other method for requests that “consider[s] the methods by which it primarily interacts with consumers.” (emphasis added.)7 Businesses can use a webform as that method but are no longer required to do so.
5. Format for an “Opt-Out Button”
The CCPA requires a business to “[p]rovide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.”11
If a business decides to use an opt-out button in addition to the link, the Modified Regulations require the button to “appear to the left of the ‘Do Not Sell My Personal Information’ or ‘Do Not Sell My Info’ link” and to be “approximately the same size as other buttons on the business’s webpage.”12 The Modified Regulations include the following example:
As a reminder, “[a] business shall not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer.”13
6. Ambiguities Related to Mobile Devices
In the process of clarifying and conforming the Modified Regulations to existing laws, the Attorney General may have introduced new uncertainty into the regulations. For example, “[w]hen a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.” (emphasis added.)14 The Attorney General provided the example of a flashlight application that collects geolocation information about the consumer as a “purpose that the consumer would not reasonably expect.”15 However, it might be less clear to businesses with more sophisticated applications whether a consumer would reasonably expect the business to collect specific information from the consumer’s mobile device. Without further guidance or clarity from the Attorney General, businesses could be forced to guess whether they should provide a just-in-time notice.
What this Means for You
The official comment period regarding the modification to the proposed regulations is between February 10, 2020 and February 25, 2020. Companies are encouraged to provide comments or consider joining industry organizations that are providing comments to give them a method to express their concerns. Although changes may be made to the proposed regulations before they are finalized, companies should begin folding guidance on items such as the use of the “Opt-Out Button” and accessibility of notices and privacy policies into their CCPA compliance program.
Visit our website to learn more about V&E’s Cybersecurity & Data Privacy practice. For more information, please contact Vinson & Elkins lawyers Devika Kornbacher or Sean Belding.
1 October Regulations § 999.301(h).
2 Modified Regulations § 999.301(k).
3 Modified Regulations § 999.314(c)(3).
4 Modified Regulations § 999.314(e).
5 October Regulations § 999.312(a).
6 Modified Regulations § 999.312(a).
7 Modified Regulations § 999.312(c).
8 See, e.g., October Regulations § 999.306(a)(2)(d).
9 See, e.g., Modified Regulations § 999.306(a)(2)(d).
10 Web Content Accessibility Guidelines (WCAG) 2.1, § 0.2, available at https://www.w3.org/TR/WCAG21/.
11 CCPA §1798.135(a)(1).
12 Modified Regulations § 999.306(f).
13 Modified Regulations § 999.306(e).
14 Modified Regulations § 999.305(a)(4).