On February 10, 2020, the California Attorney General’s Office released modified California Consumer Privacy Act (CCPA) regulations. There are some notable differences in the regulations from the first draft, which can be seen in this redlined version. This article will highlight some of the new language added in the latest draft of the regulations.
What’s not Personal Information?
The first important clarification comes with respect to the definition of personal information. For example, Section 999.302(a) of the regulations states that if a business collects the IP addresses of visitors to its website, but does not link that IP address to any particular consumer or household and could not reasonably link the IP address with a particular consumer, then those IP addresses collected would not be considered personal information for CCPA purposes.
Accessibility
The regulations continue to emphasize accessibility as a critical component of consumer rights. The accessibility language in the regulations is repeated in several sections addressing various consumer rights. The regulations specify that notices must be reasonably accessible to consumers with disabilities and that for notices provided online, businesses shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium, which are incorporated into the regulations.
Processes for Handling Consumer Requests
The regulations clarify that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address to which consumer requests concering personal information can be submitted. The regulations add that the time period for businesses to confirm receipt of a consumer request to delete personal information is within ten (10) business days. The regulations also state that if a business is unable to verify the identity of the consumer within the 45-day time period, that the business may deny the request.
In providing examples with respect to the verification of non-account holders, the regulations eliminate the use of a consumer’s credit card security code as a method of verification. Instead, the regulations now (wisely) suggest that if a retailer maintains a record of purchases made by the customer, the business may require the consumer to identify items recently purchased from the store or the dollar amount of their most recent purchase to verify identity. The regulations also state that if a business has no reasonable method by which it can verify identity of any consumer, the business shall explain why it has no reasonable verification method in its privacy policy.
Employment Information
The regulations also state that a business collecting employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information.” The notice at collection for employment-related information may include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors in lieu of a link or web address to the business’s privacy policy for consumers.
Opt Out Button
The regulations provide an example of an opt out button that, if used, should be displayed to the left of the statement, “Do Not Sell My Personal Information.”
Record-Keeping Requirements
The regulations require that businesses must maintain records of responses to consumer requests and how the business responded to the requests for at least twenty-four (24) months. New language included in the regulations also specifies that businesses must implement and maintain reasonable security procedures and practices in maintaining such records.
It is important to note that the regulations still provide that a violation of the regulations shall constitute a violation of the CCPA, and may be subject to the remedies provided therein.
The deadline to submit written comments to this latest version of the regulations is February 25, 2020, at 5:00 p.m. (PST).