On March 11, 2020, the California Attorney General released a new set of proposed modifications to the California Consumer Privacy Act (“CCPA”). This follows the Attorney General’s proposed regulations released on October 10, 2019, which we’ve previously discussed here, as well as the California Attorney General’s February 7, 2020 modifications, which we’ve previously discussed here.
The March 10, 2020 modifications include the following noteworthy changes:
- The modifications removed Section 302, which clarified the degree to which information must be identifying and provided an IP address as an example of information that may not be “personal information” depending on how it is maintain. This section specifically stated that “whether information was ‘personal information’ … depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” This section was a welcome modification for many businesses, and it is unclear whether its removal was based on policy reasons or objections relating to the Attorney General’s ability to regulate beyond the text of the statute itself.
- The modifications removed the example opt-out button in Section 306(f).
- The modifications added Sections 308(c)(1)(e) and (f). These sections require more information to be included in the privacy policy about sources of information and the commercial purposes for collecting or selling personal information. This appears to revert, at least in part, to the original regulations, which led those attempting to comply with the regulations to present the information in a format linking each category of information to a specific source and purpose. The March 10, 2020 modifications appear to strike a balance on how to present the information. Section 308(c)(1)(e) requires that the categories of sources of collection of personal information be identified (though not for each type of personal information), and Section 308(c)(1)(f) requires that the business or commercial purpose for collecting or selling personal information be identified and the purpose be described “in a manner that provides consumers a meaningful understanding of why the information is collected or sold.”
- The modifications added the language in Section 313(c)(4) requiring a description about the types of sensitive information collected where the personal information itself cannot be disclosed in the request.
- The modifications deleted the language in Section 313(d)(1) regarding the treatment of deletion requests where the business cannot sufficiently verify the requestor.
- The modifications added the language of “or about a consumer” in Section 314(b), which may significantly expand that paragraph. The paragraph previously was limited to businesses directing a person or entity to collect personal information directly from a consumer. Now, the paragraph also includes persons or entities collecting information about a consumer. The modifications also changed the language of “person or entity” to “second business.”
- The modifications changed Section 317(g) on compiling and disclosure of metrics to add where a business “reasonably should know” that it collects personal information exceeding the threshold and raised the threshold to ten million from four million.
- The second revisions to the Proposed Regulations are \noteworthy because they indicate that the California Attorney General is focused on the CCPA and crafting the necessary regulations with public input. They also illustrate the perils for businesses of attempting to comply with the moving target that is the CCPA.
The deadline to submit written comments on the California Attorney General’s Second Set of Modifications to Proposed Regulations is March 27, 2020, at 5 pm. A comparison copy of the Second Set of Modified Regulations as compared to the First Set of Modifications Regulations is available on the California Attorney General’s website.
Libby Casale is an associate in Thompson Coburn’s Business Litigation group. Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA).