Updated on March 27, 2020 — The California AG released a second modified draft of the CCPA regulation on March 11, 2020. Most notably, a few of the changes in the February 7 draft were walked back. I will discuss the details below.
On Friday, February 7, 2020, the California AG dropped a new modified draft CCPA regulation. Comments are due by February 24, 2020 at 5 PM Pacific Time.
Here are some notable changes:
(1) IP Addresses Can Somehow Escape from Being Personal Information
New text of the regulation:
§ 999.302. Guidance Regarding the Interpretation of CCPA Definitions
(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
This last sentence about IP addresses was stricken in the new modified CCPA regulation of March 11.
(2) Just-in-Time Notice
The regulation, at § 999.305(a)(4), includes this example of a just-in-time notice:
When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.
Paul Schwartz and I propose a similar rule in our ALI Data Privacy Principles — we call it “heightened notice.”
(3) Notice to Employees Regarding Their Data
At § 999.305(e), the regulation provides:
(e) A business collecting employment-related information shall comply with the provisions of section 999.305 except with regard to the following:
(1) The notice at collection of employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”.
(4) Weird Opt Out “Button”
There is a new, confusing opt out “button” at § 999.306(f) that is not really a button but a toggle.
This confusing “button” was removed in the new modified CCPA regulation of March 11.
(5) Notice of Financial Incentive Exception
Pursuant to § 999.307(a)(1):
A business that does not offer a financial incentive or price or service difference related to the disclosure, deletion, or sale of personal information is not required to provide a notice of financial incentive.
(6) Exception to Requirement of 2+ Methods for Submitting Requests to Know for Exclusively Online Businesses
The CCPA regulation, § 999.312(a), now contains a new exception to the requirement that businesses provide people with two or more methods for submitting requests to know:
A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. All other businesses shall provide two or more designated methods for submitting requests to know, including, at a minimum, a toll-free telephone number. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.
(7) Exceptions for Responding to a Request to Know
At § 999.313(c)(3), a new addition to the regulation states:
In responding to a request to know, a business is not required to search for personal information if all the following conditions are met:
a. The business does not maintain the personal information in a searchable or reasonably accessible format;
b. The business maintains the personal information solely for legal or compliance purposes;
c. The business does not sell the personal information and does not use it for any commercial purpose; and
d. The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
(8) Addition of Biometric Information as Exclusion from Right to Know Disclosures
At § 999.313(c)(4), biometric data was added:
A business shall not at any time disclose in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.
(9) Easy Opt Out
The following provision was added at § 999.315(c):
A business’s methods for submitting requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.
(10) Financial Incentives and Data Valuation
The regulation at § 999.336(b) adds the following restriction:
If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference.
The regulation adds a number of examples. The following one best captures the concept that the regulations are trying to articulate:
A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt-out of the sale of their personal information. The retailer complies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory unless the grocery store can demonstrate that the value of the coupons and special discounts are reasonably related to the value of the consumer’s data to the business.
I foresee that considerable attention will be given to data valuation (how to ascribe a value to particular pieces of personal data) so that businesses can justify the financial incentives they offer in exchange for people’s data. The regulation offers the following factors to be considered (most of these are from the original draft):
(1) The marginal value to the business of the sale, collection, or deletion of a consumer’s data;
(2) The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data;
(3) The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers;
(4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information;
(5) Expenses related to the sale, collection, or retention of consumers’ personal information;
(6) Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;
(7) Profit generated by the business from sale, collection, or retention of consumers’ personal information; and
(8) Any other practical and reasonably reliable method of calculation used in good-faith.
* * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the annual Privacy + Security Forum events.
See our courses of many lengths and types, as well as our training materials