California’s Data Privacy Rules Get Clearer
This story was originally published in VentureBeat as a guest post
On Friday, February 7, the California Office of the Attorney General (CAG) published a “notice of modifications” to the text of its proposed regulations under the California Consumer Privacy Act (CCPA), followed by an update on Monday, February 10. The CCPA statute itself has been in effect since January 1, 2020, but the rulemaking process for the regulations that implement it is still ongoing, with a final draft of the regulations expected sometime before the anticipated enforcement date of July 1, 2020. The CAG is accepting public comments on these proposed modifications until Tuesday, February 25.
While the latest update doesn’t provide us with the final regulations, it offers much needed clarity in several key areas.
1. The scope of data & businesses subject to CCPA processes is clearer
One of the critical lessons from December’s CCPA hearings was that the law required further clarification on terms essential to the operationalization of the CCPA. This month’s updates do a decent job of alleviating some of the uncertainty by providing definitions, examples, and additional clarifying language. Some highlights include:
Clarification on the definition of “personal information.” A new section titled “Guidance Regarding the Interpretation of CCPA Definitions” (§ 999.302) has been created. Currently it has only one subsection, (a), which explains what qualifies as personal information (PI) under the CCPA using IP addresses as the illustration. The key takeaway is that whether data is classified as PI depends on whether it is, or reasonably could be, linked to a particular consumer or household: an IP address a business cannot link to any consumer or household is not PI for that business. Given the title of the section, other terms may be clarified in this fashion at a later point.
New communication methods for accepting data requests are specified. Section 999.312, “Methods for Submitting Requests to Know and Requests to Delete,” now directs businesses to consider “the methods by which it primarily interacts with consumers” when deciding which request channels to offer. Subsection (a) states that a business operating exclusively online need only provide an email address for consumers to submit requests to know. The language around how to accept requests to delete, however, remains largely the same.
Exclusions now exist for fulfilling consumer requests to know. New language in subsection (c) of § 999.313, “Responding to Requests to Know and Requests to Delete,” relieves businesses of having to search for PI in response to a request to know if several conditions are all met: the business does not maintain the PI in a searchable or reasonably accessible format; it maintains the PI solely for legal or compliance purposes; and it does not sell the PI or use it for any commercial purpose. A business that describes these categories of records, and explains why it did not search them, in its response to the consumer can then omit PI meeting these conditions from the data it returns.
Explicit details now exist for how service providers can use PI. Section 999.314 (Service Providers) goes into greater detail about what any entity defined as a service provider can and cannot do with PI. Specifically, subsection (c) has been completely rewritten to list five exceptions under which service providers are permitted to retain, use, or disclose personal information. One of the exceptions allows a service provider to use data internally to build or improve the quality of its services, though that use may not extend to building or modifying consumer or household profiles, or to cleaning or augmenting data acquired from another source.
In addition to these highlights, the proposed changes also elaborate on the scope of the CCPA as it applies to entities like authorized agents, who can make requests on a consumer’s behalf, as well as data brokers and other third parties.
2. We now have more details on how opt-out requests and do not track will work
New language in § 999.315, “Requests to Opt-Out” suggests that regulators intend for consumer opt-out requests to be as painless as possible. Subsection (c) seems to be worded explicitly to address the problem of UX “dark patterns” within privacy controls, stating “… a business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.” Given that dark patterns are suspected of helping companies circumvent parts of the GDPR, the new CCPA subsection makes sense, though it’s not clear how it’ll be enforced.
Additionally, subsections (d)(1) and (d)(2) address the role that user-enabled global privacy controls, such as a browser setting, plugin, or signal like Do Not Track, will play in opt-out requests. A control that communicates the consumer’s choice to opt out in a manner consistent with the CCPA is to be treated as a valid opt-out request, even where it conflicts with a consumer’s existing business-specific settings. In that case the business must respect the global control, but it may notify the consumer of the conflict and give them the choice to confirm their business-specific setting. Which signals qualify, and how a business should handle a consumer who has deliberately opted in, remain open questions for implementers.
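The precedence rule described above, expressed as code, as an added example that is not part of the original article or of any regulatory text: a browser-level opt-out signal is treated as an opt-out request and wins over a stored, business-specific preference, while a conflict with a prior opt-in is flagged so the business can show the notice the regulation permits. The header names (`DNT`, the legacy Do Not Track header, and `Sec-GPC`, used by the later Global Privacy Control proposal), the notice wording, and the `resolve_opt_out` function are assumptions made for illustration; whether a given signal legally qualifies under § 999.315(d)(1) is not something this code decides.

```python
"""Opt-out precedence: global privacy control vs. business-specific setting.

Example code modelled on the behaviour described for § 999.315(d)(1)-(d)(2).
Not taken from the regulation or the article; header names and notice text
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumed signal headers. "DNT: 1" is the legacy Do Not Track header; "Sec-GPC: 1"
# is the header used by the later Global Privacy Control proposal. Which signals a
# business must honour is a legal question this example does not answer.
OPT_OUT_HEADERS = ("sec-gpc", "dnt")


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool        # request must be treated as opted out of sale
    source: str            # "global_control", "business_setting", or "none"
    conflict: bool         # True when the global control overrode a stored opt-in
    notice: Optional[str]  # text the business may show the consumer (d)(2)


def global_control_present(headers: Mapping[str, str]) -> bool:
    """Return True if any recognised opt-out header carries the value "1".

    Header names are matched case-insensitively and surrounding whitespace is
    ignored, since proxies and frameworks normalise headers differently.
    """
    lowered = {k.strip().lower(): v.strip() for k, v in headers.items()}
    return any(lowered.get(name) == "1" for name in OPT_OUT_HEADERS)


def resolve_opt_out(headers: Mapping[str, str],
                    stored_opt_out: Optional[bool]) -> OptOutDecision:
    """Combine a browser-level signal with the consumer's stored choice.

    stored_opt_out: True  -> consumer previously opted out with this business
                    False -> consumer previously opted in (e.g. a loyalty programme)
                    None  -> no recorded choice

    Rule modelled: a valid global control is treated as an opt-out request and
    takes precedence over a conflicting business-specific setting; the business
    may then notify the consumer and let them confirm their earlier choice.
    """
    if global_control_present(headers):
        conflict = stored_opt_out is False
        notice = None
        if conflict:
            # Assumed wording; the regulation permits a notice but does not supply one.
            notice = ("Your browser's privacy setting has opted you out of the sale "
                      "of your personal information, which overrides your earlier "
                      "choice with us. You may confirm your earlier choice if you wish.")
        return OptOutDecision(True, "global_control", conflict, notice)
    if stored_opt_out is True:
        return OptOutDecision(True, "business_setting", False, None)
    if stored_opt_out is False:
        return OptOutDecision(False, "business_setting", False, None)
    return OptOutDecision(False, "none", False, None)


if __name__ == "__main__":
    # Constructed sample requests: (request headers, stored business-specific choice).
    samples = [({"Sec-GPC": "1"}, False), ({"DNT": "0"}, None), ({}, True)]
    for hdrs, stored in samples:
        print(hdrs, stored, "->", resolve_opt_out(hdrs, stored))
```

The decision carries its `source` so that a request log can show why a given request was treated as opted out, which is the evidence an auditor will ask for; the `conflict` flag is what drives the optional (d)(2) notice rather than silently discarding the consumer’s earlier choice.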
3. The rules on how to provide consumer notices have new detail
The CCPA requires that companies inform consumers about the company’s practices, as well as the consumers’ rights, at specific points in the consumer’s interaction with the business. The new modifications specify that online CCPA-required notices should follow industry-recognized accessibility standards, such as the Web Content Accessibility Guidelines, version 2.1.
Sections for specific notices, like the notice at collection of personal information (§ 999.305) and the notice of right to opt-out of sale (§ 999.306), now include details about where notices should be displayed. For example, the modifications in § 999.305(a)(4) state that if PI is collected from a consumer’s mobile device for a purpose the consumer would not reasonably expect, a “just-in-time” notice summarizing the categories of PI being collected, with a link to the full notice at collection, should be provided. Modifications in § 999.306 say that opt-out notices within mobile applications may be provided through a link in the application’s settings menu. For a more thorough understanding of how notice requirements have changed, organizations should take a deeper look at these sections.
What’s next for privacy compliance?
From now until February 25, the CAG will accept comments on the current round of CCPA modifications via email or mail. From there, we’ll likely see the process for closing the final rulemaking record begin. Once the AG prepares the final rulemaking record and the Final Statement of Reasons, these will be submitted to the Office of Administrative Law (OAL) for review. The OAL then has 30 working days to decide whether to approve the regulations. If approved, the final regulations are filed with the California Secretary of State. All of this will likely take place sometime before July 1, leaving any stragglers with little time to make significant changes.
Although the CCPA is currently on everyone’s mind, the California law is merely a bellwether of an emerging change taking place within the compliance landscape. Beyond the CCPA, organizations should watch for The California Privacy Rights Act of 2020 (CalPRA), dubbed “CCPA 2.0.” The group Californians for Consumer Privacy is hoping to get the act on November’s ballot. Nebraska, New York, and a handful of other states also seem intent on joining California in implementing privacy legislation. Finally, developments in other countries — India, for example — illustrate how the demand for privacy legislation is growing abroad.
Privacy compliance is a trend that’s here to stay. Organizations that take the time to thoroughly ensure CCPA compliance today, in particular by building data inventories, request-handling workflows, and opt-out mechanisms that are documented and auditable, will likely have the systems in place needed to comply with future legislation.