On June 1, California Attorney General Xavier Becerra submitted the final CCPA regulations to the California Office of Administrative Law for review. The final regulations are substantively identical to the most recent draft published on March 11.
Below is a summary of the fundamental changes from the initially proposed regulations to their final form.
- “Financial incentive” is clarified to mean a program, benefit or another offering, including payments to consumers, “related to the collection, retention, or sale” of personal information. The previous definition covered programs, benefits or other offerings “as compensation for the disclosure, deletion, or sale” of personal information.
- The guidance regarding how to interpret “personal information” was entirely eliminated.
Notice at Collection of Personal Information
- Businesses that do not collect personal information directly from consumers are exempted from the obligation to provide notice at collection if the company does not sell the consumers’ personal information.
Notice of Right to Opt-Out of Sale of Personal Information
- The uniform logo for the sale opt-out was eliminated.
Responding to Requests to Know and Requests to Delete
- A business that withholds certain types of sensitive information when fulfilling a request to know (e.g., SSNs, government IDs, financial account numbers, etc.) must inform the consumer with sufficient particularity that it has collected the type of information being withheld.
- A service provider can collect information “about a consumer” on behalf of another business, even if that information is not obtained directly from the consumer.
- Two of the exceptions to the prohibition on a service provider retaining, using and disclosing personal information obtained in the course of providing services were revised:
  - A service provider may “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.”
  - A service provider may use personal information for internal use to build or improve services, provided the method does not involve building or modifying profiles “to use in providing services to another business” or for “correcting” or augmenting data acquired from another source.
Requests to Opt-Out
- The regulations removed the requirement that consumer privacy controls require a consumer to affirmatively select their choice to opt out and not be designed with any pre-selected settings. This allows for the use of “do-not-track” mechanisms.
Calculating the Value of Consumer Data
- When calculating the value of consumer data, a business may consider the cost to the business of the data of all natural persons in the United States, not just consumers in general.
Along with the final regulation text, the AG also issued a Final Statement of Reasons that explains the changes between the first draft and the final regulations and provides Appendices that respond to each public comment received throughout the rulemaking process.
The AG has requested an expedited review of the final text, which would allow the regulations to become effective by July 1, still the date his office plans to begin enforcing the CCPA. Prudent businesses should proceed with updating their CCPA compliance programs ahead of the upcoming enforcement start date.
Our Privacy, Cybersecurity and Data Management team will continue to monitor the latest CCPA developments and provide insights on the ever-changing, ever-shifting legal landscape surrounding this regulation.