On February 7, 2020, the California Attorney General released modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA), the state’s sweeping privacy law that took effect on January 1. The modifications provide additional clarity about the level of transparency expected by the California Attorney General, but also leave many unanswered questions regarding the scope of a business’s obligations under the law. The modifications:
The California Attorney General released an updated copy of its modified regulations on February 10. The updated version extends the public comment period by a day and increases to 10 million per year the number of consumers for which a business must sell or share information for commercial purposes in order to be subject to additional recordkeeping and disclosure requirements as a data broker.
“Personal information” is defined very broadly under the CCPA as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household. The ubiquity of big data and analytics techniques that could potentially allow for identification of individuals with relatively little data left businesses to wonder where the line is between personal information and de-identified information. For example, many businesses collect information such as IP addresses from visitors on their websites that could potentially be associated with individuals or households. The modifications to the proposed regulations clarify that IP addresses of visitors to a website are not personal information under the CCPA if the business that collects the IP addresses does not link and could not reasonably link the information to a consumer. This clarifies that businesses must take into account only their own practices and capabilities with respect to associating information with consumers and not state-of-the-art analysis and re-identification techniques that may be available.
The modifications make a few changes to the proposed regulations’ requirements regarding notices and responses to consumer requests. The modifications:
The original draft of the proposed regulations left some doubt as to whether service providers could use personal information for their internal service development and enhancement purposes. This meant that businesses needed to be on guard against providing these rights to service providers of hosted solutions and other services, in addition to passing down other CCPA-mandated provisions to service providers. Failure to do so would have risked taking the relationship outside of the “service provider” definition in the CCPA, meaning that the transfer of personal information would potentially qualify as a “sale” under the CCPA. The modifications clarify that a service provider may use personal information that is provided to it by a business for the service provider’s own internal use to build or improve the quality of its services, so long as that use is not building or modifying household or consumer profiles or cleaning or augmenting data acquired from another source. The modifications also clarify that service providers may use personal information in connection with the retention of subcontractors and to detect security incidents and prevent fraud.
The modifications reinforce that any method by which consumers request to opt out of the sale of their information must be easy to use. Moreover, these methods must require minimal steps to allow for the opt-out, and the business may not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt out.
The modifications make clear that a business must not require a consumer to pay a fee for the verification of their request to know or delete. For example, a business cannot require a consumer to provide a notarized affidavit to verify the consumer’s identity unless the business compensates the consumer for the cost of the notarization. Given the need to minimize the collection of additional information outside what is already collected, verification will likely continue to be burdensome, especially with respect to requests from non-California residents trying to invoke rights under the CCPA.
The modifications also add an additional way a business may verify an authorized agent — requiring the consumer to directly confirm with the business that he or she provided the authorized agent permission to submit the request.
While the regulations are still not final and the modifications are subject to a public comment period until February 25, the California Attorney General will begin enforcement of the CCPA at the earliest by July 1, 2020. Thus, businesses should:
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.