
California AG Publishes Updated CCPA Regs With Far More Clarity Than The First Draft


The California attorney general’s office has released the second draft of its implementation regulations for the California Consumer Privacy Act.

The updated regs, published late Friday, take into consideration feedback received during a 45-day comment period that ended in December. The AG is accepting comments on the amended proposed regulations until Feb. 25 (extended from Feb. 24).

Although the law has been in effect since Jan. 1, the AG can’t start bringing enforcement actions until July 1. The purpose of the implementation regs is to provide businesses with practical information they can use to operationalize the law between now and then.

Click here to read a redline version of the revised regs that shows all of the changes between the first draft and the second. There’s a lot in there, but here are some of the main takeaways and clarifications as the regs wend their way toward completion.

Personal info

The draft regs clarify when personal information is considered personal and when it isn’t, which depends on the manner in which the information is maintained. If a business collects the IP addresses of visitors to its site, for example, but doesn’t, and couldn’t reasonably, take the extra step of linking that IP address to any individual consumer or household, then the IP address isn’t “personal information” under the law.

The button

Consumers have the right to opt out of the sale of their personal information, and businesses need to inform consumers of that right and give them the ability to opt out, through a link to a privacy policy and/or a voluntary opt-out button that also links to the notice.

The first version of the AG’s regs didn’t provide any guidance on what this button should actually look like, but the second draft does, and behold!

The button, which looks like an on/off toggle, has to be roughly the same size as other buttons on the company’s site. But, considering the button is optional – it may be used in addition to, but not as a substitute for, the notice of a consumer’s right to opt out – it’s unclear how many businesses will decide to implement it.

Do Not Track


Businesses that collect personal information from consumers online will need to honor global user-enabled privacy controls, such as a browser plug-in, privacy setting, device setting or other mechanism that signals a consumer’s choice to opt out of the sale of their personal information.

If a global privacy control conflicts with a consumer’s business-specific privacy setting, the business still needs to honor it, but is also allowed to alert the consumer of the conflict and give the person a chance to either confirm their choice or change their mind.

Do Not Track is alive and well in California.

Setting expectations

Apps that collect the sort of info from mobile devices that a consumer would “not reasonably expect” it to collect will be required to provide just-in-time notifications with a summary of the categories of personal info being gathered and a link to the full privacy notice at the time of collection.

The regs offer a practical example. Say a business has a flashlight app that collects geolocation data. That business will have to provide a real-time notice about what it collects right when consumers open the app.

Sounds like another nail in the coffin for background data collection.

Service providers

There’s a little more info in the regs on what service providers can and can’t do with personal information.

Service providers, which are akin to data processors under Europe’s General Data Protection Regulation, can use a business’s personal information internally to build or improve the quality of their services – but not for profiling. They cannot build or modify household or consumer profiles or clean or augment data acquired from another source.

Data from before

Businesses that don’t and don’t intend to sell personal information during a certain time period are exempt from providing consumers with a notice of their right to opt out during that time period. But what about personal information that was collected before the CCPA went into effect?

The regs state that businesses aren’t allowed to sell personal information collected during a time when they didn’t have a notice posted and that, if they want to, they’ve got to obtain a consumer’s “affirmative authorization,” aka, an opt-in.

The regs are unclear, however, on whether businesses need to get an opt-in for data they collected before Jan. 1, 2020. If they do, CCPA compliance just got a lot more complicated.
