
The California Consumer Privacy Act (CCPA) Revised Draft Regulations Provide Additional Guidance and Raise Questions for Businesses

As many businesses may be aware by now, California recently enacted sweeping new laws governing the collection, use and management of personal information. The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 has many businesses struggling to understand the application of the law and exactly what a business needs to do to comply. In an effort to clarify some aspects of the law, California issued draft regulations in October 2019 that provided some guidance to businesses, and those draft regulations continue to be revised as late as March 11, 2020. While still not finalized, the revised CCPA draft regulations offer some clarification, and open up more questions, on certain issues.

Some of the changes/clarifications in the revised CCPA draft regulations include:

  • Clarification that the collection of IP addresses without linking the IP addresses to any particular consumers is not, in and of itself, the collection of “personal information”
  • Specific reference to the method by which a privacy notice needs to be accessible to consumers with disabilities
  • A provision relating to the collection of personal information from a mobile device and a requirement that the collection of certain personal information will require a “just-in-time” notice prior to the collection of such information
  • A requirement that data brokers who do not collect information directly from consumers provide a link to the California Attorney General through which consumers can visit the data broker’s website and submit an opt-out request
  • Clarification that a business that does not collect personal information directly from a consumer does not need to provide notice at time of collection if the business does not sell the consumer’s information
  • More disclosure requirements for businesses that sell personal information of minors under 16 years of age
  • Examples of customer loyalty programs and how a business can still run such a program and be in compliance with the CCPA, which prohibits discrimination against a consumer who exercises his/her rights under the CCPA
  • Additional specific guidance regarding required provisions for service provider agreements

Many of the changes to the revised draft regulations include suggested methods by which businesses must verify consumers who submit consumer requests to know or to delete under the CCPA. Before a business provides a consumer with a copy of that consumer’s personal information, the CCPA requires the business to verify that the consumer is actually who he/she claims to be. For a business that operates a website with password-protected accounts, verifying consumers may be relatively simple, as the business can use the same verification methods it currently employs (i.e., entry of a password, sending a code to a mobile device, having a verification question for a consumer to answer).

When a consumer does not have a password-protected account with a business, however, verification can be much trickier, and the current draft regulations describe several methods through which a business can verify a consumer making a consumer request. Depending on the nature of the information a consumer is seeking, or the nature of the information a consumer is asking to delete, verification of the consumer can be cumbersome and time consuming, requiring such things as confirming three data points of verification and providing a notarized statement under penalty of perjury.

Takeaway: The revised draft regulations, and the CCPA in general, make clear that businesses must take the privacy of individuals seriously, and it may take some effort to make sure a business is in compliance with the law. A business must continue to evaluate its data collection and sharing practices in light of evolving compliance obligations.
