It’s likely that many businesses complained that this messaging would give consumers the wrong impression about a business, so this section helps to clarify that CCPA is going to be flexible enough in deployment to not provide false signals of data sales.

Subsection (a)(4) was added to address instances in which a business collects personal information from a consumer’s mobile device for purposes that the consumer would not reasonably expect.

The AG also stated that July 1, 2020, is the expected date of final regulations and enforcement.

There are numerous sections of the CCPA guidance that attempt to provide guidance about when a consumer must be notified about the collection of personal information — and one important part of these regulations could basically implode the entire outdoor kiosk/POS mobileID tracking schemes here in California.

In the final statement of reasons, the DOJ says: “determining the appropriate verification standard is fact- and scenario-specific.”

The Final Regulations include additional revisions, which are important for businesses to consider as they move forward with CCPA compliance.

Subsection (c), which requires a business to consider the methods by which it interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete, has been modified in four ways.

These details are being released at a time when COVID mobile tracking data has become the newest privacy outrage for users — and several aspects of the guidance read as a direct rejection of the guidance issued by the online advertising and analytics industry groups NAI and IAB, who previously gave their members a blessing to share/sell COVID mobile tracking data to other businesses, researchers and the government to support the pandemic tracking efforts.
This additional guidance benefits consumers by requiring that businesses provide enough information for consumers to understand their data practices. The change also benefits consumers by not overwhelming them with notices for every minor change, which may result in notice fatigue.

The modification also preserves the consumer’s right to delete when the business discloses or commercially benefits from access or use.

Another way to put this: a business can let you submit a Request to Delete for your data, require that you submit pieces of information to confirm your identity that the business *did not have before you submitted the form*, and then hold that information for 24 months.

At long last, though, the final …

These restrictions are necessary because the consumer could have reasonably relied on the notice when interacting with the business and allowing it to collect their personal information.

The final implementing regulations take effect immediately.

While the alternative of allowing a subsequently posted notice of right to opt-out to apply retroactively would be less burdensome to businesses, it would not be as effective in informing the consumer of their right at the point of collection, when the consumer may be most aware of what personal information the business is collecting from them.

Subsection (e) is necessary to prevent a business from unilaterally and retroactively changing its policy to sell personal information that it collected during a time period when it expressly assured consumers that it did not sell such information.

Consistent with this legislative intent, the regulation provides guidance for instances in which a consumer’s attempt to exercise their CCPA rights is not submitted through a business’s designated methods or is deficient for a reason unrelated to the verification process.
Thus, the intent of the CCPA is to prohibit a service provider from using personal information collected from one business for its own business purposes or to then provide services on behalf of a different business.

Furthermore, simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice.

Furthermore, based on the OAG’s technical expertise in this area and understanding of business practices, treating a consumer’s request as properly received or informing the consumer of the proper method of request is not unduly burdensome.

These changes appear in the Attorney General’s Addendum to Final Statement of Reasons, which can be found here.

The subsection also adds the term “previously collected.” This change is necessary to clarify that the subsection applies when a business seeks to use previously collected personal information for a use that is materially different than what was previously disclosed to the consumer, not for new personal information that it seeks to collect. This subsection is necessary to provide transparency into business practices that defy consumers’ reasonable expectations, particularly when those uses are not reasonably related to an application’s basic functionality.
Both IAB and NAI encouraged members to share any data valuable in fighting COVID at the Senate hearing that was not on video, via their written statements for the hearing “Enlisting Big Data in the Fight Against Coronavirus.” It’s clear that organizations that buy, sell or share user data need to get much more serious about user consent, the categories of collection they undertake, and their potential legal exposure from not requesting user consent for a material change in collection purpose — and the CCPA guidance makes it clear that “simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice.”

The OAL approved the final version along with an updated Addendum to the Final Statement of Reasons.

It appears unlikely that the CCPA regulations will be approved within the expedited time frame requested by the California Attorney General’s office.

The CCPA Reasons also provide some clarity for organizations that operate primarily offline and some assurances to consumers that the primary method they use to engage with a business needs to offer a way for them to exercise their rights.

Thus, it is difficult to say with certainty how these changes might impact the AG’s enforcement of the CCPA.
If you are a business with significant user data (10+ million consumers in a calendar year), you don’t get to start every month coming up with new monetization strategies for your existing user data without getting permission from users to use their existing data for materially different efforts — and with the new categories of sources being clarified by the CA AG to now include “Advertising Networks, Internet Service Providers, Data Analytics Providers, Operating Systems and Platforms, Social Networks, and Data Brokers” — things are about to get much more serious for organizations that have treated user consent like a blank check for future user data monetization efforts.

By requiring businesses to describe categories of third parties in a manner that is easily understood by consumers, these modifications implement a performance-based approach.

“Categories of sources” has been clarified to mean “types or groupings of persons or entities” from which a business collects consumers’ personal information, not just “types of entities.” The definition has also been modified to require a business to describe its categories of sources “with enough particularity to provide consumers with a meaningful understanding of the type of person or entity.” The following examples have also been added to the definition: advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, and data brokers.

Subsection (e) was added to state that a business cannot sell personal information it collected during any time it did not have a notice of right to opt-out posted unless it obtains the consumer’s affirmative authorization for the sale.
There is a long history of browsers, publishers, and advertising companies trying to agree on global opt-out signals, and CCPA urges this process to continue and for consensus to be reached so that consumers can opt out via global privacy controls.

It also benefits businesses, particularly smaller businesses that lack privacy resources, by clarifying the information they must provide to consumers.

Most organizations provide an “opt-out” through simple immediate mechanisms, but if an organization is working with third parties to sell consumer information, then a series of very important deadlines are triggered when a consumer requests to opt out of this process.

The OAG considered alternative ways to address this situation and determined that requiring businesses to obtain affirmative authorization is the most effective way to carry out the purpose and intent of the CCPA to give consumers notice and control, at the point of collection, over the sale of their personal information.

The OAG weighed these various comments and determined that 15 business days appropriately balances the right of consumers to opt out at any time with the burden on businesses to process opt-out requests.

In light of the comments received from the public, the OAG further supplements its statement of reasons in support of subsection (d) as follows.

The subsection also includes an example that illustrates this requirement and provides guidance as to what may be considered a purpose that a consumer would not reasonably expect.

Other comments advocated for requiring compliance “immediately” or within 24 hours of receipt of the request due to the immediate nature of the collection and sale of personal information online.
Even in defining the term “service provider,” the CCPA makes clear that a business’s disclosure of personal information must be for a business purpose that is stated in the parties’ written contract.

These modifications benefit businesses and consumers by providing clarity and transparency about businesses’ baseline obligations: businesses that state that they sell personal information must post a notice of right to opt-out, and businesses that do not sell personal information will affirmatively state so.

Subsection (d)(5) has been modified in three ways.

It is not intended to allow consumers to know or delete personal information collected by a non-business merely because the non-business outsources tasks to a service provider.

The California AG has now released the final CCPA regulations, as approved by the Office of Administrative Law (OAL).

Like businesses, public and nonprofit entities outsource operational needs through service providers that essentially perform tasks as if the public or nonprofit entity were doing the task in-house.

Such an approach would allow businesses to engage in passive notice updates without allowing consumers any agency to control how their personal information is used.

Given the ease and frequency by which personal information is collected and sold when a consumer visits a website, consumers should have a similarly easy ability to request to opt-out globally.

The subsection has been modified by changing “other than” to “materially different than.” This change was made in response to numerous comments urging that the restrictions be limited to uses that are “materially different” from those disclosed in the notice and is necessary to make the language of the regulation consistent with privacy best practices.

The final regulations are substantially similar to the most recent draft regulations issued in June, with a few notable changes discussed below.
The CCPA dumped responsibility for preventing that to the DOJ.

All businesses subject to the CCPA must now comply with both the statute and the regulations.

Second, the phrase “in general” has been added to clarify that a business’s confirmation of receipt of request simply needs to provide a general description of the business’s verification process.

Subsection (f) now states that a business shall “comply” with a request to opt-out as soon as feasibly possible but no later than 15 “business” days from the date the business receives the request.

The final implementing regulations are similar to

This change was in response to comments seeking guidance on whether businesses can maintain a suppression list.

The modification that a business comply with the request within 15 business days was made after considering public comments from many businesses and consumer advocates.

It benefits consumers by providing them with information to make privacy decisions while protecting them from the harms that could result from the unauthorized disclosure of this sensitive personal information.

Additional links and CCPA resources can be found at the CA AG’s website.

The record includes, among other documents, the final text of the proposed CCPA regulations and the Final Statement of Reasons, which summarizes and responds to each public comment received and explains the bases for the regulations.

Such an approach would allow businesses to engage in passive notice updates without allowing consumers any agency to control how their personal information is used, including when it was collected under false pretenses.

Section 999.306, subsection (d), also provides that a business that does not sell personal information does not need to provide a notice of right to opt-out if it states so in its privacy policy.
This modification is necessary to clarify that a business has discretion to provide a link directing consumers to the notice in lieu of including the actual language of the notice in the application’s settings menu.

It also provides businesses guidance on how to interpret Civil Code section 1798.135, subdivision (a)(5)’s 12-month prohibition on requesting that the consumer authorize the sale of their personal information for consumers who have enabled a global privacy control.

This change was made in response to public comments that requested guidance regarding the level of detail required and that expressed concerns that specific descriptions of a business’s verification process would reveal information to bad actors that could be used to evade security procedures.

I’m not going to excerpt these sections because it’s going to be very hard to thread this needle without violating CCPA, and I’ll need to spend more time on these sections before providing any guidance or opinions about the impacts on various discounting strategies.

First, the regulation now correctly cites to “section 999.317, subsection (b),” which requires a business to maintain records of consumer requests and how the business responded for 24 months.

This blog post is not meant to be an all-encompassing summary of how to get ready for CCPA or the frameworks for sharing and selling user data — there are far too many complicated aspects, largely due to the fact that most organizations that are large enough to need to comply with CCPA also have European users and need to comply with GDPR, the European data privacy law.
A few highlights from the final CCPA regulations:

Service providers: Per the California Attorney General’s Final Statement of Reasons, a service provider that processes information in breach of the provisions of the agreement between the “business” and such service provider is subject to direct enforcement by the Attorney General, even if the business is not inclined to enforce.

The CCPA guidance goes on to further highlight mobile tracking situations that require unique disclosures, particularly any new use of consumer data that is “materially different than” the original purpose, writing:

Former subsection (a)(3) has been renumbered and is now subsection (a)(5). It empowers the consumer to actively choose whether they want to maintain their relationship with the business.

Mobile apps will be able to include a shorthand reference in their menu and provide links to read more about how the business collects personal information, instead of any required length or specific text.

Accordingly, the definition of “categories of third parties” has been modified to clarify this point.

Key changes to the final regulations

The clarification of “business days” addresses business holidays and lessens the burden on businesses.

Brief disclaimer: I’m not a lawyer — I’m a longtime digital strategist who has a significant interest and experience with user data privacy frameworks (I’ve also got my CIPP/US privacy certification from the IAPP).
I believe the California Attorney General’s office, if they haven’t already, should clarify to businesses that users should be provided with choice (or businesses flat banned) from merging the data submitted in a Right to Know/Delete into larger customer data profiles, at least without user consent.

In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four …

Thus, the modifications make the language of the regulation consistent with the language in the CCPA and harmonize this subsection with section 999.306, subsection (d).

Consumers exercising their rights to make requests under the CCPA should not be hindered by unreasonable delays, and 45 calendar days provides businesses with sufficient time to provide the required response, especially considering that they can extend the time to respond by another 45 calendar days.

Together with the final regs, the OAG also published a Statement of Reasons (SOR) on June 1, which provides responses to all the comments received during the rule-making process.

The subsection requires the business to respect the global privacy control signal, but allows the business to notify the consumer of the conflict and ask the consumer to confirm their business-specific privacy setting or participation in the financial incentive program.
These and other interesting insights into the reasoning and thinking of the California AG for the revisions made to the regulations can be gleaned from the Final Statement of Reasons submitted to the California Office of Administrative Law, together with the final version of the …

The reference to a “download page” in these CA AG Reasons could almost be interpreted to require disclosures on App Descriptions before someone installs an app — basically apps need to not only link to privacy policies, but also link to separate pages expressly on how that business collects or sells personal information under the CCPA frameworks.

June 3, 2020 – Alerts By Odia Kagan.

Rather, as discussed above, service providers are expressly limited from retaining and using personal information.

But one thing is clear: if you’re trying to provide discounts to consumers for ad-free experiences or to sell their data, you should read those sections and consult an attorney to help you craft the right pricing options and disclosures.

Feel free to respond to the post below or drop me a note on twitter @ thezedwards.