CCPA Clarity in California


Privacy policy and request to know changes are among updates to proposed CCPA regulations open for public comment through Feb. 25.

2/20/2020 14:00

By June Coleman

Managing Counsel, Messer Strickler Ltd.

The California Attorney General issued updated proposed regulations this month that provide additional guidance for businesses required to follow the California Consumer Privacy Act (CCPA) to evaluate their data privacy policies and procedures.

The attorney general issued modifications to previously proposed regulations for the CCPA on Feb. 7, 2020, and shortly afterward updated those modifications on Feb. 10.

Most of the modifications are clarifying and not necessarily pertinent to the overall understanding of the CCPA. However, some clarifications are useful to the collections industry. For instance, the CCPA requires that a company identify the general categories of sources of information received about a California resident in both the privacy notice and the privacy policy, and upon verification of a request from a California resident. 

The CCPA applies to certain businesses that fall under one or more of the following criteria:

  • Annual gross revenues of more than $25 million;
  • Alone, or in combination, annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more California consumers, California households or devices;
  • Derive 50% or more of annual revenue from selling consumers’ personal information.

In the updated proposed regulations, Regulation 999.301 clarifies the sources of information requirement by setting forth examples of categories of sources that could include advertising networks, internet service providers and data brokers. The attorney general also modified Regulation 999.301 to clarify that a third-party authorization may have a “wet” signature or an electronic signature that complies with California Civil Code section 1633.7, et seq., the California Uniform Electronic Transactions Act.

One very important clarification is contained in Regulation 999.302, which states:

“[I]f a business collects the IP address of visitors to its website, but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”

When to Send a Privacy Notice

While many collection agencies and collection law firms do not know whether their website collects IP addresses, it is probable that the agency or law firm does not match the IP address to a particular consumer. Therefore, the agency or law firm will not need to discuss IP addresses in its privacy notice, privacy policy, or in response to a request. And under these circumstances, the number of IP addresses should not count against the 50,000 limit to determine whether a business falls within the ambit of the CCPA.

As a refresher, key requirements of the CCPA, according to the attorney general, include:

  • Businesses must disclose data collection and sharing practices to consumers;
  • Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
  • Consumers have a right to request what information is collected; and
  • Businesses are required to provide a privacy notice prior to collecting information from a consumer.

The modified CCPA Regulations 999.301 and 999.304 also make clear that the privacy notice must be provided at or before collecting information from a consumer. In more good news for the collections industry, the updated proposed regulations clarify that in addition to including the entire privacy policy on the initial letter, the initial letter could prominently direct consumers to an online version of the privacy notice. 

However, if the privacy notice is online, the content must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1, of June 5, 2018, from the World Wide Web Consortium, to make the notice reasonably accessible to consumers with disabilities. Reference to the World Wide Web Consortium guidelines addresses Americans with Disabilities Act (ADA) compliance, which is a new litigation area that the collection industry should be aware of going forward.

Regulation 999.305 also clarifies that the privacy notice can be given orally if the information is being collected over the telephone. While this is a useful option to keep in mind, the privacy notice is probably too detailed to give verbally. Further clarification in the proposed regulation updates that would allow a business to provide information on how to access the privacy notice online would be helpful. However, if a consumer is providing information on the phone, it is difficult to imagine how referencing a privacy policy the consumer can review after the call will satisfy the goal of creating an informed consumer.

Privacy Notice Contents

The California Attorney General also clarified the contents of the privacy notice required in Regulation 999.305 by allowing the notice to state the purpose of gathering all information, rather than the purpose for each category of information.

Many businesses may not realize that the collection of information from a prospective employee, an employee, or an independent contractor is also covered by the CCPA, effective Jan. 1, 2021. As such, Regulation 999.305 has been modified so that the privacy notice excludes a link or reference to a Do Not Sell My Personal Information web address and may include a paper copy of the business’s privacy policies, rather than a link or web address for the business’s privacy policy for consumers.

Regulation 999.308 has also been amended to include more guidance for reasonable accessibility for a business’s privacy policy posted on the internet. As with the privacy notice, the privacy policy posted on the internet must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1, of June 5, 2018, from the World Wide Web Consortium, to make the notice reasonably accessible to consumers with disabilities. Regulation 999.308 also no longer requires the privacy policy to list the sources of information.

Requests to Know

Regulation 999.312 previously required two or more designated methods for submitting requests to know, one being a toll-free number and the other being an online request form, if the business operated a website. The amendment to Regulation 999.312 keeps the toll-free number requirement, but allows the business to choose a second method, such as an email address, an online form, or a paper form to be submitted in person or by mail. And Regulation 999.313 has been amended to allow confirmation of a request for information or deletion to be made within 10 business days, expanded from 10 calendar days, if the business has not already responded to the request. Regulation 999.313 also clarifies that a business can deny a request if the business cannot verify the consumer’s identity within the 45-day response time period.

Regulation 999.313 also clarifies that a business need not search for personal information to respond to a request to know if the business does not maintain the personal information in a searchable or reasonably accessible format, the information is maintained solely for legal or compliance purposes, the business does not sell personal information or use it for any commercial purpose, and the business describes to the consumer the categories of records that may contain personal information that the business did not search. This would appear to relate to the inability to search collection notes for specific information, such as downloaded information from a credit report or prior phone numbers or addresses. The problem with this amendment is that credit report information and old phone numbers or addresses are not maintained solely for legal or compliance purposes. 

More information on the text of the proposed regulations is available on the California Attorney General’s CCPA website.

Because of these modifications, there is a new comment period on the CCPA proposed regulations. All written comments must be submitted to the California Attorney General’s Office no later than 5 p.m. on Feb. 25, 2020, by email to [email protected], or by mail to Lisa B. Kim, Privacy Regulations Coordinator, California Office of the Attorney General, 300 South Spring Street, First Floor, Los Angeles, CA 90013.

The following article was contributed by a member of ACA International’s Member Attorney Program (MAP) committee. ACA Daily will publish future legal analyses and thought pieces written by members of this important committee.