March 17, 2020
While we recognize the COVID-19 coronavirus and its impact are top of mind for all of us,[1] we also want to keep you informed of time-sensitive developments that, as of this writing, are still moving forward: On March 11, 2020, California Attorney General Xavier Becerra released another set of revisions to the proposed regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”).[2] As Gibson Dunn noted last month, Attorney General Becerra previously released an initial set of proposed CCPA regulations on October 10, 2019; a first revised set of proposed regulations on February 7, 2020; and an additional amendment on February 10, 2020.[3] This latest set of changes was promulgated in response to comments received on the February modifications. Under California’s regulatory process, the public must have at least 15 days to comment on these changes, meaning, in this case, comments must be submitted by March 27, 2020.[4] After that point, if no other changes are made to the regulations, the Attorney General’s office will prepare a summary and response for each comment submitted. California’s Office of Administrative Law will then have 30 working days to approve the regulations, at which point, they would be finalized. Note, however, that the Attorney General is empowered to enforce the CCPA as of July 1, 2020, whether or not final regulations are in place before then.
Below, we briefly summarize the most impactful of the March changes.
Perhaps the most significant change in the March revisions is the removal of February’s guidance for interpreting the definition of “personal information” under the CCPA.[5] Last month, Attorney General Becerra proposed adding guidance that whether data constituted “personal information” depended on the manner in which a business maintained that data. Specifically, data such as IP addresses would only constitute “personal information” if it reasonably could be linked to an identifiable consumer or household. The March revisions, however, have deleted this guidance, raising concerns regarding the breadth of what might encompass “personal information” for CCPA purposes.
Under the February revisions, language was added further confirming that offering a “financial incentive” to consumers related to the value of that consumer’s data does not run afoul of California’s statutory ban on discriminatory pricing.[6] The March revisions, in turn, redefine such a “financial incentive” as a benefit “related to the collection, retention, or sale” of personal information, as opposed to “compensation for the disclosure, deletion, or sale” of personal information (the February definition).[7] This change is cross-referenced throughout the March revisions.[8] Notably, however, while the CCPA’s statutory text refers to “compensation” for the collection, sale, or deletion of personal information,[9] the regulations, as noted, refer to the potentially broader concept of a benefit “related to” such activities, and no longer mention “deletion” or “disclosure,” creating a potential ambiguity.
The March revisions have also removed draft provisions suggesting an “opt-out” button go alongside the “Do Not Sell My Personal Information” link on businesses’ websites.[10] This does not change February’s operative modification that allowed companies to obtain user consent to sell data that the business collected from that individual during a time in which it did not provide a notice of the right to opt-out, a change from the total ban of the sale of such data present in earlier versions of the proposed regulations.[11]
The March revisions state that businesses that do not collect personal information “directly” from a consumer do not need to provide notice at the time of collection to the consumer, so long as that company “does not sell the consumer’s personal information.”[12] This change should ease the burden on certain companies, although the term “directly” is not defined, creating some potential ambiguity.
One significant change in the March revisions is the reintroduction of the requirement to list in privacy policies “the categories of sources from which the personal information is collected,”[13] and the “business or commercial purpose for collecting or selling personal information.”[14]
Additionally, if a company has “actual knowledge” that it sells the personal information of minors under 16 years of age, then its privacy policy must include a description of the special rules and processes for providing the right to opt-in to the sale of personal information of minors.[15] Recall that businesses must gain affirmative authorization before selling the personal information of minors under 13 years of age and consent from consumers at least 13 and less than 16 years of age before selling their personal information.[16]
Under the February revisions and earlier versions of the proposed regulations, businesses were forbidden, in response to “requests to know,” from disclosing certain sensitive categories of information, including biometric data, Social Security numbers and financial account numbers.[17] The March revisions clarify that businesses “shall, however, inform the consumer with sufficient particularity that it has collected the type of information.”[18] For instance, a business should disclose, in response to a request to know, that it “collects unique biometric data including a fingerprint scan,”[19] without disclosing the actual fingerprint scan itself.
Adopting a provision that was previously only salient for “unverified” requests for deletion, the March revisions make clear that any time a company denies a request for deletion, it must inform the requestor that they also have a right to request the alternative relief of “opting out” of the sale of data (unless that consumer has already made such an opt-out request).[20]
The March revisions of the CCPA regulations provide additional clarification on certain ambiguities in the CCPA and previous iterations of the regulations. Moreover, the fact that this latest round of changes was less far-reaching than the February revisions suggests the regulations are nearing their final form. However, as the reversals from February’s amendments make clear, further change is still possible, and there remain important questions (such as, for instance, the meaning of a “sale” under the regulations) that have yet to be addressed with sufficient particularity for many impacted businesses.
Businesses subject to the CCPA should continue to monitor the proposed regulations as they evolve. It is also important to provide comments and weigh in by March 27, 2020 on issues of interest to particular companies that remain unclear. We are available to assist with your inquiries as needed.
____________________
[1] Gibson Dunn will continue to prepare updates regarding the impact of the COVID-19 coronavirus on a wide range of issues, including data privacy and cybersecurity, during this unprecedented moment. We also remain available to assist with these issues as our clients continue to navigate various legal and business challenges posed by COVID-19. See https://www.gibsondunn.com/coronavirus-covid-19-resource-center/.
[2] The entire text of the draft regulations, including the most recent revisions, is available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-second-set-mod-031120.pdf?.
[3] California Consumer Privacy Act Update: Attorney General Proposes Regulations Version 2.0, Gibson Dunn (Feb. 19, 2020) available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-proposes-regulations-version-2-0/.
[4] Department of Justice, Title 11, Division 1, Chapter 20. California Consumer Privacy Act Regulations (March 11, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-notice-of-second-mod-031120.pdf?.
[5] Draft Regulations § 999.302 [DELETED].
[6] Draft Regulations § 999.336(b).
[7] Draft Regulations § 999.301(j).
[8] See, e.g., Draft Regulations § 999.301(o); § 999.307(a)(1).
[9] Cal. Civil Code § 1798.125(b)(1).
[10] Draft Regulations § 999.306(f) [DELETED].
[11] Draft Regulations § 999.306(e).
[12] Draft Regulations § 999.305(d).
[13] Draft Regulations § 999.308(c)(1)(e).
[14] Draft Regulations § 999.308(c)(1)(f).
[15] Draft Regulations § 999.308(c)(9).
[16] See Draft Regulations §§ 999.330-32.
[17] Draft Regulations § 999.313(c)(4).
[19] Id. (internal quotation omitted).
[20] Draft Regulations § 999.313(d)(7).
The following Gibson Dunn lawyers assisted in the preparation of this client update: Alexander Southwell, Ryan Bergsieker, Cassandra Gaedt-Sheckter, Dan Rauch, and Lisa Zivkovic.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, or any member of the firm’s California Consumer Privacy Act Task Force or its Privacy, Cybersecurity and Consumer Protection practice group:
California Consumer Privacy Act Task Force:
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Please also feel free to contact any member of the Privacy, Cybersecurity and Consumer Protection practice group:
United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0)20 7071 4250, [email protected])
Patrick Doris – London (+44 (0)20 7071 4276, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0)20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0)20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.