Back in October, we provided a summary of Article 2 of the California Attorney General’s Initial Proposed CCPA draft regulations, which specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies.
On February 10, 2020, the California Attorney General published updated proposed CCPA regulations. Below, we discuss several notable changes in the updated proposed CCPA regulations.
Guidance Regarding the Interpretation of CCPA Definitions – Clarification of “Personal Information”
A new Section 999.302 provides that whether information is “personal information” as defined in the CCPA depends on “whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” The new section goes on to provide an actual example of how businesses should analyze “personal information” that will be helpful to online businesses: “For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.””
Notices at Collection
- Mobile Applications, Telephone, and In-Person Notice Format: The updated regulations provide new illustrative examples for mobile application, telephone, and in-person notices: “When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.” Telephone and in-person notices may be provided orally.
- Mobile Applications: The updated regulations give specific guidance about mobile application notices, with useful examples: When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application.
The updated regulations add a “reasonableness” qualifier to the requirement that notices be accessible to consumers with disabilities, and a new requirement to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium.
Business that Do Not Collect Personal Information Directly from Consumers
Notice of Right to Opt-Out
Opt-Out Button – “Do Not Sell My Personal Information”
The updated draft regulations now include specific recommended visual buttons that businesses should use in different scenarios. The buttons have a toggle-like appearance, and the draft regulations also include instructions regarding text placement next to the buttons.
Businesses that do not offer financial incentives or price or service differences related to the disclosure, deletion or sale of personal information are no longer required to provide a notice of financial incentive. However, those that do offer financial incentives or price or service differences, now have an additional new requirement to include the value of the consumer’s data, and how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, in their notices.