On Jan. 1, 2020, the California Consumer Privacy Act kicked into effect. In short, the new privacy law gives consumers the right to know what types of personally identifiable information (PII) are being collected, stored, and sold by companies under the new law’s jurisdiction. It also lets consumers opt out of having their data stored and request the deletion of data that has already been collected.
As ADCG has written before, many financial institutions are affected by these regulations, particularly companies that have revenue over $25M, receive data from more than 50,000 Californians, or earn at least half their revenue by selling the personal data of California residents.
Almost as soon as the law came out, businesses and organizations began pushing back, complaining that CCPA was impossible to implement and even conflicted with other state and federal laws. The original author of CCPA, Alastair Mactaggart, of Californians for Consumer Privacy, went so far as to begin drafting a proposed amendment to CCPA. And a coalition of advertising associations urged California’s attorney general to make an exception to CCPA for advertisers – or at least to give advertisers and data brokers more time to comply.
California Attorney General Xavier Becerra responded, drafting a regulatory update which was announced on Feb. 7. Three days later, another revision was proposed which made clarifications on the initial regulations. Today, on Feb. 25, public comments have closed on the regulatory update. Here are the most important takeaways:
- The new regulations clarify that any information that cannot be reasonably linked to a particular consumer or household no longer qualifies as personal information. For example, an IP address collected by a business that cannot be traced back to a specific consumer or household is not subject to regulations placed on personal information for that business’s CCPA purposes. This means businesses do not need to consider whether a business with a different level of resources could link the information to specific consumers. As long as the business in question is unable to make the connection, such data is not “personal information.”
- CCPA originally stated that businesses could not use personal information for “any purpose” other than those disclosed upon collection. Now, the restriction applies only to purposes that are “materially different” from those disclosed.
- Original regulations stated that the notice of collection must provide a list of categories of personal information that will be collected. Additionally, the business purposes for using personal information needed to be listed for each category. The update no longer requires businesses to list the purposes for using personal information separately in each category, allowing for a less complicated notice at collection.
- When collecting personal information over the phone, businesses can now deliver the notice orally.
While businesses can get away with saying less in the notice, there is an increased emphasis on accessibility in the update:
- The reworked regulations ensure that people with disabilities can access and understand the notice at collection. Thus, it is explicitly stated that notices at collection must now follow generally recognized industry standards, such as the World Wide Web Consortium’s Web Content Accessibility Guidelines.
- When businesses collect personal information from a mobile device, a just-in-time notice is required if the information is used for a purpose beyond what the consumer could reasonably expect. There are also new details regarding an opt-out button consumers could click at the point of collection, with specific suggestions as to how this button should be displayed online.
- The original CCPA regulations stated that businesses that operate as a website need to provide an interactive form where consumers can exercise their right to know about and delete personal information. This requirement has been lifted, allowing such businesses to give access to these rights through an email address or a mailed physical form instead.
- Initially, CCPA posed an issue for businesses that held personal information that was impossible to locate or retrieve for a concerned customer. Per the update, a business is not required to search for requested information if said information is not maintained in a reasonably accessible format, is maintained solely for compliance or legal purposes, and the business does not sell or use the information for any commercial purposes. If all three of these conditions are met, a business need not search for information so long as it describes to the requestor the categories of unsearchable records.
- Likewise, a business does not have to grant access to personal information if it cannot verify the identity of the requestor. In such cases, the business must communicate this, explaining why it cannot reasonably verify the requestor’s identity.
- Upon deletion, in all cases, businesses are no longer required to tell consumers exactly how personal information was deleted.
- The original regulations stated that additional requirements come into play for businesses that sell, share or receive, for commercial purposes, the personal information of over 4 million consumers. Now, that number has been raised to 10 million.
- However, the deletion-related changes aren’t all relaxed. A new requirement is that businesses can no longer make consumers pay a verification fee upon requests to know or delete.
- Another stricter new rule says that when businesses sell personal information, they must inform consumers of their right to opt out and ask if they want to exercise it.
What Does This Mean For Your Business?
Starting July 1, the Attorney General will be able to bring an enforcement action against any affected business failing to comply with CCPA. While a lot of these modifications appear less strict, the transparency enforced by the original CCPA still stands. Even businesses that aren’t impacted yet should review these modifications and start working on data collection practices that comply, as CCPA will likely set the tone for legislation to come.