On Feb. 7, California Attorney General Xavier Becerra issued revisions to proposed regulations implementing the California Consumer Privacy Act (CCPA). Three days later, a new revision was proposed and the deadline for commenting on the changes extended to Feb. 25.
Revisions were made “in response to comments received” on the proposed regulation “and/or to clarify and conform the proposed regulations to existing law,” the California Department of Justice wrote in an announcement. The regulations were originally proposed last October in anticipation of the CCPA’s Jan. 1 effective date.
A surprising move?
Revising proposed regulations and extending a comment period “does not seem unusual or unreasonable given the complexity and scope of the CCPA’s requirements,” explained W. Reece Hirsch, a partner at the law firm Morgan Lewis and co-head of its privacy and cybersecurity practice. “If anything, many businesses would like to see a more extended period to clarify the law’s many remaining ambiguities before the July 1 enforcement date.”
It seems that a bit of pushback from the regulated community actually had an effect. “The original draft regulations went so far beyond the statutory requirements—and created even more uncertainty and confusion for CCPA compliance—that a variety of stakeholders encouraged the AG to pivot,” said Mark Brennan, lead innovation partner at the law firm Hogan Lovells.
The California law itself “was drafted hastily, with significant gaps between its text and what businesses could reasonably operationalize from a compliance standpoint,” Brennan said. “It was important that the AG get this rulemaking right.”
Becerra “should be applauded for taking into account the concerns of industry submitted as part of the first round of comments,” said Kim Phan, a partner at the law firm Ballard Spahr. “For a rulemaking this complex, a second round of comments is entirely appropriate and will help ensure that business can effectively deliver the new protections under the CCPA to consumers,” she explained. The AG “could even seek a third round of comments, if he feels it is appropriate,” Phan said.
Others shared a somewhat different CCPA worldview. “It is costing a fortune for companies to revise and re-revise their documentation to keep up with each iteration of draft rules,” said Lisa Sotto, a partner at the law firm Hunton Andrews Kurth and chair of its global privacy and cybersecurity practice. “For those organizations that changed their processes and documents to comply with the first set of draft regulations, having yet another set of draft regulations is disconcerting to say the least.”
More than minor changes?
In some measure, the proposed regulations and the latest changes to them create a compliance roadmap of sorts. “These regulations are particularly well drafted for usability,” said Jason Schwent, senior counsel at the law firm Clark Hill. “California has been very specific with its requirements and they have signaled that they intend to enforce those requirements just as specifically,” he noted. “It behooves regulated businesses to learn the specifics and follow them,” Schwent cautioned.
The California AG’s office “made a number of substantial improvements in the latest draft,” said Brennan. “While challenges still exist for businesses seeking to build out their CCPA compliance plans ahead of the July 1, 2020 enforcement deadline, the revisions help reasonably limit the scope of personal information, address some issues regarding the CCPA’s approach to households, and recognize that service providers may use personal information received from a business for research and development purposes without exceeding the scope of their engagement.”
At the same time, some haziness as to what is expected still persists. “The proposed modifications contain a surprising number of redlined changes,” observed Laura Jehl, a partner at the law firm McDermott Will & Emery and global head of its privacy and cybersecurity practice. “While many of these changes are clarifying and/or administrative, some are more substantive and raise additional questions, particularly given the limited explanations for the changes that accompanied the proposed modifications.”
“All in all,” Jehl continued, the proposed modifications “don’t really advance the ball if the goal is to make compliance with CCPA requirements easier—or at least more understandable—for businesses subject to the law.”
We still don’t know what “reasonable security” is
At various points in both the original and updated versions of the CCPA regulations, businesses are directed to use “reasonable security” measures, but the term remains undefined. Given that “the security provisions of the CCPA are linked to a private right of action,” noted Christina Gagnier, a shareholder at the law firm Carlton Fields, “not having clarity” on the meaning of “reasonable security” is “what is keeping business leadership up at night.”
More requirements for privacy notices
The proposed modifications “eliminate some of the required content for privacy notices that had been included in the proposed regulations,” Jehl acknowledged. But they also “add—for the first time—a requirement for just-in-time disclosures if an app collects personal information for a purpose that the consumer would not reasonably expect,” she noted.
“That requirement itself appears to create different obligations than those imposed” by the Federal Trade Commission “in the well-known enforcement action cited in the proposed modification, leading to some confusion as to exactly what conduct is expected of businesses,” Jehl said.
Online notices to consumers should be “reasonably accessible” to those with disabilities under revised rules. “The proposed modifications promote the World Wide Consortium’s Web Content Accessibility Guidelines (WCAG) Version 2.1 as an example of a generally recognized industry standard in this area,” Jehl explained, noting that the revisions ignore “an ongoing Circuit split regarding the applicability of the Americans with Disabilities Act to websites and mobile apps, perhaps making California the de facto arbiter of a hotly disputed legal issue simply by virtue of proposed regulations unsupported in the text of CCPA.”
A clearer definition of “personal information”
Among the changes proposed by the California attorney general is additional verbiage on the meaning of “personal information.” The revision explains that “if a business cannot reasonably link data that it has collected to an individual consumer or household, then that information would not be ‘personal information’ for the purposes of the CCPA,” noted Gagnier.
Indeed, “the clarification that an IP address collected through a website may not be personal information subject to the CCPA if it is not linked, and could not reasonably be linked, to an individual” is one of the more significant changes to the proposed rules, Hirsch noted.
The current version of the CCPA regulations would allow a bit more leeway to use personal information. “Originally, the language of the regulations prohibited businesses from using personal information for any purpose not originally disclosed,” Schwent explained. “The new changes allow use where that use is not ‘materially different’ from that disclosed,” he said. “While not a huge change,” it does “allow for some interpretation” on a business’ part as to “whether a use is materially different from the disclosed purpose,” Schwent said.
Responding to consumer requests
The proposed changes “provide more adequate direction under which circumstances businesses indeed have to respond to consumer requests and the requirements when doing so,” Gagnier said. “This process piece of responding to consumer data requests is cumbersome, and detailed guidance is necessary.”
The California AG “has elected a granular level of specificity in, for example, proposing a uniform method and look for how all Websites are to visually display their notice to inform consumers of the ability to opt out or elect the ‘Do Not Sell My Personal Information’ option,” Gagnier said.
Among the changes that the regulated community might embrace is the removal of the requirement to have “a toll-free telephone number to make requests to know, requests to delete, or similar requests so long as the business primarily contacts consumers through the internet or through mobile applications,” explained Schwent. This revision “removes the need for internet-only businesses to obtain a toll-free number,” he explained.
One significant change on metrics disclosures
Although the change between the Feb. 7 revision and the one issued on Feb. 10 may seem minor, it is not. “A few days after releasing the modified draft regulations, the California Attorney General released a slightly revised version, having omitted a revision in Section 999.317(g),” noted Sotto. Although the “revision omitted from the initial version appears minuscule,” it actually “has a massive impact on the applicability of one of the draft regulations’ obligations,” Sotto explained.
The “initial draft regulations imposed certain metrics disclosure obligations on a business that annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information” of 4 million or more consumers, Sotto said. That number has now increased to 10 million or more consumers, “relieving many businesses from having to comply with the additional obligations,” Sotto noted.
With little time left to provide feedback on these latest changes, commenters should “continue to seek clarity where possible to better measure compliance expectations,” Brennan suggested.
“Once the AG finalizes the regulations, the California Office of Administrative Law (OAL) has 30 days to review for sufficiency before determining whether they are fit for implementation,” Brennan explained. If the AG “is able to submit final regulations to the OAL between March 1 and May 31, the regulation could receive approval and enter into force on July 1, which is when the AG is authorized to begin enforcement,” he continued.
“However, based on the OAL’s implementing schedule, there is at least a chance the regulations’ effective date could be pushed to October 1” if the AG makes additional substantive changes following the current Feb. 25 public comment deadline (which could trigger another comment period), Brennan said.
Moreover, the underlying statute could still be revised. “The situation with the CCPA is very fluid,” observed Brian Kint, a member at the law firm Cozen O’Connor. “There are still pushes for additional amendments and a new ballot initiative that would provide additional privacy protections and consumer rights.”