California Attorney General Xavier Becerra recently released proposed modifications to his initial California Consumer Privacy Act (CCPA) regulation adjustments. While the CCPA became effective January 1, the attorney general (AG) still has until July 1 to finalize these regulations and may not bring an enforcement action until that time. However, the time is now for companies doing business in California to become compliant – especially given the AG’s caution that this delay does not create a “safe harbor,” and businesses should strive for earlier compliance.
Overall, businesses can expect the final regulations to look similar to the current draft, so it’s in everyone’s best interest to quickly take steps toward compliance and avoid scrambling come July 1. Here are five of the most important modifications to address and adjust based on the latest version of the AG’s CCPA regulations:
- Interpretation of “Personal Information” (§ 999.312(a)). The AG clarified that whether information is considered “personal information” depends on whether the business maintains the information in a manner that links or could reasonably be linked to a particular consumer or household. In making this clarification, the AG provided the example of internet protocol (IP) addresses. IP addresses will not be considered “personal information” for purposes of the CCPA, so long as the business does not link the IP addresses that it collects with an individual consumer or household.
This guidance is likely related to concerns that the use of website analytic services might constitute a “sale” of personal information under the CCPA, due to the fact that the analytics provider analyzes website usage through IP addresses and other non-personal identifiers. Given this example, collected information that is kept and used in a way that is not associated with personal data or linked to an individual consumer or household now likely falls outside of the scope of the CCPA’s broad definition of “personal information” and would not require a do-not-sell, opt-out notice.
- Web Accessibility (§ 999.305(a)(2)(d)). The initial regulations only required that a business provide information on how a consumer with a disability may access a privacy notice in an alternative format. In the revised regulations, notices provided online must follow generally recognized industry standards, such as the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1 (WCAG 2.1). The AG’s use of “such as” would imply that WCAG 2.1 is merely one example of an “industry standard.” However, unless further clarification on the issue is released, the safe bet is to stick with the AG’s example of what he considers an industry standard. In situations where notice is not provided on a website, a business should provide information on how a consumer with a disability may access the notice in an alternative format.
- Collecting Employment-Related Information (§ 999.305(e)). As currently drafted, the CCPA covers the collection of personal information from consumers and customers as well as employees and job applicants – although certain provisions of the CCPA are waived with respect to employee-related information until January 1, 2021. A business will usually have different processes with respect to these two categories of information and will use and disclose the collected information for different purposes.
A redline of the regulations with all of the modifications can be found here. The AG permitted comments to be submitted on the revised regulations, and will provide a summary and response once all comments are processed.
Given the approaching July 1 deadline, future major changes to the current version of the regulations are unlikely. Due to the process for adopting and approving the regulations, the AG must adopt the final regulations and submit them to the Office of Administrative Law by April 16. Any major changes to the regulations would require a new 45-day notice, which is not feasible given this mid-April deadline.