Earlier this week, more than 30 businesses sent a letter to California’s Attorney General requesting a temporary deferral in enforcement of the California Consumer Privacy Act (CCPA) until January 1, 2021 due to the COVID-19 pandemic and the lack of final regulations. CCPA enforcement is set to begin on July 1, 2020. But regulations directing the implementation of the CCPA remain incomplete and continue to change substantively. The regulations are not likely to be finalized for several weeks, which, under normal conditions, would leave businesses scrambling to comply before the enforcement deadline. But there is nothing normal about current conditions.
Right now, businesses are hyper-focused on the health and safety of employees and customers, and struggling with supply chain, technology, security and cash flow issues, to name a few. Businesses certainly do not need the added stress and pressure of potential enforcement actions for failure to comply with rules that have been a moving target for months.
The History of the CCPA Regulations
The CA AG’s office issued Initial Proposed Regulations on October 11, 2019 and provided 45 days for comment. After numerous public hearings and extensive comment, the AG released Modifications to the Proposed Regulations on February 7, 2020 (with some additional changes three days later) (February Modifications). Instead of the typical 45-day comment period, the AG provided a deadline of February 25, 2020 for comments, apparently taking the position that the changes were not substantial. That conclusion remains debatable. Then, unexpectedly, on March 11, 2020, the AG released the Second Set of Modifications to the Proposed Regulations and set March 27, 2020 as the deadline for comments (March Modifications).
While the changes in the March Modifications are not as extensive as those in the February Modifications, there are a number of important changes. Some of the most noteworthy revisions show a complete reversal of changes made in February. I highlight the top four changes below.
Top Four Changes in March Modifications
First, the March Modifications delete §999.302, which was added in February. The provision offered guidance on the definition of “personal information.” Specifically, it provided the following example: “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” While this might be at odds with Europe’s General Data Protection Regulation’s (GDPR) definition of “personal data,” there has been much debate about whether an IP address alone should constitute “personal data” under GDPR if it could not lead to the identification of a person.
Some believed that California’s AG thought critically about this IP address issue and concluded that it made sense to include an IP address in the definition of “personal information” only if it can reasonably identify a person or household. But after this provision’s cameo in the February Modifications, it was removed just one month later.
Second, under the March Modifications, employers no longer need to provide a link to a privacy policy or employee-related privacy policy. This is another example of a change that appeared for the first time in February and then was removed in March.
Third, the AG removed the opt-out button it introduced for the first time in February. Apparently, businesses and privacy advocates alike disliked the button. The CCPA does not require a button but rather grants the AG’s office the authority to create one. It is unclear if the button issue is dead altogether or whether the AG’s office will work on its design and issue another button.
Finally, there are more changes to the required language in the privacy policy. These changes, if finalized, will necessitate more tweaking of privacy policies. First, the policy must now identify the categories of sources from which personal information is collected, and those categories need to be described in a manner that the consumer can understand. Second, the policy must also identify the business or commercial purpose for collecting or selling personal information and, like the categories, the purpose must be described in a manner that the consumer can understand. Finally, if a business has “actual knowledge” that it sells the personal information of minors under 16 years old, the privacy policy must include a description of the applicable opt-in processes detailed in other sections of the regulation.
In addition to changes to clean up language and address typos, the March Modifications also contained notable changes relating to notices at the point of collection, notices of financial incentives, requests for access, service providers and verification.
While the AG’s office has not yet responded to the March 17 letter from businesses requesting a delay in enforcement, I have to believe that the AG will provide additional time for compliance. Whether it provides time in the form of relaxed enforcement or whether the Governor or Legislature will step in and suspend the statutory enforcement date is yet to be seen. Stay tuned.