California recasts and strengthens its Consumer Privacy Act

As mentioned in earlier blog entries, California has enacted groundbreaking privacy legislation (the “California Consumer Privacy Act” or “CCPA“) granting consumers a certain degree of control over how businesses use their online personal data, to a certain extent putting into practice the lessons learned by their European counterparts.

The CCPA requires the attorney general to solicit broad public participation when adopting regulations implementing the CCPA to ensure a suitable achievement of its objectives.

These regulations are aimed at establishing procedures for exercising the new rights the CCPA gives consumers and to provide businesses with guidance to help them meet their obligations under the CCPA.

Some of these regulations are still in the drafting stage. On February 7, 2020, the attorney general’s office published a modified version of a proposed regulation it has been working on (the “Regulation“). The wording makes significantly amends the CCPA to reflect the views collected from businesses and citizens during the initial public consultation.

We highlight the following modifications made by the Regulation:

• First, the Regulation more precisely defines what is to be understood as “personal information.” The definition excludes information that a business has collected but cannot be reasonably used to identify a consumer, i.e., personal information obtained through a website—an IP address—not linked to any particular consumer or household. In contrast, Europe’s General Data Protection Regulation (the “GDPR“) is stricter and does consider information regarding location, digital identifiers, and other factors potentially linked to an individual indirectly to be personal data. Recital 26 states that assessing a reasonable likelihood of identifying a person should be based on such objective factors as the means, cost of and time required for identification, considering the technology available at the time of the processing and technological developments.
• The Regulation also requires businesses to provide “just-in-time notices,” for example, in a pop-up window, advising consumers of unexpected data collection, i.e., the existence of a new purpose for processing of their personal data. The notice must include the new categories of data being collected and a link to a full notice containing detailed information.
• The original wording of the CCPA required privacy policies and legal notices to be “reasonably accessible” without specifying further details, and now the Regulation helps clarify what “reasonable accessibility” should be taken to mean. Its definition of the term makes reference to generally recognized industry standards (such as “Web Content Accessibility Guidelines” and accessibility standards for websites as prescribed in the Americans with Disability Act).
• The modifications also streamline the obligations of intermediaries, or “data brokers”, i.e., businesses that sell personal information collected indirectly, i.e., initially obtained by another company. The original wording of the CCPA had required these businesses to ensure that the company that had originally collected the information had informed consumers at the time of collection, but the Regulation removes that burden if they register as “data brokers” and include a link to their privacy policy and the policy has instructions enabling consumers to opt out, should they so wish.
• It also includes examples of opt-out pop-ups that meet the Regulation’s requirements.

According to sources checked, other modifications have sought to limit or ease other obligations initially imposed by the CCPA on companies that process and sell consumer information. However, these do not seem to provide any further clarity regarding the meaning of “sell” or the meaning of “reasonable data security.”

Therefore, and pending further regulations that will hopefully shed more light on these aspects, the attorney general’s office has started a new round of public consultations until February 24, after which it intends to issue the final version of the Regulation in April or May 2020.

In any case, the effects of the CCPA and, to some extent, the GDPR, would appear to be spreading to other US states besides New York, and similar privacy initiatives have been proposed in Mississippi, Hawaii, Maryland and Massachusetts.