California’s CCPA May Be Updated; Proposed Privacy Rules Would Be a Mixed Bag for Both Businesses and Consumers

The California Consumer Privacy Act (CCPA) went into effect as of the start of this year, and it is by far the strongest of the data privacy state laws in the US. A proposed update from the state Attorney General is set to change the new California law up a bit just two months in, based in part on public comments in the early going that indicate both businesses and consumers are running into some problematic situations.

The update to the privacy rules would not make any huge changes to the framework, but would grant some small concessions to both businesses and end users.

Proposed changes to the CCPA

One of the biggest changes for the benefit of consumers is an added requirement that opt-out procedures be clear and easy to access. The consumer must not be presented with default pre-selected settings, and must provide an affirmative response to opt out. A standardized optional opt-out button design that satisfies CCPA requirements would be provided to businesses.

Businesses must also now provide end users with a link to their required notice of data collection prior to end user download of a mobile app. They must also provide a “just in time” notice prior to actual direct collection of personal data on mobile devices; a stock privacy policy will not work unless the end user is served with a clear link to it at the time of data collection.

All of these notices must also now comply with Web Content Accessibility Guidelines to ensure that they can be read and understood by people with disabilities.

Additionally, the revised privacy rules add record-keeping requirements that were not previously present. Businesses that deal in the commercial transfer of information of more than 10 million people annually will need to keep and disclose metrics regarding requests by customers.

The rest of the changes are essentially a big collection of small wins for businesses. These include:

  • “Personal information” is now defined only as items that can be “reasonably” linked to a specific person or household (ex: IP addresses decoupled from an identity are no longer considered personal information)
  • Registered data brokers (on file as such with the Attorney General’s office) are not required to provide notice at the time of collection
  • Service providers have expanded rights and exceptions in processing the personal information of contractors
  • Notices of collection now only have to disclose the general purpose of the data collection; privacy policies still have granular requirements regarding each category of personal information collected and to whom it was disclosed or sold
  • Businesses no longer need to notify third parties they have sold data to within 90 days of receiving an opt-out notice from a consumer
  • Employers are no longer required to provide a “do not sell my personal information” option to job applicants
  • Businesses must still maintain a toll-free number dedicated to opt-out requests, but the secondary method may now be an email address instead of a web form
  • Businesses now have 10 business days to respond to right-to-know requests, rather than 10 calendar days
  • The two-step verification process for deletion requests is now optional

A rash of problems with the new privacy rules

The changes to the privacy rules appear to be in direct response to complaints that both businesses and data subjects have been airing about the existing CCPA terms in recent weeks.

Businesses are unhappy with the present requirement that hardware and device data, such as an IP address, must be treated as personally identifiable information even if it cannot be connected to a specific identity. Automated logs capture a great deal of this sort of information, which some businesses feel puts an undue strain on them. This might also reduce the total count of “customers” for some businesses such that they are no longer large enough to be subject to the CCPA.

Some California residents have expressed frustration with the existing opt-out procedures, which in some cases seem to have been intentionally designed to be difficult and confusing. Users have levied accusations of “dark pattern” design, excessive amounts of menus and options, disclosures buried in obscure parts of websites that are difficult to find links to, and simple failure to comply with the privacy rules.

The proposed regulations do nothing to address some of the shortcomings of the CCPA as compared to the more robust data sharing protections offered by the EU’s General Data Protection Regulation (GDPR). The modified CCPA privacy rules would still not offer consumers a substantial right to correct personal data on file with businesses or the right to opt out of non-commercial targeted advertising, nor would they subject businesses to consumer data minimization standards.

The revised privacy rules can be seen at the Attorney General’s website, with the proposed changes highlighted in red text. A public comment period is taking place until close of business on February 25th, so there might be further alterations after that point. Whatever final regulations might be, they are unlikely to go into effect until sometime in May at the earliest. Until then the original CCPA terms remain in place.