The California Attorney General recently released modified CCPA guidance. While the modified guidance offers additional examples for CCPA compliance and clarifies certain obligations, several open issues and ambiguities remain. Below are highlights of the changes. Note that written comments are due by February 25, 2020.

Definitions: The modified guidance specifies that the definition of “household” includes a person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.

Interpretation of CCPA Definition of Personal Information: The modified guidance explains that the definition of personal information “depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” As an example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”

Notice to Consumers: The guidance helpfully summarizes four scenarios where notice is required.

(1) Every business that must comply with the CCPA shall provide a privacy policy;

(2) A business that collects personal information from a consumer shall provide a notice at collection;

  • When collecting PI from a mobile device for a purpose that the customer “would not reasonably expect,” the business must provide a “just-in-time” notice explaining the categories of personal information being collected and a link to the full notice.

(3) A business that sells personal information shall provide a notice of right to opt-out; and

  • The guidance provides that an opt-out button may be used in addition to posting the notice of right to opt-out, and when it is used it shall appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link and should be approximately the same size as other buttons on the business’s webpage.

(4) A business that offers a financial incentive or price or service difference shall provide a notice of financial incentive.

All notices must be reasonably accessible to consumers with disabilities.

Consumer Requests: The modified guidance provides that businesses may, rather than “shall,” use a two-step process for online requests to delete. In addition to government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords, or security questions and answers, a business shall not at any time disclose in response to a request to know “unique biometric data generated from measurements or technical analysis of human characteristics.”

Service Providers: A service provider shall not retain, use, or disclose personal information obtained in the course of providing services except: (1) to perform the services specified in the written contract with the business that provided the personal information; (2) to retain and employ another service provider as a subcontractor; (3) for internal use by the service provider to build or improve the quality of the service, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source; (4) to detect data security incidents or protect against fraudulent or illegal activity; or (5) for purposes enumerated in Civil Code section 1798.145(a)(1)-(a)(4). If the service provider receives a request to know or a request to delete from a consumer, the service provider shall act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.

Requests to Opt-Out: The modified guidance provides that the methods for submitting requests to opt-out shall be easy and shall clearly communicate or signal that the consumer intends to opt out of the sale of personal information, and that a business must respect the privacy control but may notify the customer if there is a conflict between the privacy control setting and a business-specific privacy setting or participation in a financial incentive program.

Requests to Access or Delete Household Information:  The modified guidance clarifies what conditions are required to honor a request to access or delete household information, including that the business must individually verify all members of the household and that each member making the request is currently a member of the household.

Verification:  A business cannot require the customer to pay a fee for verification of their request to know or delete (e.g., provide a notarized affidavit).

Discriminatory Practices: If the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference.

See any issues? Get your comments in by February 25!