Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.
On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.
The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.
Section 999.314 – Service Providers
- Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
- Performing the services specified in the written contract;
- Retaining and employing another servicer provider as a subcontractor;
- For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
- Detecting security incidents or protecting against fraudulent or illegal activities; or
- Any other purpose enumerated in the CCPA.
- Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
- Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.
Section 999.317 – Training and Record Keeping Requirements
- Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for a commercial purposes the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).
Section 999.326 – Authorized Agent
- When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identify directly with the business and (3) directly confirm with the business that the provided the authorized agent permission to submit the request.
- Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.
Section 999.330 – Minors Under 13 Years of Age
- Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.
Section 999.336 – Nondiscrimination
- Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
- Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
- Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.
Section 999.337 – Calculating the Value of Consumer Data
- Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
- For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.