Proposed Modifications to CCPA Regulations – Service Providers, Authorized Agents, Minors, Nondiscrimination and Calculating the Value of Consumer Data

Note: This blog post is the last of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for service providers, authorized agents, minors, nondiscrimination and calculating the value of consumer data as set forth in the modified regulations are summarized below.

Section 999.314 – Service Providers

  • Removes language from the prior version that would have prohibited a service provider from using personal information received from a person or entity it services or from a consumer’s direct interaction with the service provider for the purpose of providing services to another person or entity. Clarifies the permitted service provider uses of personal information obtained in the course of providing services to include only the following:
    • Performing the services specified in the written contract;
  • Retaining and employing another service provider as a subcontractor;
    • For its own internal purposes to build or improve the quality of its services, so long as that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source;
    • Detecting security incidents or protecting against fraudulent or illegal activities; or
    • Any other purpose enumerated in the CCPA.
  • Clarifies that a service provider is prohibited from selling data on behalf of a business when the consumer has opted out of the sale of their personal information with the business.
  • Clarifies that if a service provider receives a request to know or delete, the service provider must either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because it was sent to a service provider.

Section 999.317 – Training and Record Keeping Requirements

  • Increases the threshold for triggering certain data analytics and reporting requirements regarding consumer requests received by the business to those businesses that alone or in combination buy, receive for a commercial purpose, sell or share for a commercial purpose the personal information of over 10 million (as opposed to 4 million) consumers in a calendar year (as opposed to annually).

Section 999.326 – Authorized Agent

  • When a consumer uses an authorized agent to submit requests to delete and/or know on the consumer’s behalf, clarifies that the business may require the consumer to (1) provide the agent with written and signed permission to do so, (2) verify their own identity directly with the business and (3) directly confirm with the business that they provided the authorized agent permission to submit the request.
  • Requires authorized agents to implement reasonable security procedures and practices and restrict use of any personal information except to fulfill the consumer’s request, for verification or for fraud prevention.

Section 999.330 – Minors Under 13 Years of Age

  • Requires a business to establish, document and comply with a reasonable method for determining whether the person submitting a request regarding the personal information of a child under the age of 13 is the parent or guardian of that child. The regulations provide several examples of “reasonable methods,” but add language so that the list is not exclusive.

Section 999.336 – Nondiscrimination

  • Clarifies that a business is prohibited from offering a financial incentive or price or service difference if the business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show the financial incentive or price or service difference is reasonably related to that value.
  • Confirms that a denial of a consumer’s request to know, delete or opt out for reasons permitted under the CCPA is not discriminatory. Also confirms that a price or service difference that is the direct result of compliance with federal law is not discriminatory.
  • Updates the illustrative examples of discriminatory and nondiscriminatory practices under the CCPA.

Section 999.337 – Calculating the Value of Consumer Data

  • Revenue or profit generated by the business from separate tiers, categories or classes of consumers or typical consumers whose data provides differing value is no longer an explicitly recognized consideration for determining the value of consumer data. However, there is still a catchall for determining the value of consumer data, which includes any practical and reasonably reliable method of calculation used in good faith.
  • For the purposes of calculating the value of consumer data, the business can consider the value of the data of “all natural persons” and not just consumers.

Proposed Modifications to CCPA Regulations – Consumer Requests and Verification Requirements

Note: This blog post is the second of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the requirements for consumer requests and verification in the modified regulations are summarized below.

Sections 999.312 and 999.313 – Requests to Know and Requests to Delete

  • Clarifies that exclusively online businesses need only provide an email address for submitting requests to know.
  • Clarifies that a business shall consider the methods by which it “primarily” interacts with consumers when determining which methods to provide for submitting requests to know and delete. A business that operates a website but primarily interacts with customers at a retail location is only required to have two (not three) methods to submit requests.
    • CCPA Example: If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone by which the consumer can call the business’ toll-free number.
  • Clarifies the following deadlines:
    • Confirmation of receipt of a request to know or delete must be provided within 10 business days (as opposed to calendar days). The confirmation may be given in the same manner the request was received.
    • Responses to a request to know or delete must be provided within 45 calendar days, beginning on the day the business receives the request, regardless of the time to verify the request. A business may deny the request if it cannot be verified within the 45-day time period. An additional 45 calendar days is permitted so long as, within the first 45 days, the business provides the consumer with notice and an explanation of the reason the business will take more than 45 days to respond.
  • Clarifies that in responding to a request to know, a business is not required to search for personal information if: (1) the business does not maintain information in a searchable or reasonably accessible format; (2) the business maintains the personal information solely for legal or compliance purposes; (3) the business does not sell the personal information and does not use it for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search due to meeting these requirements.
  • Adds unique biometric data generated from measurements or technical analysis of human characteristics to the list of sensitive personal information that may not be disclosed in response to a request to know.
  • Clarifies that the categories of third parties to whom personal information is sold or disclosed must be provided for each particular category of personal information identified in response to a request to know categories of personal information.
  • An unverified request to delete is no longer required to be treated as an automatic request to opt out. Instead, a business that sells personal information is required to respond to an unverified consumer request to delete by (1) asking the consumer if they would like to opt out of the sale of their personal information and (2) including either the contents of, or a link to, the notice of the right to opt out.
  • With regard to data stored in backup systems, explains that such data is only required to be deleted if and when it is restored to an active system or accessed or used for a sale, disclosure or commercial purpose.
  • Clarifies that a business must inform the consumer whether it has complied with the request to delete and that it will maintain a record of the request for purposes of ensuring the personal information remains deleted from the business’ records.

Section 999.315 – Requests to Opt Out

  • Mandates that methods for submitting opt-out requests be designed to require minimal steps and be easy to execute.
  • Clarifies that an acceptable method for submitting a request to opt out of the sale of personal information is through a user-enabled “global” privacy setting, including but not limited to a device setting. The use of a global privacy control by a consumer must be treated by the business as a valid request to opt out. Any privacy control must clearly signal that the consumer intends to opt out of the sale of personal information, must require that the consumer affirmatively select their choice to opt out, and must not be designed with any preselected settings. If a global privacy setting conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’ financial incentive program, the business must respect the privacy control but may give the consumer notice of the conflict and give the consumer the choice to confirm the business-specific setting or participation in the financial incentive program.
  • Businesses must comply with a request to opt out as soon as feasibly possible but no later than 15 business days (as opposed to calendar days) from the date the business received the request. The business must direct all third parties to whom it sells personal information to stop selling that information while the business complies with the opt-out request.

Section 999.316 – Requests to Opt In

  • Clarifies that a business may provide a consumer with instructions on how to opt in to the sale of their personal information, if the consumer initiates a post-opt-out transaction or attempts to use a product or service that requires the sale of their personal information to a third party.

Section 999.318 – Requests to Access or Delete Household Information

  • Clarifies that where a household does not have a password-protected account with a business, the business is prohibited from providing specific pieces of personal information about the household in response to a request to know or from deleting personal information in response to a request to delete unless all consumers of the household make the request jointly and the business individually verifies the members of the household, including that each member making the request is a current member of the household. The business is no longer required to provide aggregate information in response to such requests.
  • Clarifies that a business may process requests through existing and compliant business practices when the consumer has a password-protected account with the business.
  • When members of a household are under 13 years of age, requires verified parental consent for disclosure of household information.

Section 999.323 – Verification

  • Prohibits a business from requiring consumers to pay a fee in connection with verification of a request to know or to delete.
    • CCPA Example: A business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of the notarization.

Section 999.325 – Verification for Non-Accountholders

  • Updates the illustrative examples for verification of individuals without an account and clarifies that a business shall deny a request to know specific pieces of information if it cannot verify the identity of the requestor.

Proposed Modifications to CCPA Regulations – Definitions and Consumer Notice Requirements

Note: This blog post is the first of three expanding on the information contained in an Alert on the Duane Morris LLP website.

On February 10, 2020, California’s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations were summarized in our previous Alert. The deadline for providing comments on the modified proposed regulations is February 25, 2020.

The proposed changes to the definitions, notices, and privacy policies in the modified regulations are summarized below.

Section 999.301 – Definitions

  • The definition of “categories of sources” now requires businesses to provide descriptions of the sources with enough “particularity to provide consumers with a meaningful understanding of the type of person or entity.” The same particularity requirement applies to categories of third parties.
    • CCPA Example: Categories may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.
  • COPPA is now explicitly defined as the “Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501 to 6508 and 16 Code of Federal Regulations part 312.5.”
  • “Employment benefits” and “employment related information” are now defined terms.
  • The definition of “household” is clarified and narrowed. Under the prior version of the proposed regulations, this was defined as anyone occupying a single dwelling. Now, household includes only those individuals who live at the same address, share a common device or service, and are identified by the business as sharing the same account or unique identifier.

Section 999.302 – Definitional Guidance

  • Adds a new section titled “Guidance Regarding the Interpretation of CCPA Definitions.” This guidance clarifies that what is considered “personal information” depends on the manner in which the information is maintained by a business.
    • CCPA Example: If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.

Section 999.304 – General Notice Requirements

  • Adds an explicit overview of what notices are required for businesses subject to the CCPA, including the requirements that a business provide consumers with a privacy policy, notice at collection of personal information, notice of right to opt-out of the sale of personal information, if applicable, and notice of financial incentive, if applicable.

Section 999.305 – “At Collection” Notices

  • Requires businesses to follow generally recognized industry standards to ensure that the “at collection” notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies and provides additional illustrative examples of notice considered readily available at or before the point of collection of any personal information.
    • CCPA Example: When collecting personal information online, providing a conspicuous link to the notice on a business’ introductory page of its website and on all webpages where personal information is collected.
    • CCPA Example: When collecting personal information through a mobile app, providing a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
    • CCPA Example: When personal information is collected in person or via phone, providing the notice orally.
  • Adds a “just-in-time” notice requirement for personal information collected from a mobile device that a consumer would not “reasonably expect” to be collected in connection with an app. The notice must include a summary of the categories of personal information being collected and a link to the full notice at collection.
    • CCPA Example: If the business offers a flashlight app and the app collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the app, which contains the required information.
  • Clarifies that a business may not use a consumer’s personal information for any purpose “materially different” from the purpose disclosed at the point of collection, unless the business obtains explicit consent from the consumer for the materially different purpose.
  • For a data broker registered with the Office of the Attorney General, the “at collection” notice is not needed if the registration includes a link to its privacy policy that includes instructions on how to submit a request to opt out. The data broker is no longer required to contact the consumer or the source of personal information directly.
  • Clarifies that for requirements effective January 1, 2021, a “do not sell” link will not be necessary for employment-related information, and the notice at collection for employment-related information may include a link to, or a paper copy of, a business’ privacy policies for job applicants, employees, or contractors as opposed to the privacy policy for consumers.

Section 999.306 – “Do Not Sell” Opt-Out Notices

  • No longer requires a business that “may sell” personal information in the future to provide an opt-out notice if that business is not presently selling personal information.
  • Requires businesses to follow generally recognized industry standards to ensure that the opt-out notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies that a business that collects personal information through a mobile app may provide the opt-out notice within the app, such as through the app’s settings menu.
  • Requires an affirmative authorization for the sale of personal information collected when the business does not have a notice of right to opt-out posted.
  • Includes an example opt-out button that, if used, must (1) be in addition to, not in lieu of, the posting of a notice of the right to opt-out, (2) appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, and (3) be approximately the same size as the other buttons on a business’ web page.
  • CCPA Example: (image of the example opt-out button; not reproduced in this text)

Section 999.307 – Financial Incentive Notices

  • Requires businesses to follow generally recognized industry standards to ensure that the notice of financial incentives is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California, and must be readily available where consumers will encounter it before opting into a financial incentive or price or service difference.
  • The notice must explain how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data.

Section 999.308 – Privacy Policies

  • Requires businesses to follow generally recognized industry standards to ensure that the privacy policy is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers in California.
  • Clarifies that a mobile app may include a link to the privacy policy in the app’s settings menu.
  • Clarifies that the categories of third parties to whom information is disclosed or sold must be provided for each category of personal information identified.
  • Clarifies that the privacy policy must state whether the business has “actual knowledge” that it sells personal information of minors under 16 years of age.
  • Clarifies that the privacy policy should provide instructions on how an authorized agent can make a request on a consumer’s behalf, as opposed to explaining how a consumer can designate an authorized agent.

Nevada Privacy Law Takes Effect October 1: Is Your Company Compliant?

The newest Nevada privacy law, SB 220, is about to become operative on October 1, 2019, and will require website operators to provide consumers with the right to opt out of the sale of their personal information. The definition of what constitutes a “sale” is fairly narrow and includes several broad exclusions. Therefore, this opt-out provision is likely to apply only in narrow circumstances. However, businesses that may be covered by this new law will need to complete the following items prior to October 1:

  1. Determine whether the law applies to your business.
  2. Confirm compliance with existing consumer notice requirements.
  3. Establish a designated request address where consumers may submit a verified request to opt out of the sale of their covered information.
  4. Develop policies, procedures and processes for verifying and responding to requests within 60 days.

Please see our Alert for a detailed discussion of this law and when it applies.

Amendments to the CCPA Ready for Governor’s Signature

By: Michelle Hon Donovan, Brandi Taylor and Angelica Zabanal

Last Friday, September 13, 2019, marked the final day for the California Legislature to vote to pass amendments intended to clarify the terms and scope of the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. The bills are now on Governor Gavin Newsom’s desk for approval, and the Governor will have until October 13, 2019, to sign or veto them.

Of the CCPA amendment bills that were in consideration, the following were passed:

  • AB 25, regarding employee exemption
  • AB 874, regarding the definition of PI (personal information)
  • AB 1146, regarding warranty and vehicle repairs
  • AB 1355, regarding the B2B exemption and other clarifying amendments
  • AB 1564, regarding toll-free telephone number exception

Also of note, AB 1130 – a bill that does not specifically amend the CCPA – also passed. This bill expands the categories of PI covered by California’s data breach notification laws, which will now include tax identification numbers, passport numbers, military identification numbers and unique identification numbers issued on a government document, as well as certain types of specified unique biometric data. This expansion is anticipated to impact liability under the CCPA’s private right of action.

While not an exhaustive list of the bills that stalled during the legislative process, the following bills of note failed to be passed by the legislature:

  • AB 873, regarding the definition of de-identified
  • AB 846, regarding customer loyalty programs
  • AB 981, regarding exemption for certain insurance transactions

While the approved amendments did not significantly overhaul the CCPA, several notable changes were made. Please see our Alert for a detailed discussion of these changes.

What Is Personal Information? In Legal Terms, It Depends

In early March, cybersecurity professionals around the world filled the San Francisco Moscone Convention Center’s sprawling exhibition halls to discuss and learn about everything infosec, from public key encryption to incident response, and from machine learning to domestic abuse.

[…]

Companies should not overthink [data privacy and personal information]. Instead, data privacy lawyers said businesses should pay attention to what information they collect and where they operate to best understand personal data protection and compliance.

As Duane Morris LLP intellectual property and cyber law partner Michelle Donovan said:

“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”

To read the full text of this article, please visit the MalwareBytes website.

Pa. Supreme Court Rules Employers Have Legal Duty to Protect Employees’ Personal Information from Data Breaches

On November 21, 2018, the Pennsylvania Supreme Court ruled that the University of Pittsburgh Medical Center (UPMC) had a legal duty to exercise reasonable care to protect sensitive employee information against an unreasonable risk of harm when that information is stored on an internet-accessible computer system. Dittman v. UPMC, No. 43 WAP 2017 (Pa. Nov. 21, 2018). In doing so, the Court made clear that the criminal acts of third parties who may breach a computer system do not alleviate the legal duty on a business to protect such information. The Court further held that the economic loss doctrine (a doctrine that precludes tort cases where the loss is purely monetary) did not apply in this case because the legal duty to protect sensitive employee information exists independently from any contractual obligations between the parties.

Visit the Duane Morris LLP website to read the full Alert.

The Eighth Circuit Gives Defendants New Ammunition Against Data Breach/Misuse Cases

Since the Supreme Court’s decision in Spokeo v. Robins, courts have begun to ratchet back prior decisions on the minimum standard to plead an injury sufficient to establish Article III standing. The recent Eighth Circuit opinion in Braitberg v. Charter Communications adds to the growing number of cases defendants will rely upon to get data breach cases dismissed at the pleadings stage. Braitberg addressed standing in the context of the retention, use, and protection of personally identifiable information. Although the case did not involve a data breach, its holding is nonetheless instructive when defending against such cases.

In Braitberg, plaintiff alleged that he was required to provide personally identifiable information to purchase cable services and that the cable provider improperly retained his information long after he cancelled the services in violation of the Cable Communications Policy Act (“CCPA”).

Prior to Spokeo, such claims would have been sufficient to establish Article III standing because the Eighth Circuit permitted the actual injury requirement to be satisfied solely by pleading that there was an invasion of a legal right that Congress created. The Supreme Court in Spokeo held that Article III standing requires a “concrete injury” even in the context of a statutory violation.

With the benefit of Spokeo’s guidance, the Eighth Circuit acknowledged that Spokeo superseded its prior precedent. Accordingly, the panel affirmed the district court’s dismissal of the complaint for lack of Article III standing and failure to state a claim. In doing so, the panel rejected arguments that CCPA created standing to sue where the defendant merely retained the data in violation of the statute with no other injury. It further rejected an economic argument that retention of the data deprived plaintiff of the full value of the services received from the company.

This decision is important for two reasons. First, the Eighth Circuit further narrowed the scope of allegations that will give rise to Article III standing in a post-Spokeo world. Second, in denying the economic argument, the court cut off an alternative avenue by which plaintiffs have successfully alleged harm.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
