{"id":730,"date":"2020-02-20T11:03:57","date_gmt":"2020-02-20T15:03:57","guid":{"rendered":"http:\/\/blogs.duanemorris.com\/techlaw\/?p=730"},"modified":"2020-02-20T11:25:24","modified_gmt":"2020-02-20T15:25:24","slug":"proposed-modifications-to-ccpa-regulations-definitions-and-consumer-notice-requirements","status":"publish","type":"post","link":"https:\/\/blogs.duanemorris.com\/techlaw\/2020\/02\/20\/proposed-modifications-to-ccpa-regulations-definitions-and-consumer-notice-requirements\/","title":{"rendered":"Proposed Modifications to CCPA Regulations \u2013 Definitions and Consumer Notice Requirements"},"content":{"rendered":"<p><em>Note<\/em>: This blog post is the first of three expanding on the information contained in an <a href=\"https:\/\/www.duanemorris.com\/alerts\/california_attorney_general_proposes_modified_ccpa_regulations_overview_significant_0220.html\"><em>Alert<\/em><\/a> on the Duane Morris LLP website.<\/p>\n<p>On February 10, 2020, California\u2019s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) <a href=\"https:\/\/www.oag.ca.gov\/privacy\/ccpa\">regulations<\/a> first published on October 11, 2019. The initial proposed regulations were summarized in our previous <a href=\"https:\/\/www.duanemorris.com\/alerts\/ccpa_update_newsom_signs_amendments_law_attorney_general_publishes_proposed_regulations_1019.html\"><em>Alert<\/em><\/a><em>. <\/em><strong>The deadline for providing comments on the modified proposed regulations is February 25, 2020.<\/strong><\/p>\n<p>The proposed changes to the definitions, notices, and privacy policies in the modified regulations are summarized below.<\/p>\n<p><strong>Section 999.301 \u2013 Definitions<\/strong><\/p>\n<ul>\n<li>The definition of \u201ccategories of sources\u201d now requires businesses to provide descriptions of the sources with enough \u201cparticularity to provide consumers with a meaningful understanding of the type of person or entity.\u201d The same particularity requirement applies to categories of third parties.\n<ul>\n<li><strong>CCPA Example<\/strong>: Categories may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and data brokers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>COPPA is now explicitly defined as the \u201cChildren\u2019s Online Privacy Protection Act, 15 U.S.C. sections 6501 to 6508 and 16 Code of Federal Regulations part 312.5.\u201d<\/li>\n<li>\u201cEmployment benefits\u201d and \u201cemployment related information\u201d are now defined terms.<\/li>\n<li>The definition of \u201chousehold\u201d is clarified and narrowed. Under the prior version of the proposed regulations, this was defined as anyone occupying a single dwelling. Now, household includes those individuals who not only live at the same address, but who must also share a common device or service and be identified by the business as sharing the same account or unique identifier.<\/li>\n<\/ul>\n<p><strong>Section 999.302 \u2013 Definitional Guidance<\/strong><\/p>\n<ul>\n<li>Adds a new section titled \u201cGuidance Regarding the Interpretation of CCPA Definitions.\u201d This guidance clarifies that what is considered \u201cpersonal information\u201d depends on the manner in which the information is maintained by a business.\n<ul>\n<li><strong>CCPA Example<\/strong>: If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be personal information.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Section 999.304 \u2013 General Notice Requirements<\/strong><\/p>\n<ul>\n<li>Adds an explicit overview of what notices are required for businesses subject to the CCPA, including the requirements that a business provide consumers with a privacy policy, notice at collection of personal information, notice of right to opt-out of the sale of personal information, if applicable, and notice of financial incentive, if applicable.<\/li>\n<\/ul>\n<p><strong>Section 999.305 \u2013 \u201cAt Collection\u201d Notices<\/strong><\/p>\n<ul>\n<li>Requires businesses to following generally recognized industry standards to ensure that the \u201cat collection\u201d notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers <em>in California<\/em>.<\/li>\n<li>Clarifies and provides additional illustrative examples of notice considered readily available at or before the point of collection of any personal information.\n<ul>\n<li><strong>CCPA Example<\/strong>: When collecting personal information online, providing a conspicuous link to the notice on a business\u2019 introductory page of its website and on all webpages where personal information is collected.<\/li>\n<li><strong>CCPA Example<\/strong>: When collecting personal information through a mobile app, providing a link to the notice on the mobile application\u2019s download page and within the application, such as through the application\u2019s settings menu.<\/li>\n<li><strong>CCPA Example<\/strong>: When personal information is collected in person or via phone, providing the notice orally.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Adds a \u201cjust-in-time\u201d notice requirement for personal information collected from a mobile device that a consumer would not \u201creasonably expect\u201d to be collected in connection with an app. The notice must include a summary of the categories of personal information being collected and a link to the full notice at collection.\n<ul>\n<li><strong>CCPA Example<\/strong>: If the business offers a flashlight app and the app collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the app, which contains the required information.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Clarifies that a business may not use a consumer\u2019s personal information for any purpose \u201cmaterially different\u201d from the purpose disclosed at the point of collection, unless the business obtains explicit consent from the consumer for the materially different purpose.<\/li>\n<li>For a data broker registered with the Office of the Attorney General, the \u201cat collection\u201d notice is not needed if the registration includes a link to its privacy policy that includes instructions on how to submit a request to opt out. The data broker is no longer required to contact the consumer or the source of personal information directly.<\/li>\n<li>Clarifies that for requirements effective January 1, 2021, a \u201cdo not sell\u201d link will not be necessary for employment-related information, and the notice at collection for employment-related information may include a link to, or a paper copy of, a business\u2019 privacy policies for job applicants, employees, or contractors as opposed to the privacy policy for consumers.<\/li>\n<\/ul>\n<p><strong>Section 999.306 \u2013 \u201cDo Not Sell\u201d Opt-Out Notices<\/strong><\/p>\n<ul>\n<li>No longer requires a business that \u201cmay sell\u201d personal information in the future to provide an opt-out notice if that business is not presently selling personal information.<\/li>\n<li>Requires businesses to follow generally recognized industry standards to ensure that the opt-out notices are reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers <em>in California<\/em>.<\/li>\n<li>Clarifies that a business that collects personal information through a mobile app may provide the opt-out notice within the app, such as through the app\u2019s settings menu.<\/li>\n<li>Requires an affirmative authorization for the sale of personal information collected when the business does not have a notice of right to opt-out posted.<\/li>\n<li>Includes an example opt out button that, if used, must (1) be in addition to, not in lieu of, the posting of a notice of the right to opt-out, (2) appear to the left of the \u201cDo Not Sell My Personal Information\u201d or \u201cDo Not Sell My Info\u201d link, and (3) be approximately the same size as the other buttons on a business\u2019 web page.<\/li>\n<li><strong>CCPA Example<\/strong>:<\/li>\n<\/ul>\n<p><a href=\"http:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2020\/02\/CCPA-blog-post-1-for-Alert-reference.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-731\" src=\"http:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2020\/02\/CCPA-blog-post-1-for-Alert-reference-300x74.jpg\" alt=\"\" width=\"300\" height=\"74\" srcset=\"https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2020\/02\/CCPA-blog-post-1-for-Alert-reference-300x74.jpg 300w, https:\/\/blogs.duanemorris.com\/techlaw\/wp-content\/uploads\/sites\/17\/2020\/02\/CCPA-blog-post-1-for-Alert-reference.jpg 398w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Section 999.307 \u2013 Financial Incentive Notices <\/strong><\/p>\n<ul>\n<li>Requires businesses to follow generally recognized industry standards to ensure that the notice of financial incentives is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers <em>in California<\/em> and to be readily available where consumers will encounter it before opting into a financial incentive or price or service difference.<\/li>\n<\/ul>\n<ul>\n<li>The notice must explain how the financial incentive or price or service difference is reasonably related to the value of the consumer\u2019s data.<\/li>\n<\/ul>\n<p><strong>Section 999.308 \u2013 Privacy Policies<\/strong><\/p>\n<ul>\n<li>Requires businesses to follow generally recognized industry standards to ensure that the privacy policy is reasonably accessible to consumers with disabilities. Also clarifies that the notice must be provided in the languages in which the business generally provides information to consumers <em>in California<\/em>.<\/li>\n<\/ul>\n<ul>\n<li>Clarifies that a mobile app may include a link to the privacy policy in the app\u2019s settings menu.<\/li>\n<li>Clarifies that the categories of third parties to whom information is disclosed or sold must be provided for each category of personal information identified.<\/li>\n<\/ul>\n<ul>\n<li>Clarifies that the privacy policy must state whether the business has \u201cactual knowledge\u201d that it sells personal information of minors under 16 years of age.<\/li>\n<\/ul>\n<ul>\n<li>Clarifies that the privacy policy should provide instructions on how an authorized agent can make a request on a consumer\u2019s behalf, as opposed to explaining how a consumer can designate an authorized agent.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Note: This blog post is the first of three expanding on the information contained in an Alert on the Duane Morris LLP website. On February 10, 2020, California\u2019s Office of the Attorney General proposed a modified version of the California Consumer Privacy Act (CCPA) regulations first published on October 11, 2019. The initial proposed regulations &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blogs.duanemorris.com\/techlaw\/2020\/02\/20\/proposed-modifications-to-ccpa-regulations-definitions-and-consumer-notice-requirements\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Proposed Modifications to CCPA Regulations \u2013 Definitions and Consumer Notice Requirements&#8221;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[783,837,169,792,824,651,823,664,633],"ppma_author":[878],"class_list":["post-730","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-anjali-kulkarni","tag-brandi-taylor","tag-california","tag-california-consumer-privacy-act-of-2018","tag-ccpa","tag-data-privacy","tag-michelle-hon-donovan","tag-personal-information","tag-sandra-jeskie"],"authors":[{"term_id":878,"user_id":6,"is_guest":0,"slug":"duanemorris3","display_name":"Duane Morris","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/843ff6e7a8fe5fc92109b47a45f34b6cf0ea499e6e788db23456c838b0ae6747?s=96&d=blank&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/730","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/comments?post=730"}],"version-history":[{"count":0,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/posts\/730\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/media?parent=730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/categories?post=730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/tags?post=730"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blogs.duanemorris.com\/techlaw\/wp-json\/wp\/v2\/ppma_author?post=730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}