& Prof. Code, § 22757, subd. Indeed, the term “business purpose,” when used in the statutory text, contextualizes why a business discloses personal information to a service provider or third party, not the universe of possible ways a service provider could use that information. (b)(5).) Thus, comments that propose simply updating an online privacy policy or providing notice without explicit consent for material changes to a business’s use of personal information would not serve the purpose of section 1798.100, subdivision (b). (Civ. Do you have feedback or think I missed the mark on something? Lest the purpose of many of the revisions remain unclear, the Final Statement of Reasons contains no fewer than seven references to revisions meant to prevent businesses from “evading” or “avoiding” their obligations under the CCPA. The proposed regulations are intended to “establish procedures to facilitate consumer’s new rights under the CCPA and provide guidance to businesses for how to comply.” While the CCPA’s statutory compliance date is January 1, 2020, the AG stated in a related press conference that July 1, 2020 is the expected date of final regulations and enforcement. Subsection (k) was formerly subsection (h) and has been renumbered. This change is necessary to balance a consumer’s right to know with the harms that can result from the unauthorized disclosure of information… Third, subsection (c)(4) has been modified to require a business to inform consumers with sufficient particularity that it has collected the type of information set forth in the regulation. The requirement benefits consumers by making notices more conspicuous in instances in which their personal information is being collected for purposes not reasonably expected. 
Subsection (c)(3)(c), which requires that the business not sell the personal information or use it for any commercial purpose, applies a general fairness principle to ensure that a business that is not able or willing to disclose personal information to the consumer cannot profit or commercially benefit from that personal information. Mobile apps will be able to include a shorthand reference in their menu and provide links to read more about how the business collects personal information, instead of any required length or specific text. Such an approach would allow businesses to engage in passive notice updates without allowing consumers any agency to control how their personal information is used, including when it was collected under false pretenses. If you are a business with significant user data (10+ million consumers in a calendar year), you don’t get to start every month coming up with new monetization strategies for your existing user data without getting permission from users to use their existing data for materially different efforts — and with the new categories of sources being clarified by the CA AG to now include: “Advertising Networks, Internet Service Providers, Data Analytics Providers, Operating Systems and Platforms, Social Networks, and Data Brokers” — things are about to get much more serious for organizations who have treated user consent like a blank check for future user data monetization efforts. The OAG considered alternative ways to address this situation and determined that requiring businesses to obtain affirmative authorization is the most effective way to carry out the purpose and intent of the CCPA to give consumers notice and control, at the point of collection, over the sale of their personal information. 
Subsection (a), which governs the methods a business must provide for the submission of consumers’ requests to know, has been modified to provide that businesses operating exclusively online and that have a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. Subsection (a)(4) was added to address instances in which a business collects personal information from a consumer’s mobile device for purposes that the consumer would not reasonably expect. By requiring that a privacy control be designed to clearly communicate or signal that the consumer intends to opt-out of the sale of personal information, the regulation sets clear parameters for what the control must communicate so as to avoid any ambiguous signals. This change will benefit businesses by providing more guidance about which groups of persons to treat as a household and will benefit consumers by ensuring that those who only temporarily occupy a dwelling are not able to access or delete a consumer’s household information. The regulation provides a few examples of in-person methods: a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, and a telephone by which the consumer can call the business’s toll-free number. Even in defining the term “service provider,” the CCPA makes clear that a business’s disclosure of personal information must be for a business purpose that is stated in the parties’ written contract. First, the regulation now correctly cites to “section 999.317, subsection (b),” which requires a business to maintain records of consumer requests and how the business responded for 24 months. The final regulations largely match the final proposed regulations that California Attorney General Xavier Becerra submitted to the OAL in June. 
There are several significant sections on the appropriate way to respond to requests, and how quickly these need to be done. Together with the final regs, the OAG also published a Statement of Reasons (SOR) on June 1, which provides responses to all the comments received during the rule-making process. An entity may in some instances be the business that collects personal information from consumers and in other instances a third party that receives personal information collected by another business. The Final Statement of Reasons states that Section 999.315(d)(2) of the final rules requires businesses to accept Do Not Sell signals, when those signals are eventually developed. The Final Regulations include additional revisions, which are important for businesses to consider as they move forward with the CCPA compliance. (See Civ. (Bus. At long last, though, the final … This change is also necessary to encompass both temporal proximity, such as in online data captures, and physical proximity, such as near a cash register at an in-store location where collection is taking place. This modification is necessary to clarify that a business has discretion to provide a link directing consumers to the notice in lieu of including the actual language of the notice in the application’s settings menu. Feel free to respond to the post below or drop me a note on Twitter @thezedwards.
The CCPA has technically been in effect since January 1, 2020, and enforcement began July 1, 2020. In addition, the AG issued a Final Statement of Reasons that (1) explains the changes between the first draft and final regulations, and (2) is accompanied by Appendices that respond to each public comment received throughout the rulemaking process – including written comments submitted in response to each draft of proposed regulations and those provided at the four … Many of these outdoor scanners are basically constantly hoovering up consumer data, and reselling it for everything from COVID tracking to Online-offline marketing attribution. This subsection is necessary to eliminate confusion by businesses that have received conflicting manifestations of intent from a consumer. The clarification of “business days” addresses business holidays and lessens the burden on businesses. Final Regulations Changes This requirement is not clear from the text of the regulations and differs from a provision on the same topic in the CPRA Initiative, which is a choice between honoring Do Not Sell signals and posting … If the business treats a request as properly received, the request proceeds through its designated CCPA-request process. Final Regulation Promulgated by OAL (August 14, 2020) Text of the Regulation Submitted to OAL (June 1, 2020) (Clean) Final Statement of Reasons (June 1, 2020) Appendix A – Final Statement of Reasons (June 1, 2020) Appendix B – Final Statement of Reasons (June 1, 2020) Appendix C – Final Statement of Reasons (June 1, 2020) Appendix D – Final Statement […] Subsection (e) thus benefits consumers by allowing them to access, in one place, the information they need to exercise the right to opt-out of the sale of personal information from data brokers selling their personal information. 
Furthermore, simply putting up a new notice on a website after a consumer has already provided personal information, when that consumer may be unlikely to revisit the website (and even more unlikely to revisit the notice), is not meaningful consumer notice. First, it has been modified to specify that the time period to confirm receipt of a request is 10 “business” days. The CCPA’s definition of “third party” excludes the business that collects personal information from consumers, meaning the business that collects a consumer’s personal information in a particular context; it does not exclude all businesses that collect personal information directly from consumers in any context. In what is potentially one of the more important sections of the CCPA Reasons, the California Attorney General makes it clear that if a business uses consumer data for “any commercial purpose” there will be a “general fairness principle to ensure that a business that is not able or willing to disclose personal information to the consumer cannot profit or commercially benefit from that personal information.” All businesses subject to the CCPA must now comply with both the statute and the regulations. June 3, 2020 – Alerts By Odia Kagan. Brief disclaimer: I’m not a lawyer — I’m a longtime digital strategist who has a significant interest and experience with user data privacy frameworks (I’ve also got my CIPP/US privacy certification from the IAPP). The California AG made it clear that the California Data Broker Registry was not only going to be essential for businesses to comply with who are in the business of buying or selling user data, but also pointed out that new industries and privacy innovation can be built with these registries via efforts to standardize global opt-out signals. 
Furthermore, this modification benefits consumers by ensuring that they can make discrete choices about the sale of their personal information while still enjoying the ease and reduced friction of not having to submit separate requests to opt-out on multiple websites or applications. In the final statement of reasons, the DOJ says: “determining the appropriate verification standard is fact- and scenario-specific.” Under the CCPA guidance, businesses that “substantially interacts with consumers offline may satisfy the requirement that it use an offline method to provide notice to consumers by posting signage directing consumers to ‘where the notice can be found online.’” (See Fed. The CCPA Reasons also provide some clarity for organizations that operate primarily offline and some assurances to consumers that the primary method they engage with a business needs to have a way for them to utilize their rights. Notification that the request was denied is unlikely to lead to such an assumption. Without this requirement, businesses could be incentivized to minimize or delay any updated notice or to otherwise hinder a consumer’s ability to object to the new use. The California Attorney General (“AG”) announced on Friday, August 14th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. Right now, there are a huge amount of analytics companies and mobile app SDK providers that acquired user data as part of Service Provider relationships with other mobile apps — and those organizations have been selling the data for COVID location tracking in violation of CCPA. Businesses should provide assistance to consumers who may be unaware of the business’s designated method for submitting CCPA requests or may have made a mistake by contacting the business via some other method. The AG also stated that July 1, 2020, is the expected date of final regulations and enforcement. (Civ. 
The proposed final rules substantively are the same as the draft rules released for public notice on March 11, which we summarized previously here. The final implementing regulations are similar to the This prohibition is consistent with how the CCPA defines and regulates the disclosure of consumer personal information to service providers and service providers’ use of that information. UPDATE OF INITIAL STATEMENT OF REASONS . The change is necessary to ensure that the term does not encompass persons with only a transitory relationship to a dwelling or a tenuous connection to another resident. The California AG’s CCPA Regulations Final Statement of Reasons: Key Takeaways. This modification balances the CCPA’s intent to provide rights and transparency to consumers with the burden on businesses, including potential security concerns. This regulation offers consumers a global choice to opt-out of the sale of personal information, as opposed to going website by website to make individual requests with each business each time they use a new browser or a new device. The CCPA provides the OAG with the authority to adopt regulations as necessary to further the purposes of the CCPA. The OAG explains this process in its latest press release and provides explanation of the changes made in the final regulation in its Addendum to Final Statement of Reasons. 
These details are being released at a time when COVID mobile tracking data has become the newest privacy outrage for users — and several aspects of the guidance read as a direct rejection of the guidance issued by the online advertising and analytics industry groups NAI and IAB, who previously gave their members a blessing to share/sell COVID mobile tracking data to other businesses, researchers and the government to support the pandemic tracking efforts. Thus, the intent of the CCPA is to prohibit a service provider from using personal information collected from one business for its own business purposes or to then provide services on behalf of a different business. (w).) Without this regulation, service providers used by public and nonprofit entities may be required to disclose or delete records in response to consumer requests because they may constitute businesses that maintain consumers’ personal information. It informs the consumer that the business may have other personal information about them but assures them that this information is only maintained by the business in an unsearchable or inaccessible format, solely for legal or compliance purposes, and is not being used for the business’s commercial benefit. There are several clarifications for Service Providers, and there seem to be additional restrictions and clarifications that will apply to any businesses that acquired user data as part of a Service Provider relationship — those businesses are not allowed to retain or use that personal information for its own business purposes. 
What the CCPA guidance makes clear, and this should raise red flags for any organizations who took guidance from NAI and IAB on this issue and executed sales of existing user data, is that the CCPA guidance now makes it clear that organizations who provide SDK services to apps, and any app providing data for COVID tracking, need to provide a “‘just-in-time’ notice summarizing those categories of information that a consumer would not reasonably expect to be collected.” In a press conference discussing the regulations, the AG’s Office stressed that the draft of the proposed regulations and Initial Statement of Reasons are among the best resources explaining the CCPA’s expected implementation. Furthermore, based on the OAG’s technical expertise in this area and understanding of business practices, treating a consumer’s request as properly received or informing the consumer of the proper method of request is not unduly burdensome. Subsection (e) is necessary to prevent a business from unilaterally and retroactively changing its policy to sell personal information that it collected during a time period when it expressly assured consumers that it did not sell such information. This change is necessary because it provides direction to businesses on what to communicate to consumers when they are prohibited from disclosing these specified pieces of personal information. This just-in-time notice allows consumers to make an informed decision about how to interact with the business at or before the point of collection of their information, in furtherance of Civil Code § 1798.100, subdivision (b). (c)(10)(d).) 
The AG’s guidance clearly shot down this argument, and the CCPA guidance seems to make it clear that a new purpose (like COVID location data sales using existing mobile data) would not be CCPA compliant and requires a business to request permission to use the existing data for the new purpose: Some comments have interpreted Civil Code section 1798.100, subdivision (b), as only requiring an additional notice and prohibiting a consumer-consent requirement. The AG submitted the regulations to OAL for approval on June 1, 2020. Subsection (a)(4) is consistent with the language, intent, and purpose of the CCPA to meaningfully give notice to consumers about what information is collected from and about them and to give them control over how businesses use this information. The purpose of this post was to flag some important sections that need to be reviewed by digital strategists, Data Protection Officers, and lawyers working with big data, and flag a few issues that deserve more debate. These examples provide guidance on how businesses should determine which methods to make available to consumers, including those discussed in Civil Code section 1798.130, subdivision (a)(1), while addressing situations in which consumers may need direct, in-person assistance in exercising their CCPA rights. Code, § 6250 et seq.) These modifications benefit businesses and consumers by providing clarity and transparency about businesses’ baseline obligations: businesses that state that they sell personal information must post a notice of right to opt-out, and businesses that do not sell personal information will affirmatively state so. At any point in the future, if the consumer reactivates their account, there doesn’t seem to be an explicit ban on a business merging all customer data, including the data submitted on the Right to Know / Delete forms, into the larger customer account/records.
