On March 11th the California Attorney General’s office released the third draft of the regulations required to implement the California Consumer Privacy Act, lovingly known the world around as the CCPA. However unpopular versions 1 and 2 of the CCPA regulations might have been, at least there were substantive points proposed and adapted. In round 3, the AG’s office has dropped a redlined version that looks like the product of an overworked lawyer who simply mailed it in.
Let’s focus on the positive first.
The first somewhat material change should really be considered an error correction, as v3 eliminates v2’s hot mess of a Do Not Sell button in section 999.306. Companies are criticized regularly for not getting the user interface “right” and making it “easy,” and the AG’s proposal was neither of these. The AG’s office should have simply borrowed an Easy button (less than $10 online) from the folks at Staples. As long as a business that ‘sells’ personal information under the CCPA makes it relatively easy for a consumer to communicate that request, the business should be fine. (And, frankly, these days, we’ve got way worse $*!% to worry about.)
Staying on the sunny side of the street, the AG’s team made a helpful and practical change in the Notice at Collection provisions. Section 999.305 concerns the notice to be provided a consumer when personal information is collected. But we all know that there are many instances in which a business might collect those details indirectly. Subsection 305(d) now provides that a business receiving consumer information indirectly does not need to notify the consumer if the business does not sell the information.
What this means for non-data broker businesses collecting indirectly is that there is no more requirement for a GDPR-like notice to the individual when the business was unable to get a suitable attestation from the seller of the information. Furthermore, those fitting this exclusion would typically be purchasing a marketing list for their own internal purposes, and when the marketing communication is eventually sent to the consumer it would contain a link to the privacy policy and an unsubscribe mechanism.
Even data brokers get a break and need not notify consumers of the indirect collection if the data broker has registered with the AG’s office per Civil Code section 1798.99.80. It is a reasonable compromise that helps to protect ‘collection notice burnout’ beyond the ‘breach notice burnout’ endured by so many.
Those two changes alone, in .306 and .305, are helpful. And there’s an additional treat at the end of the Privacy Policy section confirming that a business must have actual knowledge of selling the consumer information of those under 16 years of age before the child related provisions apply. Thank you.
To summarize the helpful changes: we have the removal of the Do Not Sell button; we have clarification that the provisions for under 16’s require actual knowledge rather than speculation before applying; and we have a single truly substantive change regarding indirect data collection.
So why the grumpiness over v3? The second version of the draft rules added 999.302 titled Guidance Regarding the Interpretation of CCPA Definition. This single paragraph had added a dose of reality, reflecting a world in which an IP address does not on its own identify a person and had added the qualifier of a business’s ‘reasonable’ capability to identify someone. While there are identifiers that a business could reasonably match to an individual, this is not the case with all identifiers.
Version 3 removed this sensible interpretative guidance. Version 3 moved the CCPA regulations a massive step backward, away from the modicum of common sense that .302 delivered. Think of the online ecosystem: if a site owner shares the IP address of a site visitor with an ad network that is already on the site, that will now quite possibly be considered a sale of personal information (which is just fine if you think the GDPR is a model of fairness, reasonableness, and pragmatism). Perhaps this was the negotiated price for the consumer advocates in not fighting the positive above, I have no idea.
Service providers do not remain untouched by this version either. Version 2 had added a helpful provision affirming that service providers may use personal information received or collected in the context of a service for the quasi-secondary purpose of using that data to build or to improve the quality of the offering. This secondary use was limited in v2 so that the service provider could not use the information to build or modify household/consumer profiles or to clean personal details with the service provider’s database.
Version 3 has restricted this further in that the household/consumer profile prohibition applies not simply to those profiles that the service provider might hold but particularly those profiles it might use in providing services to another business. For some business context, the intent is understandable: prevent or hinder data brokers from improving their data sets and use that improved data set as part of a new or improved service. But what about a company that has no interest in selling data but wants to improve the accuracy and completeness of the data it has about people? What about a business that provides fraud prevention and each data point is a relevant component in detecting a potential fraud? What about those service providers that serve to verify the individual behind a consumer request? The more current the data available, the more likely it is valuable to double check whether an individual can be authenticated as to the identity they present. It’s a muddle.
The remainder of v3 changes are cosmetic, superficial, and perhaps improve the way the rules read but not in any substantive manner. A mind is a terrible thing to waste, as is time, and this v3 of the CCPA rules shows respect for neither.
What should the AG really be doing now? I’ve been in privacy and data protection since 2004 and individuals benefit greatly from an effective set of rules that restrains what the public and private sectors might otherwise do with personal information. I support the role that state AGs and federal agencies have in protecting privacy. However, right now, I think the California AG’s office should step away from the keyboard. Organizations and individuals are doing everything possible simply to keep colleagues and families healthy and safe. Many businesses and individuals wonder how they’ll survive the fallout from this coronavirus pandemic. I’m not blaming the AG’s office for misplaced priorities – like many of us, they are simply trying to put one foot ahead of the other. Keep calm and carry on, as the meme goes. But I suspect that even Alistair McTaggart would not object to a six-month delay of enforcement to December 31, 2020 and with no retroactive (back to Jan. 1, 2020) prosecution. This is not a get-out-of-jail-free card; this is a ‘we’re all in this together’ situation.