March 11th, 2020 saw a second set of California Consumer Privacy Act (CCPA) amendments come to light. These new amendments are meant to clarify and emphasize some aspects of the Californian Privacy Regulations and provide further guidelines for companies to adjust their privacy compliance programs. While there does not seem to be any major breakthrough since the first set of amendments in February, we are highlighting the main takeaways for data controllers and service providers.
The previously acclaimed IP Address Guidance
The former section (§ 999.302) that provided guidance on how to interpret the definitions in the CCPA is removed in this new set of amendments. The specific paragraph described an interesting example related to IP addresses classified as Personal Identifiable Information (PII) and excluded those from the scope of the CCPA if they cannot be linked to any consumer or household. It would be premature to interpret the deletion of the section to mean that sole IP addresses are included under the CCPA scope. The proposed regulation might just intend to avoid any unnecessary repetition with the existing definition in the Civil Code which already takes a clear stance on the scope of PII.
Dispositions Targeting Service Providers
This new round of amendments brings some further clarity for Service Providers (referred to as Processors by the European General Data Protection Regulation) and their processing activities.
On one hand, businesses are not required to give notice to consumers at the time of data collection when their data is not collected from the consumers themselves (§ 999.305). This exemption does not apply in the event that businesses perform a ‘sale’ of the personal information.
On the other hand, data retention rules for Service Providers are further detailed to follow the purpose of processing as clarified by the contract with the business instructing the collection of data or providing that specific data directly to the Service Provider (§ 999.314).
Consumers’ Right to Opt-Out from the Sale of their Data
The previously optional Do Not Sell button or logo suggested by the February amendments was simply removed this time, implying that the current guidelines around the notice of right to Opt-Out remains sufficient.
Whereas the obligation to share the link to the right to opt-out notice was previously highlighted in the context of a failure to verify the identity of a consumer requesting their data to be deleted, the amendments slightly broaden this obligation by extending it to any denial to requests to delete (§ 999.314). This seems to include failure of verification as well as instances where legal exceptions justify a refusal to delete data.
A new caveat is added regarding the retention of information maintained for record-keeping purposes. The text states that this information “shall not be shared with any third party except as necessary to comply with a legal obligation”. The newly added legal obligation language is not defined and could be therefore interpreted broadly (§ 999.317).
The training section sees the infamous ‘reasonable’ term being used when it comes to the scope of businesses having to disclose metrics related to the requests received and their processing. In this context, the disclosure of information applies to “a business that knows or reasonably should know that it, alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 10,000,000 or more consumers in a calendar year”.
Though this likely won’t be the last set of amendments that we see regarding the CCPA, it does provide further clarity around interpretation of the regulation. With continuous changes in the legal applicable frameworks and the burden and uncertainty it means for legal teams, companies are turning to technology to ensure a quick and compliant response. At DataGrail, our product team continually responds to privacy regulation updates and this latest round is no exception. Speak with our team to learn more about how DataGrail’s Privacy Platform already accommodates these latest amendments and keeps your business covered during these times of constant change.
About the Author: Justine has built experience in the legal and tech industry, working in the legal department of a London knowledge broker before moving to a Customer Success career. She studied Data Privacy as part of her Master of Laws in Belgium and at the LSE in London. She is also a published author on the topic.