Editor's Note: This article is broken up into three parts. Part 1 can be found here, Part 3 will be published next week.
The California AG’s Office has been working hard on the California Consumer Privacy Act’s (CCPA) proposed regulations. On Friday, February 7, 2020, the AG published revised proposed regulations, and then, just three days later, on February 10, the AG published a second revised version (citing an omission in the February 7 publication).
Many of the revisions are meaningful and show the AG has been carefully listening and reviewing feedback, as well as doing its homework. For example, the AG’s Office is required to disclose what documents and information it relied upon during the rulemaking process, and the AG has disclosed 20 different published sources (ranging from studies and legal journals, to online articles and reports).
While there were many revisions, there were 15 significant changes that may be of interest to the credit and collections industry. Part 2 of this article series deals with changes 6-10. Part 3 will be published on insideARM in the coming week.
6. Clarification on Business and Calendar Days for Responding to Requests
The revised regulations clarify that a business has 10 business days to confirm receipt of a request to know or delete, and 45 calendar days to respond to the request (with one additional 45-calendar-day extension when reasonably necessary, provided the consumer is notified of the extension). The revisions also extended the timeline for complying with a request to opt-out: a business now has 15 business days to process that request.
That extra time is not a free window, however. If a business sells a consumer’s personal information after the consumer submits an opt-out request but before the business processes it, the business must notify the third party to whom it sold the information that the consumer has opted out and direct that third party not to sell the consumer’s information.
7. Providing Context to Confirmation Receipts
Many grumbled about the proposed regulations requiring a business to confirm receipt of a request. Perhaps in response to those grumbles, the AG’s Office included in its revisions a clarification that the “confirmation may be given in the same manner in which the request was received.” Accordingly, if the request was made over the phone, the confirmation may be provided verbally during that same phone call.
8. Simplifying what a Business Must Do when Responding to a Request to Know
The revisions struck language which said a business “shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” In its place, the revisions state that a business is not required to search for personal information if all four of the following conditions are met:
- The “business does not maintain the personal information in a searchable or reasonably accessible format,”
- The “business maintains the personal information solely for legal or compliance purposes,”
- The “business does not sell the personal information and does not use it for any commercial purpose,” and
- The “business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.”
The revisions lighten a business’s burden by relieving it of even having to perform the search, provided it can show that the personal information meets all four conditions. Note that the fourth condition still requires the business to tell the consumer which categories of records were not searched, so the exemption does not remove the need to inventory where such records live.
9. Simplifying what Must be Disclosed in Response to a Request to Know
The statutory definition of personal information states that it includes “inferences drawn from any [personal information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
The fact that personal information includes “inferences” had many scratching their heads when thinking about the data that artificial intelligence creates (for example, when AI is used to inform a collection strategy). The revisions appear to address this. The AG added that a business “shall not disclose in response to a request to know . . . technical analysis of human characteristics.” One reading of this excerpt suggests that inferences produced by AI need not be disclosed in response to a request to know when they are derived from analysis of human characteristics rather than from the consumer’s personal information itself. Because the quoted phrase is an excerpt from a longer sentence, businesses should read the full provision in context before relying on this interpretation to withhold AI-generated inferences.
10. Eliminated Requirement that an Unverified Request to Delete be Treated as an Opt-Out Request
The revisions struck the requirement that an unverified request to delete be automatically treated as an opt-out request. In its place, for a business that sells personal information, the revisions added a requirement that the business offer the consumer the option to opt out of the sale of their personal information and provide the consumer with the opt-out link.
More to Come...
Look out next week for the final part of this three-part series, which will cover the remaining five significant changes.