The California AG’s Office has been working hard on the California Consumer Privacy Act’s (CCPA) proposed regulations. On Friday, February 7, 2020, the AG published revised proposed regulations, and then just three days later, on February 10th, the AG published revised proposed regulations again (citing an omission in the February 7th publication).
Many of the revisions are meaningful and show the AG has been carefully listening and reviewing feedback, as well as doing its homework. For example, the AG’s Office is required to disclose what documents and information it relied upon during the rulemaking process, and the AG has disclosed 20 different published sources (ranging from studies and legal journals, to online articles and reports).
While there were many revisions, there were 15 significant changes that may be of interest to the credit and collections industry. Part 1 of this article series deals with changes 1-5. Part 2 and Part 3 will be published on insideARM in the coming week.
1. Improved Guidance on the Definition of “Personal Information”
The revised proposed regulations added a whole new section to clarify that information is personal information if “the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” The revision then illustrates this: “[f]or example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
This clarification is a huge sigh of relief because, without it, the definition of personal information is unwieldy. Many businesses possess information that could conceivably be “personal information” but don’t maintain it in a manner that could reasonably be linked back to the consumer or household. Accordingly, this revision makes the definition of personal information a little more palatable and manageable.
2. Clarification about the Various Notices Requirements to Consumers
3. Multiple Clarifications about the Notice Before the Time of Collection
The original proposed regulations (i.e., the proposed regulations prior to the revisions) assumed that the notice provided to a consumer at or before the time of collection would be in writing. They completely ignored the fact that data collection is often conducted over the telephone.
The revisions overhauled § 999.305 by adding a non-exhaustive list of illustrative examples of how the notice may be provided. One of those examples addresses the situation where the data collection is done over the telephone. The example shows that the notice may be provided verbally if a business is collecting personal information over the telephone.
While our industry welcomes this revision, we are already bracing for consumers’ reactions—when a consumer realizes they are speaking with a debt collector, for example, they are already usually irritated by our verification procedure (which is necessary to authenticate their identity) and the Fair Debt Collection Practices Act’s (FDCPA) required disclosures (e.g., mini-Miranda, meaningful disclosure, validation information, etc.). We cringe thinking about adding an explanation about the categories of information we may collect over the telephone during that conversation (or future conversations) and explaining the purposes for which that personal information may be used. Many consumers easily become impatient on the phone, and it would have been nice for the AG to allow for an abbreviated version of the notice when it is provided on the phone.
The revisions also add one significant clarification: a business may not use a consumer’s personal information for a purpose which is “materially different” than those disclosed in the notice at collection. Adding materiality relieves a business from having to think of every little conceivable way it may use the data, and now allows a business some latitude within the realm of materiality.
5. Clarification about the Methods for Submitting Requests
The revisions to proposed regulation § 999.312 simplified the methods a business must offer a consumer to submit a request to know or delete. If a business “operates exclusively online and has a direct business relationship with a consumer,” then the business is only “required to provide an email address for submitting requests to know.” All other businesses must still provide two or more designated methods for submitting requests, “including at a minimum, a toll-free telephone number.”
The revisions removed the requirement that a business provide an “interactive webform” if the business maintains a website. Another sigh of relief, because setting up an email address to accept requests is a whole lot easier than (and just as effective as) programming an interactive webform.
The revisions still require a business to “consider the methods by which it primarily interacts with consumers when determining which methods” it offers to consumers for making such requests.
More to Come...
Check back later for Parts 2 and 3 of this article, which will discuss the other significant changes in the revisions.