The California AG’s Office has been working hard on the California Consumer Privacy Act’s (CCPA) proposed regulations. On Friday, February 7, 2020, the AG published revised proposed regulations, and then just three days later, on February 10th, the AG published revised proposed regulations again (citing an omission in the February 7th publication).
Many of the revisions are meaningful and show the AG has been carefully listening and reviewing feedback, as well as doing its homework. For example, the AG’s Office is required to disclose what documents and information it relied upon during the rulemaking process, and the AG has disclosed 20 different published sources (ranging from studies and legal journals, to online articles and reports).
While there were many revisions, there were 15 significant changes that may be of interest to the credit and collections industry. In this final part, we cover the last 5 changes (11-15). Part 1 covers changes 1-5 and Part 2 covers changes 6-10.
11. Clarifications on How to Treat Requests to Delete
The proposed regulations no longer require a business to specify the way it deleted personal information. Instead, the revisions simply require a business to “inform the consumer whether or not it has complied” with the request. The revisions also clarify that a business “may retain a record of the request for the purpose of ensuring that the consumer’s personal information remains deleted from the business’s records.” The revisions also added that if a business denies a consumer’s request to delete, it must not only “describe the basis for the denial” but also explain any “conflict with federal or state law, or exception to the CCPA, unless prohibited from doing so by law.”
12. Clarifications for Service Providers
The revisions made some practical changes to what service providers may do with the personal information they receive from their customers without crossing into the realm of being a third party. For example, the revisions clarify that a service provider may use its customer’s personal information to retain and employ other service providers as subcontractors (provided the subcontractor meets the requirements for a service provider). The revisions also allow service providers to use personal information for their own internal use, including building or improving the quality of their services, “provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.” They also allow service providers to use personal information to “detect security incidents, or protect against fraudulent or illegal activity.”
Another significant revision to the proposed regulations is that they no longer require a service provider to respond to requests to know or delete. Instead, a service provider has the option either to “act on behalf of the business” by responding to the request or to inform “the consumer that the request cannot be acted upon because the request has been sent to a service provider.” Accordingly, it behooves service providers to clarify with their clients how they should treat requests received directly from consumers.
13. Setting the Accessibility Standards to be Followed
The revisions incorporate by reference the Web Content Accessibility Guidelines (“WCAG”), version 2.1 of June 5, 2018, from the World Wide Web Consortium. If the CCPA requires any information or notices to be provided online, the revisions make clear that all such content must follow WCAG. For all other contexts, the revisions provide that a business is still required to “provide information on how a consumer with a disability may access the notice in an alternative format.”
14. Changes to Reporting Threshold
The original proposed regulations required a business that buys, receives, sells or shares, for commercial purposes, the personal information of 4,000,000 or more consumers annually to compile and report certain metrics. The revisions raised the threshold to 10,000,000 and clarified that it is measured per calendar year.
15. How to Treat Household Requests and Requests from Authorized Agents
Given the sensitive nature of personal information, there was quite a stir surrounding how to handle requests for household personal information and requests from consumers’ authorized agents. The revisions fortified guidance on both topics.
For households, the definition was revamped to a "person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier." When a household does not have a “password protected account with a business,” the revisions clarify a business does not need to comply with a household’s request to know or delete unless three conditions are met: (1) all consumers in the household “jointly request access,” (2) the business is able to “individually” verify each household member (note, the revisions clarify that if a household member is under the age of 13, parental consent must be provided), and (3) the business is able to verify that “each member making the request is currently a member of the household.”
For authorized agents, the revisions clarify that when an agent makes a request on behalf of a consumer: (1) a business may ask the consumer to provide the authorized agent with written and signed permission evidencing that the agent is authorized to act on the consumer’s behalf, (2) a business may verify the authorized agent’s own identity, and (3) a business may require the consumer to “[d]irectly confirm with the business” that he/she provided the authorized agent permission to submit the request. The revisions further clarify that an authorized agent must “implement and maintain reasonable security procedures and practices to protect the consumer’s information” and that they may not “use a consumer’s personal information, or any other information collected from or about the consumer, for any purpose other than to fulfill the consumer’s requests, for verification, or for fraud prevention.”
Overall, the revisions do help companies better operationalize the CCPA. It is clear the AG is trying to provide clarifications for companies that are not internet-based. However, many questions remain. For example, how far does the Gramm-Leach-Bliley Act (GLBA) exception stretch? If a debt collector is a service provider to a non-profit, and non-profits are not subject to the CCPA, should that non-profit still execute a CCPA addendum with its service providers, given that the regulations state that a business providing services to an organization that is not a business is still required to follow the CCPA? Thinking of a consumer’s experience on a telephone call, can the AG authorize an abbreviated version of the required notice at collection? Do debt collectors have to treat licensed attorneys as service providers under the CCPA? For example, a business may share a consumer’s personal information with its outside legal counsel when defending against a consumer lawsuit. Is this kind of information exchange subject to the CCPA, such that the company would need to have the law firm sign an agreement not to sell personal information? Outside legal counsel does not “sell” consumer information received from clients, as this would be contrary to the Rules of Professional Conduct governing lawyers. In a similar vein, is information exchanged with other professionals, such as external auditors, CPAs, and tax firms, subject to the CCPA? It would be helpful for the AG to provide clarity on these kinds of questions.