The California AG’s Office has been working hard on the California Consumer Privacy Act’s (CCPA) proposed regulations. On Friday, February 7, 2020, the AG published revised proposed regulations, and then just three days later, on February 10th, the AG published revised proposed regulations again (citing an omission in the February 7th publication). 

Many of the revisions are meaningful and show the AG has been carefully listening and reviewing feedback, as well as doing its homework. For example, the AG’s Office is required to disclose what documents and information it relied upon during the rulemaking process, and the AG has disclosed 20 different published sources (ranging from studies and legal journals, to online articles and reports). 

While there were many revisions, there were 15 significant changes that may be of interest to the credit and collections industry. Part 1 of this article series deals with changes 1-5. Part 2 and Part 3 will be published on insideARM in the coming week.

1. Improved Guidance on the Definition of “Personal Information”

The revised proposed regulations added a whole new section to clarify that information is personal information if “the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” The revision then illustrates this: “[f]or example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” 

This clarification is a huge sigh of relief because, without it, the definition of personal information is unwieldy. Many businesses possess information that could conceivably be “personal information” but don’t maintain it in a manner that could reasonably be linked back to the consumer or household. Accordingly, this revision makes the definition of personal information a little more palatable and manageable. 

2. Clarification about the Various Notices Requirements to Consumers 

You get a notice, you get a notice, everybody gets a notice! The CCPA has various notice requirements throughout its text. Therefore, it makes sense that the revisions summarized, in one convenient spot, all the CCPA’s different notice requirements. The added section (§ 999.304) creates a roadmap to each of the four different notice requirements. In doing so, the revised proposed regulations make it clear that the required notice a business must provide at or before the time it collects personal information directly from a consumer is distinctly different than a businesses’ privacy policy. Note, the revisions still require a business to link, or say where the policy can be found, in its notice at or before the time of collection.


3. Multiple Clarifications about the Notice Before the Time of Collection 

The original proposed regulations (i.e., the proposed regulations prior to the revisions) assumed that the notice provided to a consumer at or before the time of collection would be in writing. It completely ignored the fact that data collection is often conducted over the telephone. 

The revisions overhauled § 999.305 by adding a non-exhaustive list of illustrative examples of how the notice may be provided. One of those examples addresses the situation where the data collection is done over the telephone. The example shows that the notice may be provided verbally if a business is collecting personal information over the telephone. 

While our industry welcomes this revision, we are already bracing for consumers’ reactions—when a consumer realizes they are speaking with a debt collector, for example, they are already usually irritated by our verification procedure (which is necessary to authenticate their identity) and the Fair Debt Collection Practices Act’s (FDCPA) required disclosures (e.g., mini-Miranda, meaningful disclosure, validation information, etc.). We cringe thinking about adding an explanation about the categories of information we may collect over the telephone during that conversation (or future conversations) and explaining the purposes for which that personal information may be used. Many consumers easily become impatient on the phone, and it would have been nice for the AG to allow for an abbreviated version of the notice when it is provided on the phone. 

The revisions also add one significant clarification: a business may not use a consumer’s personal information for a purpose which is “materially different” than those disclosed in the notice at collection. Adding materiality relieves a business from having to think of every little conceivable way it may use the data, and now allows a business some latitude within the realm of materiality. 

Lastly, the revisions clarify that a data broker, who is registered with the AG, is not required to provide the notice to consumers if it has included “in its registration submission a link to its online privacy policy which includes instructions on how a consumer can submit a request to opt-out.” This greatly simplified the prior proposed regulation which required data brokers to either contact a consumer directly and provide them with a right to opt-out, or to confirm with the source of the information that they provided notice at collection and to obtain signed attestations from the sources.

4. Simplification of the Privacy Policy 

The revisions simplified the privacy policy by removing three requirements. The privacy policy no longer requires the sources of collected information to be disclosed, the business or commercial purposes, or the categories of third parties with whom the business shares personal information. If a business sells personal information, however, the privacy policy must still identify the categories of personal information the business has disclosed or sold for a business purpose in the last 12 months, and for each category, “provide the categories of third parties to whom the information was disclosed or sold.” 

5. Clarification about the Methods for Submitting Requests 

The revisions to proposed regulation § 999.312 simplified the methods a business must offer a consumer to submit a request to know or delete. If a business “operates exclusively online and has a direct business relationship with a consumer,” then the business is only “required to provide an email address for submitting requests to know.” All other businesses must still provide two or more designated methods for submitting requests, “including at a minimum, a toll-free telephone number.” 

The revisions removed the requirement that a business is required to provide an “interactive webform” if the business maintains a website. Another sigh of relief, because setting up an email address to accept requests is a whole lot easier than (and just as effective as) programming an interactive webform. 

The revisions still require a business to “consider the methods by which it primarily interacts with consumers when determining which methods” it offers to consumers for making such requests.

More to Come...

Check back later for Parts 2 and 3 of this article, that will discuss the other significant changes in the revisions. 


Next Article: Glasser Plaintiff Seeks Re-Hearing from Eleventh Circuit ...