Earlier this month the California Attorney General’s Office released revisions of proposed regulations for the California Consumer Privacy Act, the much-anticipated data privacy law that went into effect at the beginning of the year and is the country’s most stringent set of obligations for companies collecting consumer information. The revisions build on proposed regulations released by the office in October 2019, and the office will take public comments on the revisions until Feb. 25.
The CCPA gives California residents the right to opt out of having businesses share or sell their personal data, and they can also ask businesses and their service providers to delete that data. The law has a few “tiers of entry” to determine which businesses it applies to: those with more than $25 million in revenue per year, those that collect personal information from more than 50,000 California residents or those that get more than half their revenue from selling consumer data.
One of the significant proposed regulations clarifies the definition of “personal information” covered by the law. It explains information collected by a company has to be “reasonably capable” of being linked to a particular consumer to fall under the CCPA’s purview. The proposed guidance uses IP addresses as an example: Collecting IP addresses without linking them to users’ identities wouldn’t be considered personal information.
“What they’ve done in here really does help from a compliance standpoint, and I think it also shows that the office is taking its responsibilities seriously,” said Greg Szewczyk, of counsel at Ballard Spahr. “They’re not just making tweaks to something here or there, but I think they’ve truly listened during the comment periods and endeavored to … give companies means to comply that really works for the companies.”
He said the definition of personal information will benefit all businesses, but it seems targeted to appease businesses that don’t have a physical presence in California but have website traffic from consumers there that they collect non-identifying information from.
“This really gives some good clarity to a lot of businesses in that situation.”
Dave Stauss, a partner at Husch Blackwell, said whether information meets the definition of personal information will be clearer in some instances of collection than in others. Names paired with addresses or Social Security numbers are a black-and-white situation, but information such as browsing history or IP addresses, the example the attorney general’s office used, will probably take case-by-case determinations.
“You get these technology-based categories that I think are going to be tough, and they’re going to be case-specific as well,” he said. “Some clients are not going to have the technological know-how to associate an IP address with an individual, but some clients are going to be using technology and services [where] they do.”
Stauss said he expects more debate over the scope of personal information’s definition eventually, but the California attorney general’s office will probably focus its resources first on cut-and-dried violations of the CCPA, such as companies selling personal data without permission.
Szewczyk echoed a similar sentiment. He said he believes the attorney general’s guidance will help reduce its workload related to figuring out what “personal information” means in each separate circumstance.
“With the sheer size of the task ahead of them, I think that this really helps the office be able to focus on more traditional types of investigations or enforcements as to whether or not companies are complying, as opposed to quibbling or debating what constitutes personal information.”
Beyond the definition of personal information, he said the proposed regulations’ clarification of a disability-accessibility requirement for privacy policies seems like the other significant revision. He said the initial proposed regulations didn’t define accessibility, and he said the requirement surprised him and other practitioners he knows. But the revised regulations have added language saying businesses should use “generally recognized industry standards” for accessibility, such as the Web Content Accessibility Guidelines from the World Wide Web Consortium.
“So that’s one area where I think there’s something unexpected, and it has stayed,” Szewczyk said. “But they’ve given a little more clarity on what needs to be done to accomplish it.”
—Julia Cardi