On February 7, the Office of the Attorney General of California issued a second draft of its California Consumer Privacy Act regulations, quickly fixed an omission from that draft Feb. 10, and set a Feb. 25 deadline for written comments. While “Version 2.0” of the regulations scales back several of the ways the first version exceeded the plain language of the statute, it keeps the do-not-sell signal requirement and adds proposed restrictions on service provider handling of personal information.
Definitions. Notable clarifications include: (1) tightening the definition of “household” data as people who not only live at the same address, but also share a common device or service from the business, and are identified as sharing the same account or unique identifier; (2) adding examples of “categories of [data] sources” and “categories of third parties” that must be disclosed to consumers and specifying these “must be described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity” (§ 999.301(d), (e)); and (3) specifying that whether information is “personal information” depends upon how the information is maintained, so that if an IP address cannot reasonably be linked to a particular consumer or household, it is not personal information (§ 999.302).
Notice. The “at collection” notice requirements have expanded somewhat from “Version 1.0.” The regulation appears to require notices on “all webpages where personal information is collected,” as well as both on a mobile app download page “and within the app,” such as through the app’s download page or settings menu. Oral notice would be permissible when information is collected in person or over the phone (§ 999.305(a)(3)(d)). Also, a just-in-time notice requirement for mobile device personal information collection “that the consumer would not reasonably expect” has been added.
Accessibility standards. Version 2.0 clarifies that, for notices provided online, businesses “shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium,” which Version 2.0 incorporates by reference.
Do Not Sell Notice (§ 999.306). The proposed regulations require opt-in consent, instead of a total ban, for sale of personal information collected when a “do not sell” notice is not posted. Also, Version 2.0 sets out an optional “do not sell” icon but requires the posting of a “do not sell” link regardless of whether the icon is posted.