On February 7, 2020, the California Attorney General’s office published its long-awaited revised proposed regulations implementing the California Consumer Privacy Act (available here). Here are 10 takeaways for businesses:
1. Guidance regarding “personal information.” The regulations clarify that whether information is “personal information” depends on whether the business maintains information in a manner that identifies, relates to, describes or could reasonably be linked with a particular consumer or household. For instance, if a business collects IP addresses of visitors to its website but does not link the IP address with any particular consumer or household, then the IP address would not be “personal information.”
3. Opt Out Button. The regulations now recognize a uniform “opt out” logo for use as the “Do Not Sell My Personal Information” link. The logo is a red button or toggle switch that looks like this:
The button must link to a webpage or online location containing a description of the consumer’s right to opt out and an explanation of how to exercise those rights.
4. Confirmation of Receipt. Businesses must confirm receipt of a request to know or delete within 10 business days. The confirmation may be given in the same manner in which the request was made (e.g., phoned-in requests may be confirmed on the phone).
5. Responses to Requests to Know and Delete. Substantive responses to requests to know and delete must be made within 45 calendar days.
7. Greater Service Provider Rights. Service providers are now permitted to use and retain data for additional purposes including (a) retaining another service provider, (b) for internal uses, (c) to detect data security incidents or protect against fraudulent or illegal activity, or (d) for the purposes enumerated in Civ. Code §1798.145(a)(1)-(a)(4).
8. Diminished Search Obligations In Certain Circumstances. In responding to a request to know, businesses are not required to search for personal information if all of these conditions are met: (a) the business does not maintain the personal information in a searchable or reasonably accessible format; (b) the business maintains the personal information solely for legal or compliance purposes; (c) the business does not sell the personal information and does not use it for any commercial purpose; and (d) the business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.
9. Obligations Regarding Data Stored in Archives and Back Ups. If businesses store personal information on archived or back up systems, they may delay compliance with a request to delete, with respect to the data stored in archives or back ups, until the archived or back up system relating to that data is restored to an active system or is next accessed or used for a sale, disclosure or commercial purpose.
10. Responding to Requests to Delete. Businesses no longer have to inform consumers how they deleted information.
The modified regulations are subject to an additional 15-day comment period which will close on February 24, 2020.
– Keesal, Young & Logan Privacy and Data Security Group
This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.