In February 2020, the California Attorney General (AG) proposed adjustments to the California Consumer Protection Act (CCPA; cf. the AG's overview page on the CCPA), with the aim of clarifying certain points of the CCPA (although this is only partially successful).
The proposed changes mainly concern the following points, which are also interesting because they relate to practical difficulties that also arise under the GDPR (and the e‑DSG):
- The definition of “personal information” (PI): Data is PI only if the entity in question processes the data in a manner that identifies or can identify a specific consumer or household. IP addresses may therefore not constitute PI (“For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information’”).
- A privacy policy must be provided at the point where PI is collected, e.g. on websites, on download pages for mobile apps (and in the app itself, e.g. in the settings) and on printed forms. For offline collection, reference can also be made to a website. If PI is collected via a mobile device for unexpected purposes, a “just-in-time” notice is required with a description of the categories of PI collected and a link to a full privacy statement.
- Renewed consent for processing for other purposes is not required if the new purposes are not “materially different” from the original purposes.
- Companies do not need to specify the processing purposes separately for each category of PI (this was different in the first proposed version of the changes).
- Companies must confirm receipt of information and cancellation requests within 10 business days. The deadline for the response, however, remains 45 calendar days.
- It is no longer necessary to provide a web form. For companies that operate exclusively through a website, providing an email address for inquiries is sufficient. All other companies must provide at least two methods for requests, including a toll-free number. For cancellation requests, it remains the case that all companies must provide two methods.
- In the case of requests for information, companies do not have to search for PI under the following conditions: 1) the PI is not retained in a searchable or accessible format; 2) the PI is retained solely for legal or compliance purposes; 3) the company does not sell the PI or use it for commercial purposes; and 4) the categories of records that might contain PI are identified.
- Service providers may use PI for their own internal purposes (e.g., product development and maintenance, security purposes, or the defense or enforcement of legal claims), provided that the PI is not used for profiling or for cleansing or supplementing PI with data from other sources.