Planned changes to the CCPA

In February 2020, the California Attorney General (AG) proposed adjustments to the California Consumer Protection Act (CCPA; cf. the AG's overview page on the CCPA), with the aim of clarifying certain points of the CCPA (although this is only partially successful).

The proposed changes mainly concern the following points, which are also interesting because they relate to practical difficulties that also arise under the GDPR (and the e-DSG):

  • The definition of “personal information” (PI): Data is PI only if the entity in question processes the data in a manner that identifies or can identify a specific consumer or household. IP addresses may therefore not constitute PI (“For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information’”).
  • A privacy policy must be provided at the point of collection, wherever PI is collected, e.g. on websites, download pages for mobile apps (and in the app, e.g. in the settings) and printed forms. For offline collection, reference can also be made to a website. If PI is collected via a mobile device for unexpected purposes, a “just-in-time” notice is required with a description of the categories of PI collected and a link to a full privacy statement.
  • Renewed consent for processing for other purposes is not required if the new purposes are not “materially different” from the original purposes.
  • Companies need not specify the processing purposes separately for each category of PI (this was different in the first proposed version of the changes).
  • Companies must confirm receipt of information and deletion requests within 10 business days. But the deadline for response remains 45 calendar days.
  • It is no longer necessary to provide a web form. For companies that operate exclusively through a website, providing an email address for inquiries is sufficient. All other companies must provide at least two methods for requests, including a toll-free number. For deletion requests, it remains the case that all companies must provide two methods.
  • In the case of requests for information, companies need not search for PI under the following conditions: 1) the PI is not retained in a searchable or accessible format; 2) the PI is retained solely for legal or compliance purposes; 3) the company does not sell the PI or use it for commercial purposes; and 4) the categories of records that might contain PI are identified.
  • Service providers may use PI for their own internal purposes (e.g., product development and maintenance, for security purposes, or defense or enforcement of legal claims), provided that the PI is not used for profiling or for cleansing or supplementing PI with data from other sources.
