
On Feb. 7, California Attorney General Xavier Becerra released modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). On Monday, February 10, 2020, the Attorney General released updated modifications ("Proposed Modifications"), noting that one revision had been inadvertently omitted from the version released on February 7.

While still in draft form, the proposed modifications represent an improvement over the initial draft released in late 2019, but they still leave many questions unanswered. If the proposed modifications are adopted as-is, many organizations that were hoping to rely on the regulations for clarity will need to find an alternative path to operationalize the CCPA's more puzzling issues. Becerra expects to issue the final regulations in spring 2020.


Two Steps Forward

The proposed modifications alleviate some of the concerns raised by the statute and the initial draft of the regulations:

  • Whether Data Qualifies as "Personal Information" Depends on How it is Maintained. The proposed modifications clarify that whether information is "personal information" (PI) depends on how the business maintains the information. Specifically, if information is maintained in a manner that identifies, relates to, describes, or is reasonably capable of being associated with or could be reasonably linked, directly or indirectly, with a particular consumer or household, then the information may qualify as PI. As an example, the proposed modifications provide that, "if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be 'personal information.'"

The likely effect of this language is twofold. First, although there will be questions of how the term "indirectly" will be applied in this context, it appears that an IP address alone, without additional identifying information, may no longer be viewed as "personal information." Although this appears to conflict with the FTC's position that data is "personally identifiable" when it can be reasonably linked to a particular person, computer, or device, it is generally in line with the European Union's view on IP addresses and signifies an appreciation for and understanding of how the technology works.

Second, applying the principle above to other datasets may curtail the number of businesses that meet the threshold of receiving the personal information of 50,000 or more consumers. For example, a business that collects only address information for marketing purposes should assess how the CCPA applies to its business. While an address, alone, may be capable of being linked to a particular consumer or household, the question appears to be whether the business maintains the data in a manner that would allow for such a link. Indeed, the CCPA does not require businesses to "link information that is not maintained in a manner that would be considered personal information."

  • Less Detailed Privacy Notice Requirements. The proposed modifications minimize the detail businesses need to include in their consumer-facing privacy notices. For example, as originally drafted, section 999.308(b)(1)(d) required businesses to provide certain information "for each category of personal information collected," including the sources and the business or commercial purpose(s) for which the information was collected. The proposed modifications provide that businesses can instead disclose: the categories of information collected and the categories of third parties to whom the information was disclosed or sold, as applicable.

For organizations that drafted their disclosures based on the initial draft of the regulations, it may be worth reviewing whether updates should be made. Indeed, including the level of detail required by the initial draft regulations may now expose the organization to unnecessary liability.

  • Eliminated the Notice at Collection Requirements for Data Brokers. The proposed modifications significantly reduce the obligations imposed on businesses that sell consumers' personal information but do not collect such information directly from consumers (essentially data broker[s], as defined by Cal. Civ. Code Section 1798.99.80(d)). The initial version of the draft regulations required that, prior to selling consumers' personal information, these entities must contact the consumer or the source of the information to ensure that the required notices have been provided. The proposed modifications instead provide that if the entity registers with the attorney general as a data broker and includes in its registration submission a link to its privacy policy and instructions on how a consumer can opt out, the entity is not required to provide a notice at collection.
  • Denied Requests to Delete Do Not Become Valid Requests to Opt Out. The initial draft regulations provided that if a business denies a Request to Delete because it could not verify the identity of the requestor, it must treat the request as a valid request to opt out. The proposed modifications delete this requirement and instead provide that in responding to a consumer's request to delete whose identity could not be verified, the business will ask the consumer if they would like to opt out of the sale of their personal information and include a link to the notice of right to opt out, as applicable. From a practical perspective, this will likely enable businesses to create a standardized response for requests to delete where the identity of the requestor could not be verified.
  • Not So Fast, Authorized Agents. The proposed modifications make a few noteworthy modifications to requirements relating to authorized agents. First, authorized agents must be registered with the California Secretary of State. Second, consumers must provide authorized agents signed written authorization to act on their behalf. An authorization form will be deemed signed if it is physically signed or provided electronically in accordance with the Uniform Electronic Transactions Act; however, businesses are prohibited from requiring consumers to pay a fee for verification (e.g., a business may not require a consumer to provide a notarized affidavit unless the business compensates the consumer for the cost of notarizations). Lastly, even if the consumer provides the authorized agent written and signed permission, the business may, nonetheless, directly confirm with the consumer that it provided the authorized agent permission to submit the request.

This added language will most likely benefit larger organizations that become targets for "privacy businesses" seeking to submit CCPA requests on behalf of consumers in bulk. With the newly added language, businesses could confirm directly with consumers whether the agent has been authorized to act on their behalf and also clarify the scope of the authorization.

  • Expanded Use of Personal Information by Service Providers. The proposed modifications expand how service providers can use personal information they process on behalf of businesses. Specifically, the proposed modifications provide that a service provider may use personal information for, among other things: (i) internal use to build or improve the quality of its services, provided that such use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source; and (ii) any other CCPA exceptions listed in Cal. Civ. Code Section 1798.145 (a)(1) through (a)(4).

Notably, the proposed modifications specifically exclude the exception listed in Section 1798.145(a)(5), which provides that the CCPA does not restrict a business's ability to use consumer information that is deidentified or in aggregate form. Given that this type of data is not "personal information" in the first place, whether this omission has any actual effect is questionable.


One Step Back

While the proposed modifications will help businesses operationalize the CCPA in some respects, a few notable issues remain:

  • Vendors to Nonregulated Businesses May Be CCPA Service Providers. The proposed modifications state that a business that provides services to a nonregulated entity, and that would otherwise meet the requirements and obligations of a service provider, shall be deemed a CCPA service provider. This clarified language raises two issues. First, should entities acting as vendors for nonregulated businesses update their contracts to include the language required by the CCPA for service providers? Second, could the failure to update such contracts result in the vendor being viewed as a "business" in connection with the data it processes on behalf of the nonregulated business? While this language closely tracks the language included in the initial draft of the regulations, these issues are starting to become more prevalent.
  • No Clarification on Definition of "Sale." Notably absent from the proposed modifications is any clarity on what qualifies as a "sale" of personal information. Without further guidance, we will likely continue to see significant variances in organizations' compliance efforts given that what constitutes the sale of personal information remains subject to each organization's interpretation and risk-tolerance level.
  • Notice at Collection Express Consent Requirements Still Intact. The proposed modifications continue to track the language included in the initial draft regulations, which provided that a business cannot use a consumer's personal information for any purpose other than those disclosed in the notice at collection (referring to Section 1798.100(b)). If the business intends to use a consumer's personal information for a purpose that was not previously disclosed, the initial draft regulations required the business to "directly notify the consumer of [the] new use and obtain explicit consent from the consumer to use it for [the] new purpose."

While the proposed modifications make modest changes to this section, the express consent requirement remains intact. Practically, this requirement will continue to incentivize businesses to adopt broad notices that list all possible uses of personal information, regardless of whether such use is ever put into practice.

It is also likely that these broad notices will follow a common form to avoid competitive pressure and risk caused by more customized, practical notices, including avoiding the need to obtain "explicit consent" from consumers in the future.

  • Affirmative Authorization to Sell Consumers' Personal Information. The proposed modifications clarify that a business cannot sell the personal information it collected during the time the business did not have a notice of right to opt out posted, unless it obtains the affirmative authorization of the consumer. In other words, if a business claims to not sell personal information, it cannot later sell the personal information previously collected without obtaining consumers' "affirmative authorization." Affirmative authorization is currently defined by the proposed regulations to include a two-step process whereby the consumer shall first, clearly request to opt in and then second, separately confirm their choice to opt in.

Given this requirement, businesses will need to consider whether and how taking the position that they do not sell personal information may curtail future activities. As noted above in connection with the notice at collection express consent requirements, this obligation may simply incentivize companies to disclose that they do sell personal information, regardless of whether such sales actually occur. It is also worth noting that, rather than complying with this process, it may simply be easier for businesses to delete personal information previously collected and recollect such information once the notice of right to opt out is posted.

  • New Carve Out for Requests to Know. The proposed modifications provide that, in responding to a request to know, a business is not required to search for personal information if the following conditions are met: the data is not in a searchable or reasonably accessible format; the information is maintained solely for legal or compliance purposes; the information is not being sold or used for any commercial purposes; and the business describes (likely in its response back to the consumer) the categories of records that may contain personal information it did not search because it meets the foregoing conditions.

While the language appears to create a new carve out for information previously subject to a disclosure request, it is unclear what types of data fall within its scope. Indeed, the exception only applies if all of the conditions are met, which likely will result in the carve out providing minimal advantages for businesses, if any.

  • Guidance on Placing the Notice at Collection. The CCPA requires businesses to provide, at or before the point of collection, a notice informing consumers of the personal information to be collected and the purposes for which it will be used. The proposed modifications provide that consumers should "encounter" the notice at or before the point of collection and offer, as an example, that for businesses collecting personal information online, the notice may be posted through a conspicuous link to the notice on the introductory page of the business's website and on all webpages where personal information is collected.

From a practical perspective, businesses should review their placement of the notice at collection through the lens of consumers. For example, will a consumer "encounter" a notice at collection that is placed in the footer of a website? Additionally, while not necessarily unique to the proposed modifications, businesses should consider what this means for personal information passively collected (e.g., through cookies and other similar technologies). Does a notice have to be provided on each webpage where cookies may be collecting PI or can businesses continue to rely on the use of cookie banners following the industry standard approach? Businesses will need to think through these issues carefully.

The Attorney General's Office is accepting written comments to the proposed modifications until Feb. 25. Although enforcement is scheduled to begin July 1, 2020, the ad-tech industry is pushing Becerra to further "delay enforcement of the CCPA until at least six months from the date of finalization of the rules implementing the law, in order to provide businesses a sufficient time period to implement the new regulations before being subject to enforcement." Whether the attorney general is considering this request remains unclear. Absent further direction from the attorney general's office, businesses should expect enforcement to begin in July.

Wynter L. Deagle is a partner in the San Diego office of Troutman Sanders. A member of the International Association of Privacy Professionals, Deagle counsels clients in proactively assessing and managing risks associated with their privacy, data security, and information management practices.

Ronald I. Raether, a partner in the Orange County office, leads the cybersecurity, information governance and privacy practice group at the firm, and is a partner in the firm's consumer financial services group. He has assisted companies in navigating federal and state privacy laws for over 20 years.

Anne-Marie Dao is an associate in the firm's San Diego office. She represents clients in a wide variety of intellectual property, complex commercial, real estate, class action and privacy matters.

Sadia Mirza is an associate in the firm's cybersecurity, information governance and privacy practice group. She has experience in cyber law and privacy matters, having handled a number of data breaches and investigations in a variety of industries, including health care, financial services, retail and professional services.