Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
In October 2019, the California Department of Justice (DOJ) published its first draft of regulations under the CCPA. These regulations attracted 1,700 pages of comments, including a submission from me. Earlier this month, the DOJ published proposed revisions to those regulations. I’ll call the October draft the “regulations” and the February changes the “revisions.”
At minimum, the DOJ had to update the proposed regulations to fill in one conspicuous blank, the button design for opting out of data sales (more about the button below). However, the revisions also apparently respond, at least partially, to the 1,700 pages of comments to the regulations’ first draft.
For the most part, the revisions’ changes to the regulations are good. They smooth out some of the roughest edges. That’s not to say that the regulations or the revisions are “good” overall. No amount of regulatory intervention can fix the CCPA’s multitudinous structural flaws. The CCPA is, and always will be, a dumpster fire. Worse, the DOJ is still sticking to its guns on several misguided points. Finally, the sheer number of words (between the CCPA text and the regulations) is staggering. Just reading the two documents takes hours of an expert’s time.
Before getting to the revisions’ substance, let’s talk about the crazy process. The CCPA became law 2 months ago; and the DOJ can bring its first enforcement actions starting in 4 months. Yet, the law that businesses are supposed to be complying with remains a whirlwind of chaos. The revisions did not make just minor tweaks to the proposed regulations. There are literally hundreds of substantive changes proposed in the revisions; and several have substantial financial consequences.
As just one example, the regulations initially proposed mandatory transparency reports for businesses that collect personal information from 4M+ Californians. The revisions would increase that requirement’s threshold to businesses collecting PI from 10M+ Californians. This is a positive development (though even better would be to scratch the requirement entirely), but the timing is painful. Given the substantial lead time required to build systems to handle the reporting, surely some businesses in the 4-10M consumer range had already started investing in compliance–investments that are now wasted. Other similarly impactful changes in the revisions include redefinitions of “personal information” and “household.” These definitions have pervasive impacts on every business’ compliance program.
I’m not complaining about these improvements. Better for the DOJ to get the policy as right as it can. Still, the whipsawing shows how the process is pernicious (in addition to the perniciousness of the substantive rules). Businesses are hustling to satisfy the DOJ, but the DOJ keeps moving the goalposts. At this point, the DOJ’s final regulations won’t be out until the July 1 enforcement deadline is imminent (in the best case), so the DOJ will give businesses essentially no time to comply with its final version of the regulations.
Due to the huge volume of changes in the revisions and the imminence of the DOJ’s enforcement, you’d think the DOJ would announce a grace period beyond July 1 to give businesses adequate time to comply with the final regulations. NOPE. We’re in the anomalous situation where the CCPA is already “law,” yet businesses still don’t know what the “law” is or how to make their compliance investments. THIS IS NOT HOW ANY LAW SHOULD WORK, especially not a law comprehensively regulating the world’s fifth largest economy (and beyond).
Possibly Good News
The revisions made too many changes to comprehensively enumerate them all. In this part, I’ll highlight some of the better changes I saw:
- The revisions strip out any references to “average consumer” and “typical consumer” from the regulations. Both of those terms implied legal standards out of sync with standard consumer protection law.
- The definition of “household” is tightened substantially. (The revisions in 999.318 are correspondingly improved). In the regulations, “household” was defined as people “occupying a single dwelling.” The revisions require 3 elements for people in a “household”: (1) same address, (2) share a common device or the same service, and (3) the business identifies them as sharing the same account or unique identifier. I believe this revised definition mostly fixes the huge privacy and security holes that the concept of “household” creates, by making the “household” a relevant definition only when the service can’t distinguish its constituent individuals.
- The definition of price discrimination (“price or service difference”) apparently narrows in important ways. (This is reinforced in the operative regulation, 999.307(a)(1)). The revisions clarify that price discrimination only occurs when it’s based on the “disclosure, deletion, or sale of personal information.” This is a logical change. The price discrimination restrictions are supposed to be triggered by consumers exercising their CCPA rights, but prior drafting could have been read much more expansively. By referencing disclosure, deletion or sale, the revisions now make it clearer that other types of price discrimination are outside the CCPA’s scope (as they should be). Unfortunately, Example 4 (999.336(d)) shows that things still aren’t crystal-clear. It says that if a consumer requests deletion of his or her email address and browsing history, a website must still show the consumer any discounts offered via pop-up windows because the email address isn’t necessary for the pop-up…but wouldn’t the deleted browsing history affect the tenability of the pop-up ads???
- The revisions try to exclude IP addresses from the definition of “personal information” when IP addresses stand alone. This is a good move, but the drafting undercuts the benefit by still treating IP addresses as PI if the business could “reasonably link the IP address to any particular consumer or household.” Because this linkage “could” be possible in many circumstances, even if the business has no plans to do so, the revisions don’t quite get where they tried to go.
- Online-only businesses can accept consumer requests via email, though this doesn’t clarify whether emailed requests can be treated as inherently verified. The revisions also remove a mandatory two-step confirmation requirement for deletion requests (it remains optional).
- The revisions remove an obligation of businesses not to disclose PI (in response to a consumer request) that would create a “substantial, articulable, and unreasonable” security risk. I think this removal is the right call because it put businesses in potential no-win situations where they are legally obligated to disclose but simultaneously at legal risk for disclosures that the DOJ considered a security risk.
- Businesses aren’t required to search for (in response to consumer requests) PI that is not in a searchable/readily accessible format, is maintained solely for legal/compliance purposes, is not sold or commercially used, and is described to consumers as a category that is not disclosed. However, I wonder if this exception is too narrow and conditional.
- The revisions walk back a terrible idea in the regulations to treat an inadequately verified deletion request as an opt-out request. Now, the business must ask the consumer if he/she wants to opt-out.
- The revisions clean up when businesses must apply deletion requests to archival data. Now, it says that the requests must be applied when the data is made active again or is being sold, disclosed, or used for a commercial purpose. This is largely what I suggested to the DOJ in my October comments.
- The revisions deleted an obligation to tell consumers how their data was deleted. Businesses also can retain deletion requests so they can be tracked, even though the requests contain PI.
- The regulations’ specified methods for computing the value of discriminatory pricing are now illustrative, not mandatory.
Probably Not Good News
Most of the revisions’ changes are positive, but there was still some not-so-good news:
- The revisions provide a safe harbor for web accessibility by incorporating the Web Content Accessibility Guidelines v2.1. However, the CCPA accessibility requirement applies irrespective of the ADA, and the ADA doesn’t clearly apply to all pure websites with no offline storefronts. Thus, the CCPA regulations will be a major move towards getting the California Internet (and thus all of the Internet) to embrace WCAG. While increased web accessibility is good news, this is yet another potentially substantial CCPA compliance expense. Online-only businesses might cut a corner by making only CCPA-related pages WCAG-compliant.
- The proposed opt-out button: At least three problems with this design: (1) the mixed metaphor (dot to enable and X to cancel) makes it unclear to consumers if they need to take any action; (2) the red color signals a warning to stay away; and (3) clicking on the button doesn’t actually take any action–it just links to a page with more information, and consumers might not realize that they must take more steps to complete an opt-out.
- The revisions refined the idea that browser software or plug-ins can automatically communicate opt-outs (rather than consumers having to manually select it per website), but the revisions don’t go nearly far enough. They still put the burden on businesses–including businesses that really don’t know much about the Internet–to figure out which browsers or plug-ins are sending the appropriate signal and to immediately honor those signals. I believe the DOJ should defer this issue altogether for now. If the DOJ wants to go this direction now, the DOJ should certify compliant software versions and provide a phase-in period.
- The DOJ retained the mandatory transparency reports, but it bumped up the threshold for compliance from 4M consumers to 10M consumers. That narrows the requirement substantially to only a small number of companies. Nevertheless, the DOJ hasn’t done a proper cost-benefit justification for the requirement, even as restricted.
My Comments to the Revisions
I again submitted comments to the DOJ. Read the PDF.
Prior CCPA Posts
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)