The California Consumer Privacy Act (CCPA) took effect last January giving Californian consumers increased visibility into and control over the use of their personal information by companies. As we mentioned in our previous article, this piece of legislation creates new rights enforceable by consumers and higher transparency requirements for companies having any or all of their commercial activities in the State of California.

As required by the CCPA (§1798.185), the General Attorney Xavier Becerra initiated a legislative process last October to issue Regulations meant to further detail the practical implementation of the CCPA.

According to the Initial Statement of Reasons published last October, these Regulations aim to “operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law”. The Regulations should enter into force by July 1st, 2020 and, until that date, Attorney General’s power to enforce the CCPA is delayed.

US administrative rulemaking process under the spotlights

The CCPA is set to reshape the privacy legal landscape for businesses in California, triggering a lot of attention to the design of these Regulations.

Despite the compelling comparison of the CCPA legislation with the European GDPR, the complexity of the two-step rulemaking process (Statute and Regulations) and the open, documented and time constrained public consultations could both explain the divergences and bifurcations from the European regime the CCPA enacted. The CCPA rulemaking process is also to be contextualised in US federal architecture: being the first State’s instrument regulating the matter so extensively, it concentrates high stakes and may be used as a precedent.

Regulations are the equivalent of French “décrets d’application”, both instruments falling under the authority of executive powers. The noticeable cultural and legal difference lies in the competence of the General Attorney instead of a government, confining the rulemaking process within judicial institutions.

The rulemaking process also deserves some attention to understand the way a legal dialogue was established to implement the CCPA.

The Attorney General initiated this rulemaking process to comply with the mandate given to him by the CCPA. The preliminary rulemaking activities involved seven public forums around the State of California and the processing of over 300 written comments. This first step culminated in the disclosure by the Attorney General’s Office, on October 11th, 2019, of a text bundle comprising:

The Notice of Proposed Rulemaking Action detailed the modalities under which the public can make comments for the 45 Day Comment Period, which ended on December 6th, 2019. It anticipated four public hearings from December 2nd to December 5th, 2019 and specified that written comments relevant to the proposed regulatory action are open to “any interested party, or their duly authorised representative”. The transcripts and audio of the written comments and public hearings are available on the website of the Attorney General’s Office.

On February 10th, 2020, the Attorney General released a second text bundle with a revised version of the Regulations, open to public comments until February 25th, 2020. The following documents were made public:

More information about US Administrative rulemaking process can be found on the Office of Administrative Law’s website.

The definition and interpretation of personal information clarified

The CCPA enacted a notably broad definition of “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (CCPA, § 1798.140 (o)). Examples of personal information are provided by the law and include, inter alia:

  • Identifiers such as name, alias, addresses, personal or online identifiers, official documents numbers, etc,
  • Commercial information, including records of personal property products and purchasing or consuming histories or tendencies,
  • Biometric information,
  • Internet or other electronic network activity information, such as browsing or search history, consumer’s interaction with websites, applications, advertisements,
  • Geo-localisation,
  • Audio, visual, thermal, olfactory or similar information,
  • Professional information,
  • Education information,
  • Inferences drawn from any aforementioned information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities and aptitudes.

The most important contribution of the Regulations is to offer some guidance regarding the interpretation and the limits of “personal information” (Regulations, §999.302(a)). The Regulations highlight that this legal qualification should depend on “whether the business maintains information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.

The Regulations explicitly mention that IP addresses collection, central for businesses offering services based on statistical and analytical information about websites’ uses, do not constitute personal information if they are not tied to and cannot be reasonably linked to any identifiable consumer or household.

This clarification is central insofar as the interpretation of “personal information” directly impacts the scope of the entire Statute. Opening the possibility to use “deidentified” information has been criticised as weakening the significance of the CCPA and setting out a weak precedent, susceptible to influence other States which are currently debating similar statutes.

A pragmatic approach to compliance issues

These Regulations clarify numerous compliance issues raised by the CCPA, among which:

  • CCPA’s definitions and interpretation (Art. 1)
  • Notices to consumers (Art. 2)
    • Notice at collection of personal information
    • Notice of the right to opt-out of sale of personal information
    • Notice of financial incentive
    • Privacy Policy
  • Business practices for handling consumer requests (Art. 3)
    • Implementation of the rights to know and to delete: Methods for submitting requests and responding to them; special rules regarding household information requests
    • Implementation of the right to opt-out of the sale of personal information: Requests to opt-out and requests to opt-in after opting out
    • Methods for record keeping and its disclosure
    • Special rules applicable to service providers
  • Verification of requests (Art. 4)
  • Special rules regarding minors (Art. 5)
    • Minors under 13
    • Minors between 13 to 16
  • Non-discrimination (Art. 6)
    • Discriminatory practices
    • Calculating the value of consumer data

Mathias Avocats remains at your disposal for any further questions and will keep you informed of the developments of compliance issues under the CCPA.