The comment period on the initial regulations proposed under the California Consumer Privacy Act (CCPA) closed Dec. 6, 2019. With remarkable speed, the state has proposed amended regulations based on the comments received, with a further comment deadline of 5:00 p.m. on Feb. 25, 2020. The notice of procedures may be seen here.
A redline version of proposed changes appears here. The full text of the amended regulations runs 29 pages.
I filed a comment on the proposed regulations, seeking clarification of the reach of the regulations to out-of-state firms: The regulations are clear that the intent is to also bind non-California businesses that acquire personal information about California residents: "... out-of-state competitors would also be subject to the CCPA and the regulations for their California customers." [Notice of Proposed Rulemaking Action at 13]
This raises the important question of how much business must be done with "California customers" to bring the regulations to bear on non-resident businesses.
I argued that the state was legally bound to treat out-of-state businesses at least equally with in-state businesses and, therefore, that the same three thresholds for enforcement of the statute should apply to out-of-state businesses that sell to California residents, and that the thresholds ($25 million in revenue, for example) should be construed to refer to business with California residents and not business done elsewhere.
It appears that the final regulations do not address that comment one way or the other. Nevertheless, I believe it is correct.
Beyond that, most of the proposed changes are technical and do not appear to affect the travel retail industry very differently than the rules as originally proposed. One potential exception is that there are numerous changes to the details governing treatment of data obtained about minors. That said, every business that is subject to the CCPA should carefully review the rules to be sure it is complying.
Among the notable major changes in the regulations, the state has expanded the concept of “personal information” even further than the original proposal. Under § 999.302. Guidance Regarding the Interpretation of CCPA Definitions, the definition now:
“Depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’ For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
That is an exceptionally broad definition; in effect, “any information that might be connectable to a particular person or household” is likely “personal information” for purposes of the CCPA.
“§ 999.304. Overview of Required Notices
(b) A business that collects personal information from a consumer shall provide a notice at collection in accordance with the CCPA and these regulations, including section 999.305.
(c) A business that sells personal information shall provide a notice of right to opt-out in accordance with the CCPA and these regulations, including section 999.306.
(d) A business that offers a financial incentive or price or service difference shall provide a notice of financial incentive in accordance with the CCPA and these regulations, including section 999.307.”
Given the reported increases in the use of mobile devices to book travel, advisor companies that are large enough to fall under the CCPA should take note of this new requirement:
“When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application, which contains the information required by this subsection.”
One improvement in the regulations changes the use of a two-step online process for requests to delete personal information from mandatory to optional. As revised:
“A business may use a two-step process for online requests to delete where the consumer must first, clearly submit the request to delete and then second, separately confirm that they want their personal information deleted.” [§ 999.312]
Finally, there are changes to Article 6 of the regulations dealing with discrimination and the offering of financial incentives or price differences that are not “reasonably related to the value of the consumer’s data ….” Travel firms considering the offer of such incentives or price differences should pay particular attention to the complex language, and examples set forth, in Article 6 as amended.
As with all things legal, and particularly laws as complex as the CCPA, every firm subject to this statute should consult legal counsel for specific guidance and interpretation.