In the current environment, it is tempting to let data privacy issues take a back seat to more urgent issues of health and safety.  But businesses cannot afford to forget about data privacy compliance, especially in light of the upcoming July 1, 2020 enforcement date of the California Consumer Privacy Act (“CCPA”), which Attorney General Xavier Becerra has said will not be delayed due to COVID-19 issues.  Businesses must continue to consider and address privacy compliance issues now and over the next few critical months.

In this article, we discuss how the CCPA impacts franchisee-franchisor relationships, franchise obligations under the CCPA, and potential consequences of non-compliance.

CCPA Penalties: Good News, Bad News, And Brand Reputation

The good news for franchisees and franchisors (and all businesses) is that only the Attorney General may bring a lawsuit against a business for most CCPA violations.  The exception to this, of course, is that the CCPA provides a private right of action for consumers affected by a data breach.  However, for most CCPA violations, there is no private cause of action and a consumer cannot commence a lawsuit against your company.

The bad news is that even under Attorney General actions, penalties of non-compliance with CCPA are steep.  Intentional violations carry a $7500 price tag per violation and unintentional violations are subject to penalties of $2500 per violation. And those violations are calculated on a per consumer basis.  When considered in perspective that California’s population exceeds 39 million, even unintentional violations can quickly add up to hundreds of millions of dollars in penalties. Both franchisees and franchisors (under the theory of vicarious liability) may be directly liable for these penalties.

In addition to monetary penalties, as more Americans become cognizant of and value their privacy, any lack of transparency or privacy violations can lead to bad PR, tarnishing the brand image and goodwill associated with the brand.  The franchise system depends on a strong brand. Once the brand reputation takes a hit, it is hard to overcome the negative connotations without spending significant resources. Both the franchisor, who has developed the strength of the brand, and the franchisee who is operating under the name of the brand, have much to lose as customers will not distinguish between franchisor-franchisees when punishing a brand.

Thus, the cost-benefit analysis weighs in favor of taking the CCPA seriously and evaluating if compliance is required at the franchisor and franchisee level.

Evaluating Whether CCPA Compliance is Required

Many franchisees and franchisors may not think they are subject to the CCPA.  Franchisors that have no presence and do no direct business in California may believe that they are exempt from complying with the CCPA.  Alternatively, franchisees may believe that their franchisor’s compliance with privacy obligations is sufficient to render them compliant.  While this may seem to make sense where personal information is generally collected through a corporate website or point of sale system operated by the franchisor, the information is processed by the franchisor and generally used by the franchisor, franchisees are not automatically absolved of having to comply with the CCPA by virtue of their franchise relationships.  In fact, some franchisors in their privacy policies explicitly disclaim any liability arising from their franchisee’s collection and use of personal information.

In sum, both franchisors and franchisees must independently evaluate their collection and use of personal information, their corporate relationships, and branding to analyze CCPA compliance.

A franchisor or franchisee must independently comply with the CCPA if they are either: 1) a business as defined in the CCPA or 2) an “entity that controls or is controlled by a business” and “shares common branding with the business.”

Are You A Business?

A “business” under the CCPA is defined as any legal entity, operated for profit, that (1) collects the personal information of consumers and determines the purposes and means of processing the consumer information, (2) does business in CA, and (3) meets any of the following thresholds: a) has annual gross revenues exceeding twenty-five million ($25,000,000); b) buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or c) derives 50% or more of its annual revenues from selling consumers’ information.

If a franchisor or franchisee meets any of the above thresholds on its own, it is a business under the CCPA and must independently comply with the statute.  In such a circumstance where a franchisee independently meets these requirements, it is not sufficient that a franchisor provides a privacy policy or certain privacy notices; the franchisee is required to maintain their own privacy policies and notices and comply with other CCPA requirements.

Do You Satisfy the Business Branding and Control Test?

If a franchisor/franchisee does not independently meet the definition of a business, the inquiry then shifts to whether it is an “entity that controls or is controlled by a business” and “shares common branding with the business.”  To make this determination, a franchisee should consider: 1) the franchisor’s status as a business, 2) the franchisor’s control over the franchisee, and 3) shared common branding.  Similarly, a franchisor should consider: 1) its franchisees’ status as a business, 2) its control over its franchisees, and 3) shared common branding with its franchisees.

1. Franchisor/Franchisee Status As A “Business”

Unless your franchise is part of an extremely limited business model, most franchisors will likely meet the twenty-five million revenue threshold and satisfy the above definition of a “business” under CCPA if they are doing any business in California and collecting any personal information of consumers. If the franchisor is a business, the franchisee should next inquire regarding the remaining two factors of control and branding for a franchisee.

While many franchisors who are not directly subject to the CCPA may not need to worry about their franchisees hitting the $25 million revenue trigger for CCPA compliance, it is possible that franchisees may, through website visits or other means, collect information from over 50,000 California consumers, households, or devices per year. If a franchisee is a “business” under the CCPA due to its collection of information in this regard, the franchisor must then look to control and branding to determine its own potential compliance obligations.

2. Control

“Control” or “controlled” under the CCPA means, “ownership of, the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of directors, or individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.”

Certain aspects of the definition of “control” are relatively clear to evaluate.  For example, ownership is apparent based on whether a franchisor jointly owns a franchise with a franchisee. Similarly, whether or not the franchisor has the power to vote can be determined from corporate legal documents.

There is more uncertainty regarding the phrase “the power to exercise a controlling influence over the management.”  As written i.e. – the power to exercise – could mean that a franchisor does not have to actually exercise any controlling influence over management, it must only be vested with the power to exercise such influence. There is much ambiguity as to what “controlling influence over the management” means.

Generally, franchisors exert considerable control over their franchisees. For example, standard franchise agreements include provisions defining the franchisee’s sale territory and location, services offered by the franchisee, required training for franchisee employees, strict quality control requirements over the products and services offered by the franchisee, design and décor, and limitations on use of franchisor branding and intellectual property.  Franchise agreements often include non-compete clauses restricting the franchisee from competing with the franchisor’s business.  Therefore, one can argue that a franchisor has broad control over the management of a franchise and CCPA compliance is warranted by any franchisee under the control of a franchisor that is a business.  The practical consequences of such an interpretation of “control” is that any franchise, regardless of its location and size, if collecting California consumer data, is required to comply with the CCPA.  So a hotel-franchisee of an international hotel chain in New York City, NY must comply with the CCPA regardless of the number of Californians visiting the franchisee hotel.

On the other hand, one can argue that the franchisor’s control is only exerted initially when the franchise is set up and wanes over time to quality control only.  The location, territory, products, and services offered are all one-time decisions.  The franchisee maintains control over day-to-day activities such as installing equipment, hiring and managing employees, determining wages, all of which the franchisor has no control over.  Thus, there is no ongoing “controlling influence” on the franchisee operations and no CCPA compliance is warranted.  The concern over this interpretation of “control” is that a franchisee may never have to comply with the CCPA.  This would render the language in the statute pertaining to entities that control or are controlled by a business and share common must comply with the CCPA superfluous. It would also contradict the general spirit of the CCPA that aims to provide transparency and clarity in the collection and use of personal information of California consumers.  For example consider a burger franchise in Roseville, CA that collects personal information of CA residents and shares it with the franchisor corporation.  The franchisor then uses this information to engage in targeted advertising, sells this information to third parties, and shares the data with its affiliates and partners, etc.  The CA consumer in Roseville had no notice or transparency when visiting the franchise about how his/her personal information would be used, sold, or shared by the franchisor. This is exactly the situation the CCPA seeks to remedy.

The CCPA is unchartered territory so ultimately what constitutes “control,” what actions can be categorized as “controlling influence,” and what is “management” are questions that will be resolved by forthcoming enforcement actions.  Each franchise circumstance is different and, for now, franchisors and franchisees should evaluate their data collection and use policies and assess “controlling influence” exerted by franchisors over franchisees while making a good faith determination of whether or not to comply with CCPA.

3. Common Branding

Common branding means a “shared name, servicemark, or trademark.”  The essence of a franchisor-franchisee relationship is to enable the franchisee to use the franchisor’s trademark, name, processes, and know-how.  The franchisee seeks to benefit from the franchisor’s brand recognition and reputation in the market. As a result, franchisees will almost always share the name and mark of the franchisor and satisfy the common branding requirement.

Because the CCPA applies to companies that control or are controlled by a business AND share common branding with a business if these two elements are met, and either the franchisor or the franchisee is deemed a “business,” both entities are likely subject to CCPA.

Conclusion

The decision of whether or not a given franchisor or franchisee must comply with CCPA and how it can achieve this goal should be evaluated on a case-by-case basis.  Depending on the situation, resourceful legal solutions may be successful in navigating CCPA compliances in light of the complexities of franchise relationships.  For example, in unique situations, it may be possible for a franchisee to enter into a “service provider” agreement with the franchisor thereby shifting the CCPA obligations on the franchisor. Alternatively, franchisors and franchisees may be able to change their corporate relationships, operations or management functions to avoid getting pulled into CCPA liability when they would not otherwise be covered by the CCPA.

If you are a franchisor, franchisee, parent, subsidiary or other business and are evaluating whether or not you should comply with CCPA or how to comply, contact Cybersecurity and Data Privacy attorney Scott Hall (shall@coblentzlaw.com) to determine further obligations. You can also review additional CCPA articles and resources in our CCPA Resource Center.

With the COVID-19 pandemic threatening people’s health and wreaking economic havoc in California and worldwide, parties to commercial contracts are asking whether force majeure and the closely related doctrines of commercial impracticability and frustration of purpose, can avoid or suspend their obligations in a contract.

As just one example, commercial and retail tenants have sought relief from their obligation to pay rent, given that many retail establishments like restaurants have been forced to close or have seen revenues plummet. Beyond leases, the COVID-19 crisis may affect performance of obligations under other commercial contracts (like loans or services or supply contracts), because cash flow and supply chains are disrupted, employees cannot come to a workplace, or government orders have required business closures.

Contracts Containing a Force Majeure Clause

As a first step, read through the contract and check whether it contains a force majeure clause. If it does, review its language closely. Force majeure generally requires two conditions to excuse performance: (a) the occurrence of unforeseen, extraordinary circumstances that create a risk that neither party has agreed to bear, and (b) the extraordinary circumstances were beyond the control of the party seeking to suspend or avoid performance. Contractual force majeure provisions typically list a series of events that the parties have agreed would excuse performance, including, as examples: a pandemic, epidemic, public health emergency, government action, or, more generally acts of God or events beyond the control of either party. In addition to listing particular triggering events, force majeure clauses typically state that performance is suspended for the duration of the event, and, in some cases, for a reasonable period beyond the event. Some force majeure provisions may require that the party invoking it provide notice to the other party, including advising of the expected duration that performance will be suspended.

Contracts Without Force Majeure Provisions

Even where a contract does not contain a force majeure provision, California law may excuse performance of a contract when extraordinary events not within the contemplation of the contracting parties, and beyond their control, make performance impossible or commercially impracticable. See, e.g., City of Vernon v. City of Los Angeles (1955) 45 Cal.2d 710. California Civil Code Section 1511 and the California Commercial Code Section 2615(a) reiterate these common law principles: The failure to perform or a delay in performance is excused when it is rendered impossible or impracticable by the occurrence or nonoccurrence of an event not within the contemplation of the parties and beyond their control, unless one of the parties explicitly agreed in the contract to assume the risk of such event.

Although force majeure and commercial impracticability are potentially viable defenses to performance of a contract, they are generally reserved for extraordinary situations. The current pandemic and government shelter-in-place measures may indeed be truly extraordinary, at least at the moment, for certain businesses and certain contracts entered into before the possibility of a COVID-19 event was reasonably anticipated. As time passes and the pandemic, government action, and government aid develop, however, the situation should change and become less exceptional.

Assuming that the current pandemic and government action would trigger a force majeure defense for contracts entered into, for example, before February 2020, the party seeking to avoid performance must still prove causation and is required to reasonably mitigate damages. Did the party invoking force majeure have other business problems before the pandemic that are causing or substantially contributing to the inability to perform? Has the party undertaken reasonable, diligent measures to mitigate the effect of the COVID-19 pandemic, such as redirecting its business efforts and minimizing costs? Moreover, why should the counter-party to the contract be forced to bear the risk of the pandemic?

The Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”) signed into law on March 27, 2020 and other state enactments that may follow should also offer some contracting parties with sufficient relief and mitigation such that continued, or renewed, performance with pre-existing contracts may be required. The CARES Act provides hundreds of billions of dollars of funding available for Small Business Association loans, which will provide “forgiveness” (no repayment required) for amounts the businesses spend on interest payments for mortgages, payroll, utilities, and rent for an eight-week period after a loan originates. Government aid may enable businesses to mitigate their damages sufficiently that continued performance with contracts is required.

The full text of the CARES Act is available here and a thorough summary of both business and employment benefits under the act can be found here.

Issues for Consideration

• Review the contract for a force majeure provision and the particular contract language. Where the contract contains a specific provision, its language and the manner in which it allocates risks between the parties should take precedence over California’s common law and statutory law.
• If you are seeking to suspend or avoid performance, give the other party written notice, regardless of whether the contract requires it. If you are the counter-party seeking to require performance and you receive notice, ask reasonable questions – why in particular does COVID-19 justify suspending performance for this business, for how long, and what accommodations in lieu of suspending performance altogether could you (or the other party) propose?
• The party attempting to suspend or avoid performance needs to seek to mitigate damages. Likewise, the party seeking to enforce the contract should be flexible, where possible, both as a good business practice to further the relationship and to show that you were flexible or even proposed mitigation measures. Ask what you can do to facilitate performance, such as agreeing to delay or defer a payment for a certain period of time, or, possibly to waive or diminish interest payments or a late fee for a particular period. If litigation later ensues, a party’s flexibility should help to show that the party seeking to avoid performance could have found a way to perform with reasonable proposed accommodations or mitigation measures.

Aggressive litigants may also seek to take tactical advantage of the COVID-19 pandemic to avoid contracts they do not like. If you are faced with a baseless or overreaching claim that the COVID-19 pandemic has made contractual performance impossible, you may need to push back forcefully. And before you seek to take tactical advantage of the pandemic, keep in mind that courts are unlikely to look with sympathy on parties who try to exploit a worldwide health and financial crisis. Force majeure provisions should only be invoked where appropriate.

Any decision about whether to invoke force majeure or how to respond to a counter-party’s invocation of it is fact-specific. We expect to provide future updates on issues in specific contexts. For example, how will lenders and debtors address loan defaults if the pandemic triggers a long-term recession? How will commercial and residential landlords deal with sky-rocketing numbers of tenants who may suddenly be unable to pay rent?

For further information on how the COVID-19 pandemic might impact your contracts and your business, contact Howard Slavitt at hslavitt@coblentzlaw.com.

On March 27, 2020, Congress approved and the President signed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act, H.R. 748). In addition to the Families First Coronavirus Response Act (FFCRA) upon which we previously reported on, the CARES Act provides for approximately $2 trillion in assistance to individuals and businesses, among other things. For individuals, relief set out in the bill includes direct payments of $1,200 to millions of Americans and strengthened unemployment benefits. For businesses, the bill allocates hundreds of billions of dollars in loans and grants for struggling businesses, particularly small businesses, and expands the availability of pre-existing loan programs to more businesses. The bill includes: Expanded Unemployment Compensation for Workers. The CARES Act sets out a multipronged approach to assist state-based unemployment programs. The CARES Act includes (i) a $600 supplement to state-paid unemployment compensation for those who already qualify, (ii) a pandemic unemployment assistance program which matches the normal state unemployment rate plus $600 for unemployed workers who would not normally be eligible, and (iii) an extension of unemployment compensation by 13 weeks beyond the states’ existing eligibility periods. The Act further provides federal funding to states to cover the cost of the first week of unemployment benefits if states elect to waive typical one-week waiting periods (which California has done). Pandemic Unemployment Assistance – Section 2102 Section 2102 creates the temporary Pandemic Unemployment Assistance program effective January 27, 2020, to remain in effect until December 31, 2020, which covers individuals who would not otherwise be eligible for unemployment insurance and benefits. Individuals covered by the CARES Act include the self-employed, independent contractors, gig workers, part-time employment seekers, those who lack sufficient work history, or those who have exhausted their unemployment benefits under existing schemes – provided they are able to self-certify that they are unemployed, partially unemployed, or unavailable due to the following reasons: They have been diagnosed with COVID-19 or are experiencing symptoms of COVID-19 that require a medical diagnosis. A member of their household has been diagnosed with COVID-19. They are providing care for a family member or member of their household who has been diagnosed with COVID-19. A member of their household for whom they have primary caregiving responsibility is unable to attend school or another facility that has been closed as a direct result of the COVID-19 public health emergency and because of this closure, they are unable to work. They are unable to work because of a quarantine imposed as a result of the COVID-19 public health emergency. They are unable to work because they have been advised to self-quarantine by a health care provider. They were scheduled to start a job but are unable to do so as a result of the COVID-19 public health emergency. They have become the breadwinner or major supporter for a household because the breadwinner in the household has died as a direct result of COVID-19. They quit their job as a direct result of COVID-19. Their place of employment is closed as a direct result of the COVID-19 public health emergency. (Note: individuals who are able to telework with pay or who have received paid sick leave or other paid leave benefits are ineligible to receive assistance under the Program.)Covered individuals may receive assistance under the Program for a maximum of 39 weeks, including any weeks for which the covered individual received regular unemployment benefits provided under Federal or State law. The amount of benefit provided to a covered individual under the Program is equal to the amount of unemployment benefit the covered individual would otherwise be entitled to under federal or state law plus an additional amount referred to as Federal Pandemic Unemployment Compensation in the amount of $600 per week. The Program removes any waiting periods established by state unemployment laws. Emergency Increase in Unemployment Compensation Benefits – Section 2104 Section 2104 provides for an additional $600 per week payment beyond what individuals receive under state unemployment laws, referred to as “Federal Pandemic Unemployment Compensation,” to recipients of unemployment insurance or Pandemic Unemployment Assistance for a period of up to four months. Pandemic Emergency Unemployment Compensation – Section 2107 Section 2107 provides an additional 13 weeks of unemployment compensation, through December 31, 2020, to all individuals who otherwise would be ineligible for such compensation because they have exhausted all rights to regular unemployment compensation under applicable state or federal law with respect to this benefit year, provided they (i) have no rights to regular unemployment compensation under any applicable state or federal law, (ii) are not receiving unemployment compensation under Canadian law, and (iii) are able, available and actively seeking work. The amount of unemployment compensation payable to an individual under this Section is equal to the amount of unemployment benefit the individual would otherwise be entitled to under applicable federal or state law plus the amount of Federal Pandemic Unemployment Compensation ($600). For a chart summarizing all employment benefits made available due to the pandemic under federal and California law, click HERE. Recovery Rebate for Individual Taxpayers. The CARES Act would provide a $1,200 refundable tax credit for individuals ($2,400 for joint taxpayers). Additionally, qualifying taxpayers with children will receive a flat $500 for each child. The rebate starts to phase out for single taxpayers earning $75,000 or more, for head of household taxpayers earning $112,500 or more, and joint taxpayers earning $150,000 or more. The phase out is calculated at 5% per dollar of qualified income, or $50 per $1,000 earned above the phase out threshold. For example, a single taxpayer filing as an individual (not head of household) making $85,000 annually would receive a rebate of $700 (that is, $1,200 reduced by 5% of $10,000, or $500). It phases out entirely for single taxpayers with no children who earn more than $99,000 per year, and for joint taxpayers with no children who earn more than $198,000 per year. An individual’s 2019 or 2018 tax returns will be used to calculate the rebate advanced to taxpayers, but taxpayers eligible for a larger rebate based on 2020 income will receive it in the 2020 tax season. Paycheck Protection Program – Section 1102. The bill provides aid to businesses with fewer than 500 employees and allocates approximately $350 billion through June 30, 2020 for small business loans up to $10 million through approved lenders that are fully government-guaranteed. The loan proceeds may be used to cover payroll costs, such as employee salaries, paid sick or medical leave, insurance premiums, and mortgage, rent, and utility payments incurred from February 15, 2020 through June 30, 2020. The maximum amount of a loan equals 2.5 times the average regular monthly payroll expenses, subject to a hard cap of $10 million and other certain limitations. The following businesses are considered eligible for the Paycheck Protection Program: Businesses with fewer than 500 employees. Small businesses as defined by the Small Business Administration (SBA) Size Standards at 13 C.F.R. 121.201. 501(c)(3) nonprofits, 501(c)(19) veteran’s organization, and Tribal business concern described in Section 31(b)(2)(C) of the Small Business Act with not more than 500 employees. Hotels, motels, restaurants, and franchises (NAICS Code 72) with fewer than 500 employees at each physical location. Businesses that receive financial assistance from Small Business Investment Act Companies licensed under the Small Business Investment Act of 1958. Sole proprietors and independent contractors. Eligible small businesses may also receive loan forgiveness equal to the amount spent by the borrower during an eight-week period after the origination date of the loan on payroll costs, interest payment on any mortgage incurred prior to February 15, 2020, payment of rent on any lease in force prior to February 15, 2020, and payment on any utility for which service began before February 15, 2020, with the amount of any such forgiveness reduced if the borrower subsequently reduces its employee headcount or employee compensation beneath certain established thresholds. Any amount of loan used to pay any single employee more than $100,000 will be excluded from forgiveness. Borrower and lender fees, collateral, and personal guarantee requirements all are waived. The CARES Act authorizes the Small Business Administration to issue loans with interest rates of up to 4% with a maximum maturity date of 10 years, though the regulations issued by the Treasury Department after enactment of the law set the interest rate at 1% with a maturity date of only 2 years. There is no penalty for prepayment, and loan repayments can be deferred for 6-12 months. Eligibility for loans under the Paycheck Protection Program is based on whether the business (1) was operational on February 15, 2020, and (2) had employees for whom it paid salaries and payroll taxes, or a paid independent contractor, and not with regard to repayment ability. A borrower must make a good faith certification that current economic conditions caused the borrower to request support, the loan will be used for approved uses, and the borrower is not also seeking or received an SBA 7(a) loan for the same purpose. A list of approved lenders can be found here. SBA Economic Injury Disaster Loans & Advances – Section 1110. The bill expands the types of entities eligible to receive (1) up to $2 million in direct loans from the Small Business Administration (with the actual loan amount depending on the amount of the actual injury), and (2) loan guarantees for substantial economic injury caused by the COVID-19 pandemic. Eligible borrowers under this program are those that are unable to meet their obligations as they mature or to pay their ordinary and necessary operating expenses as a result of the COVID-19 pandemic. The loan proceeds may be used for (i) working capital necessary to carry on the concern until normal operations resume, (ii) expenditures necessary to alleviate the specific economic injury, (iii) providing paid sick leave to employees, (iv) maintaining payroll, (v) meeting increased costs to obtain materials, (vi) making rent or mortgage payments, and (vii) repaying obligations that cannot be met due to revenue losses. Due to potential delays in disbursing these loans, the bill also authorizes emergency grants of up to $10,000 to eligible borrowers, available immediately. Note that borrowers receiving an Economic Injury Disaster Loan relating to the COVID-19 pandemic cannot also receive a loan under the Paycheck Protection Program. The Economic Injury Disaster Loan application can be found here. New Eligible Entities: Generally, businesses with fewer than 500 employees. Tribal businesses with fewer than 500 employees. Cooperatives with fewer than 500 employees. Employee Stock Ownership Plans with fewer than 500 employees. Individuals operating as a sole proprietor or an independent contractor during the covered period (January 31, 2020 to December 31, 2020). Other Eligible Entities: Small businesses as defined by the Small Business Administration Size Standards. Private non-profits with exemptions under sections 510(c), (d) or (e) of the Internal Revenue Code. Section 7(a) Loan Subsidies – Section 1112. The bill allocates $17 billion to the Small Business Administration to cover principal, interest, and fees on loans guaranteed by the Small Business Administration for up to six months. For a chart summarizing the loan, forgiveness and subsidy programs made available under the CARES Act click HERE. Tax Provisions. In addition to the specific provisions detailed above, the new law includes several changes to the U.S. tax laws to provide assistance for taxpayers dealing with the financial fallout from the pandemic. These include: Five-Year NOL Carryback and Suspended 80% Limitation – Section 2203 For taxable years 2018 to 2021, the 80% income limitation on net operating losses (“NOLs”) has been suspended. The bill also allows for NOLs earned in 2018, 2019, or 2020 to be carried back five taxable years. Waiver of Penalty on Early Withdrawal from Retirement Account – Section 2103 The bill removes the 10% penalty on early withdrawals from retirement accounts for any “coronavirus-related distribution.” A coronavirus-related distribution is a distribution from a retirement plan made between March 27, 2020 and December 31, 2020 to an individual (i) who has tested positive for coronavirus, (ii) whose spouse or domestic partner has been diagnosed with coronavirus, or (iii) who experiences adverse financial consequences as a result of coronavirus. Amounts withdrawn are taxable over three years, but may be recontributed without affecting retirement account caps. Eligible retirement accounts include individual retirement accounts (“IRAs”), 401ks, and other eligible plans under Section 402(c)(8)(B) of the Internal Revenue Code. Temporary Waiver of Required Minimum Distribution from Retirement Account – Section 2203 The bill waives the required minimum distribution for 2020 from 401k plans, IRAs and other eligible retirement accounts. Interest Deduction Limitation – Section 2206 The bill increases the amount of deductible business interest expenses from 30% to 50% of EBITDA for tax years beginning in 2019 and 2020. Technical Correction Regarding Deduction for Qualified Improvement Property – Section 2307 The bill includes an amendment to the 2017 Tax Cuts and Jobs Act, which reduces the depreciable life of qualified improvement property, such as leasehold improvements, from 39 years to 15 years. This amendment is retroactive to January 1, 2018, and therefore taxpayers may file amended tax returns to receive the benefits of additional and bonus depreciation. The full text of the CARES Act is available online here. This alert was authored by Coblentz Employment attorneys and Christopher Westman, with contributions from our Tax attorneys Jeffry Bernstein and Jessica Wilson. For more information or to discuss how the CARES Act impacts your company, please contact Jeffry Bernstein at jbernstein@coblentzlaw.com, or Paul Tauber at ptauber@coblentzlaw.com.

California Attorney General Xavier Becerra wasted no time in issuing new modified draft regulations for the California Consumer Privacy Act (“CCPA”), announcing new draft regulations on March 11, 2020 – just two weeks after the public comment period expired on the prior draft regulations. While the March 2020 changes are more limited than the February 2020 modifications to the original October 2019 draft regulations, the new changes have an immediate impact on all businesses currently working to comply with the CCPA’s requirements. Selected provisions of the newest draft regulations are set forth below:

1. Personal Information Reverts to the Statutory Definition – There was a lot of excitement in February about the modification to the definition of “personal information” under the statute, including in what contexts certain information not explicitly linked to an individual or household (such as IP addresses collected from website visits) would or would not be considered “personal information.” As we noted in a previous article, the problem with that modification was that it created ambiguity regarding when certain personal information collected or disclosed by the business may be “capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household” when combined with other available information, even if the business itself makes no effort to create such a  link or identification. The newest draft regulations have accordingly deleted this attempt at narrowing the definition of “personal information,” essentially reverting back to the broad definition in the statute. Thus, as currently defined, essentially every piece of information that is reasonably capable of being related to a California resident or household, including IP addresses or other information not currently linked to an individual or household, constitutes collection of personal information under the CCPA.
2. Businesses That Do Not Collect Information Directly Do Not Need To Provide Notice At Collection – Although this appeared to be the case based on statutory language and previous regulations, the March 2020 modifications added back in the provision that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection if it does not sell consumers’ personal information.
3. The Opt-Out Button And Logo Is Gone – The proposed Opt-Out Button and Logo released with the February 2020 modifications has been entirely deleted in the March 2020 modifications. It remains to be seen whether a new button or logo will be forthcoming or what it will look like.
4. Responses to Request to Know Specific and Sensitive Information – The February 2020 modifications clarified that businesses are restricted from disclosing certain sensitive information such as driver’s license number or other government-issued identification numbers, social security number, financial account number, health insurance or medical identification number, account password, security questions and answers, and biometric data, in response to consumer requests to know specific pieces of information collected about them. However, the new modifications explain that businesses must still disclose with “sufficient particularity” the type of sensitive information collected without disclosing the actual information. For example: if a business collects biometric data, it must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
5. Notice of Employment-related Information – A business collecting employment-related information still needs to provide notice at collection to employees and job applicants but does not need to include a link to a business’s main privacy policy in that notice.
6. Privacy Policy Right To Know Description– Although the description of personal information required to be disclosed in a business’s privacy policy appeared to be somewhat relaxed by the February 2020 modifications, the new modifications clarify that a privacy policy must identify not only the categories of personal information collected about consumers in the previous 12 months, but also the categories of sources from which personal information is collected and the business or commercial purposes for collecting and selling the personal information (in addition to the previous requirement of identifying the categories of personal information sold or disclosed to third parties and –for each category – the categories of third parties to whom information was sold or disclosed).
7. Information Of Minors – If a business has actual knowledge that it sells personal information of minors under 16 years of age, it must include a description of the affirmative opt-in consent process required for selling personal information of minors in its privacy policy.
8. Opt-Out Privacy Controls – The February 2020 modifications prohibited businesses from providing pre-selected opt-outs in user-enabled privacy controls and required consumers to affirmatively exercise their choice to out-opt.  However, the March 2020 regulations deleted this affirmative selection requirement leaving the possibility of pre-selected settings. Moving forward, how businesses handle opt-outs in privacy controls will depend on a variety of factors including the industry the business operates in, target audience, and the value of the collected data to the business.

Despite all of this new information and guidance, it is important to remember that these modifications are still in draft form and will undergo further revisions until finalized later this year.  It remains to be seen how many more modifications will come between now and July, and businesses are already frustrated at the moving target of compliance presented by the ever-changing regulations.  While it is helpful to get periodic glimpses into the AG’s thought process and see where the regulations are heading, additional draft modifications – including adding and then removing requirements, or removing them and then adding them back in, as well as making other substantive changes – will likely incentivize businesses to stop taking any further steps toward compliance until final regulations are released.  The good news is the recent changes are less extensive, indicating that we are hopefully getting closer and closer to the final product.

For further information on how the modified regulations or the CCPA impacts your business, contact Cybersecurity & Data Privacy attorney Scott Hall (shall@coblentzlaw.com).  You can also review additional CCPA articles and resources in our CCPA Resource Center.

With the CCPA (California Consumer Privacy Act) in effect as of January 1, but regulations still being revised and finalized, businesses are struggling to know what they need to do now to comply. If your business has not yet taken steps to comply with the CCPA or is still uncertain about the precise steps to take, now is the time.  We raise and respond to 10 questions below that every business should be asking itself to assess its current status and next steps for CCPA compliance.

1. Is My Business Subject To The CCPA?

The relevant factors for determining whether a business is subject to the CCPA have remained the same despite the shifting draft regulations.  Namely, if: (1) you are a company (excluding non-profit and government entities) that (2) collects personal information – or on whose behalf such information is collected – that alone or jointly determines the purposes and means of processing that information, and (3) you do business in the State of California, then you are subject to the CCPA if: (a) you have gross annual revenue (not limited to CA) of more than $25 million; or (b) you collect the personal information of 50,000 or more California residents, households or devices annually; or (c) 50% or more of your annual revenues are derived from selling consumers’ personal information.

Whether you are “doing business” in California is somewhat ambiguous, but will likely be determined by factors indicating intentional, repeated economic activity in the state (i.e., not an unintended or isolated transaction).  A physical presence in the state is not necessary, as repeated transactions remotely or online will likely suffice, as could soliciting or advertising to California consumers.  Moreover, the 50,000-consumer/device/household threshold may capture a significant number of businesses since IP addresses, geolocation information, or other internet-collected information is defined as personal information under the statute.  Although the new draft regulations state that IP addresses that cannot reasonably be linked to a consumer or household would not constitute personal information, it remains somewhat unclear under what circumstances information such as IP addresses can or cannot be reasonably linked or associated with a specific consumer or household in light of, or in combination with, other available information.

2. Is My Privacy Policy Sufficient?

The old days of privacy policies that merely provide general and broad descriptions of data collection and use practices, or that limit disclosures to online or website data collection practices only, are over.  Under the CCPA, businesses that collect personal information from consumers must have a privacy policy that provides a comprehensive description of the business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and the rights of consumers regarding their personal information.  Specifically, businesses must disclose how the business collects and discloses certain categories of personal information with enough detail to provide consumers with a “meaningful understanding.”  This means that privacy policies must explicitly list categories of information collected in the past 12 months, and third parties to which the information has been sold or disclosed in the past 12 months, with requisite specificity (e.g., advertising networks, data analytics providers, social networks, data brokers, etc.).

Privacy policies must also describe the various consumer rights under the CCPA, including the right to request to know what information has been collected, the right to request deletion of information collected, and the right to opt-out of sale of personal information, as well as providing instructions on how consumers can submit requests and describing the process for verifying consumers’ identities in connection with such requests.  Businesses must also include a consumer’s right to not be discriminated against for exercising rights under the CCPA, provide information regarding requests made by authorized agents, and include contact information for the business and the date the privacy policy was last updated.

Privacy policies should be posted through a conspicuous link using the word “Privacy” on the business’s website homepage and in the settings menu of a mobile application.  Privacy policies also need to be easy to read and understand, capable of being printed, and accessible to consumers with disabilities, including by following Web Content Accessibility Guidelines, version 2.1 from the World Wide Web Consortium.

3. What Other Notices Or Disclosures Are Required Under the CCPA? 

Beyond the privacy policy, businesses must provide a “Notice At Collection” via a conspicuous link on the website homepage, a just-in-time notice or link on the mobile application download page or settings menu, or a notice given by telephone or printed forms, depending on the way your consumers primarily interact with your business.  The Notice At Collection should detail the categories of personal information collected by the business and the business or commercial purposes for which the information will be used with enough specificity to provide consumers with a “meaningful understanding.”  The Notice a Collection should also include a “Do Not Sell My Info” link if the business is selling data, as well as a link to the business’s main privacy policy.

4. How Do I Know If I’m “Selling” Personal Information Under The CCPA? 

By now, you probably know that “selling” personal information as defined in the CCPA encompasses more than simply selling personal data to third parties in exchange for money.  “Selling” under the CCPA is defined as any disclosure of personal information for valuable (not necessarily monetary) consideration and may encompass disclosures of personal information to service providers, use of data analytics tools, or other disclosures in the course of business relationships.  Mapping the data collection and sharing practices of your business is essential, and if you are disclosing data to a third party for any reason, you should consider whether it might constitute a sale and whether you need to disclose that sale and offer an opt-out right or whether you can avoid the disclosure being deemed a sale by entering into a written contract that restricts the further use of the information.

5. Do I Have To Update My Vendor/Service Provider Contracts?

The primary way to avoid the disclosure of personal information to a third-party service provider being deemed a “sale” under the CCPA is to enter into a written contract, certified by the service provider, that restricts the further use or disclosure of that data by the service provider for purposes other than providing your business with the relevant services.  All businesses covered by the CCPA should consider revising their vendor and service provider agreements to include restrictions and prohibitions on the service providers’ use or sale of personal information disclosed to them other than to provide services to the business.  The new draft regulations clarify that service providers may use information disclosed to them for internal use to build or improve the quality of their services, detect data security incidents and fraud or illegal activity, or to retain and employ other service providers as subcontractors if they meet the requirements, without the disclosure being deemed a “sale.”

6. What Methods Must Be Offered For Submission Of Consumer Requests? 

Most businesses must provide two or more methods for submitting consumer requests, including a toll-free number (mandatory for requests to know), an online interactive form (mandatory for requests to opt-out of sale), a designated email address, a form submitted through mail, or, where interaction is primarily in-person, a printed form or a computer portal.   Requests to opt-out of sale should require minimal steps and be easy for consumers to execute.  Note that businesses that operate “exclusively online” and have a direct relationship with their consumers need only provide an email address for submission of requests to know.  More than two methods of submission for consumer requests may be advisable, and businesses should consider the way they primarily interact with consumers when determining what methods to offer.

Businesses will also need to provide a separate Notice to Opt-Out of Sale Of Personal Information if they are selling personal information, and/or a Notice of Financial Incentive if they are offering financial incentives to consumers to retain, disclose or sell their data.  These notices would typically be given via a link on the website homepage or mobile download page.  All notices should be easy to read and understand and accessible to persons with disabilities.

7. How Much Time Do I Have to Respond To Consumer Requests?

Businesses have 10 business days to acknowledge receipt of requests to know/delete and 45 calendar days to respond substantively to those requests (with an additional extension of 45 calendar days in some cases).  By contrast, businesses have only 15 business days to process and comply with requests to opt-out of the sale of information.  The new draft regulations excuse businesses from notifying all third parties to whom they have previously sold data about a consumer’s opt-out request, but businesses must still notify any third party to whom the business sells the consumer’s data after receiving the opt-out request (but before complying with request) and instruct that third party not to sell that consumer’s information.

8. What Processes or Procedures Are Necessary Or Sufficient To Verify Consumer Identities?

The guidance for how to verify consumer identities remains somewhat ambiguous.  In general, businesses are instructed to tailor a consumer identity verification process to the sensitivity and risk of the personal information at issue.  The regulations provide that no business should disclose certain sensitive categories of personal information (i.e., the data breach categories mentioned in No. 10 below) in response to a consumer request.  But aside from a couple of clear rules, the verification process is largely left to the business.  Businesses with password-protected accounts for their users are fortunate because they can use such accounts to verify identities by having consumers re-enter their credentials for the account.  Businesses without such accounts for their users, however, must match either 2 or 3 pieces of personal information maintained by the business with information provided by the consumer and, in some cases, require the consumer to provide a signed affidavit under penalty of perjury that they are the consumer who is the subject of the data request.  Because businesses are discouraged from collecting additional information in order to verify identities, but must also ensure that the process is sufficiently stringent for the data involved, businesses will need to determine what pieces of personal information can be used to sufficiently and accurately identify consumers.  For businesses that maintain customer purchase information, the regulations suggest that verifying the consumer’s identity might involve requiring the consumer to identify items recently purchased or dollar amounts of recent purchases.  In any event, the regulations require that a business deny requests to know specific pieces of personal information if the business cannot verify the identity of the requestor to the required level of certainty.  However, businesses that have no sufficient method to verify identities of consumer requestors may be subject to greater regulatory scrutiny.

9. What Is Required For Employee Data? 

An October 2019 amendment to the CCPA provided for a one-year exemption to employee or job applicant data (used only in the employment or application context) from full coverage of the CCPA.  This means that employees cannot make consumer requests to know or delete to their employers regarding their personal information collected as part of their employment.  Businesses are still required to provide employees and job applicants with notice regarding the collection, use, and disclosure of their personal information, however, and employees will still be able to bring a private right of action in the event of a data breach.

10. What Are Reasonable Security Procedures And Practices?

One of the most dreaded aspects of the CCPA for businesses is the private right of action, with statutory damages, arising from the unauthorized access to (i.e., breach of) certain sensitive categories of personal information (e.g., driver’s license, social security number, account number in combination with security code or password, medical or health insurance information, automated license plate recognition data, email address in combination with password or security question, or biometric data).  As a preliminary matter, the private right of action is limited to unauthorized access to this data in nonencrypted and nonredacted form, so businesses should store all such data in encrypted or redacted form.  Additionally, businesses should review their security practices and procedures for consistency with industry standards for security, including the Center for Internet Security (CIS) Top 20 Controls, the International Organization for Standardization (ISO) 27001 standards, and the National Institute of Standards and Technology (NIST) framework, among others.  While the CCPA does not identify a single standard as sufficient to be reasonable, following industry-standard guidelines for security is a safe bet.

Summary

This list is not intended to be comprehensive of all legal requirements and obligations under the statute and regulations.  For example, there are various statutory and subject matter exemptions to the statute (e.g., exemptions for certain personal health and financial information governed by other statutes and exceptions to the requirement to delete consumer data when needed for specified business purposes).  Additionally, there are special rules applicable to personal information of minors and to businesses that collect personal information of more than 10 million consumers annually or that offer financial incentives to allow them to use, retain, or sell consumer information.  You should consult legal counsel regarding compliance requirements for your specific business and practices.  However, the questions set forth above address many of the basic compliance questions companies may have about the CCPA as its enforcement data approaches.

For further information, contact Coblentz Cybersecurity & Data Privacy attorney Scott Hall (shall@coblentzlaw.com). You can also review additional CCPA articles and resources in our CCPA Resource Center.

On Friday, February 7, and Monday, February 10, 2020, the California Attorney General released proposed modified regulations in connection with the California Consumer Privacy Act (“CCPA”). The modified regulations provide businesses with some clarity, and arguable relief, from certain of the prior onerous regulatory obligations. Despite the modifications, however, there is still ambiguity about many aspects of the regulations, and the CCPA remains the most stringent privacy compliance law in effect in any state in the United States.

Below is a short summary of some of the more prominent changes to selected provisions of the regulations that may have an immediate effect on businesses. This summary is not meant to be an exhaustive list of the proposed modifications. These regulations are not final regulations, and additional changes may be made in the next few months as they are finalized. The deadline to submit written comments to the proposed modifications is February 25, 2020.

Changes to Definitions

“Personal Information” – Whether or not information collected by businesses is personal information now depends on how the business maintains the information. If the business maintains information in a manner that “identifies, relates to, describes, or is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household,” the information is “personal information.” So, according to the regulations, if a business only collects IP addresses of visitors to its website but does not link or could not link the IP address to a particular consumer or household, the IP address would not be “personal information.”

This new definition tries to narrow the scope of “personal information” but remains ambiguous as to what information “could be” linked to a consumer or household. For example, collection of data through automated technology such as cookies, pixels, and web beacons is arguably anonymous and not linked to a consumer at the time of collection, but this data, when combined with enough other data points, could be reasonably linked to a particular consumer or household. For instance, if a consumer is logged into Facebook and browsing a website with the Facebook analytics tool called Facebook pixel in the same session, information collected on the website (including IP address, click patterns, etc.) may be attributed to the consumer’s Facebook profile.  In this scenario, the collected data would presumably be “personal data.” Businesses will have to continue to analyze the types and amount of data they collect and how such data is used to determine if linkage to a consumer or household could reasonably be accomplished.

Categories of “Sources” and “Third Parties” – Businesses are now required to describe how the business collects personal information about consumers, and who it discloses the information to, with enough particularity to provide consumers with a “meaningful understanding.” Simply stating that the business collects information from or discloses information to “third parties” will not suffice. Businesses will have to explicitly list sources of the collected personal information and the types of third parties it shares that information with, such as advertising networks, internet service providers, data analytics providers, operating systems and platforms, social networks, government entities, and data brokers.

“Household” – Household means a person or group of people who: 1) reside at the same address; 2) share a common device or the same service provided by a business; and 3) are identified by the business as sharing the same group account or unique identifier.

“Signed” – The definition of “signed” means written attestation, declaration, or permission that is physically or electronically signed.

Changes to Consumer Rights and Requests Under the CCPA

“Requests to Delete” – The two-step process to confirm that a consumer wishes to delete his or her information is no longer required and is merely optional.

“Methods to Submit Request to Know and Requests to Delete” – Exclusively online businesses that have a direct relationship with consumers from whom they collect personal information only need to provide an email address for submitting requests to know. All other businesses must provide two methods, including a mandatory 1-800 number. For requests to delete, all businesses are still required to designate two or more acceptable methods. An interactive webform is an acceptable option but is no longer required for any consumer request.

Businesses that primarily interact with consumers in person should provide in-person methods such as printed forms that can be mailed, a tablet or computer portal for an online form, or a toll-free number to submit requests to know and delete.

“Right to Opt-Out” – If a business does not have proper notice of right to opt-out posted, it cannot sell personal information collected during that time unless it obtained affirmative authorization from the consumer.

“Request to Opt-Out” – A request to opt-out may now be made via global privacy controls or device settings. Any privacy control developed must clearly communicate or signal that a consumer intends to opt-out, so a pre-selected setting will not suffice. Consumers must affirmatively select their choice to opt-out. In case of a conflict with a consumer’s existing business-specific privacy setting or participation in a financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program. Similarly, if a consumer initiates a transaction or attempts to use a product or service that requires the sale of information, a business can inform the consumer that the action requires the sale of personal information and provide instructions on how the consumer can opt-in.

“Opt-Out Button” – If a business chooses to include the optional opt-out button, it must appear to the left of the “Do Not Sell My Personal Information” link, be approximately the same size as other buttons on the webpage, and explicitly look like this:

 

 

An example of a compliant opt-out button looks like:

 

 

“Methods to Submit Requests to Opt-Out” – Businesses should make Requests to Opt-Out easy for consumers and require minimal steps. Businesses cannot use a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.

“Time limits to Respond to Requests to Know and Requests to Delete and Opt-Out of Sale” – Businesses have some extra time to confirm receipt of consumer requests. Businesses must confirm receipt within 10 business days and can do so in the same manner in which the request was received. Similarly, businesses must now comply with a request to opt-out within 15 business days. The time to respond to requests to Know and Requests to Delete remains 45 calendar days from receipt of the request.

“Responding to Requests to Know” – A business does not need to search for personal information if: 1) it does not maintain the personal information in a searchable or reasonably accessible format; 2) it maintains the personal information only for legal or compliance purposes; 3) it does not sell information and does not use it for any commercial purpose; and 4) it describes to the consumer the categories of records that may contain personal information that it did not search because it met the above conditions. Note that all four of the above conditions must be met for the exception to apply.

“Responding to Requests to Delete” – Businesses no longer need to treat all requests to Delete as Requests to Opt-Out of Sale. However, if a business sells personal information and a consumer has made a request to delete, but not a request to opt-out, the business must ask the consumer if they would like to opt-out of sale of their personal information and will include a link to the right to opt-out or the contents of the notice of right to opt-out.

“Complying with a Request to Opt-Out” – Businesses that sell personal information no longer need to contact third parties to whom they sold a consumer’s personal information within 90 days prior to the business’s receipt of the consumer request. Instead, businesses now only need to notify those third parties that it sold personal information to after the consumer submitted the request but before the business complied with that request. Businesses must direct those third parties to not sell that consumer’s information.

Notice Requirements

Notice At Collection – For businesses that collect information online, the Notice at Collection may be given by a conspicuous link to the notice that must be posted on the introductory website page and on all webpages where personal information is collected.  Businesses that collect information by telephone or in-person can provide the notice orally. For mobile users, a link to the notice must be provided on the download page and within the application such as within the settings menu. Mobile devices also require a “just-in-time” notice containing a summary of the categories of personal information being collected and a link to the full notice if the personal information collected is for a purpose that the consumer would not reasonably expect.

Notice of Right to Opt-Out of Sale of Personal Information – A business must explain the opt-out right and state whether or not it sells personal information. If it sells personal information, it must provide a link to the Notice of Opt-Out Right.

Notice of Financial Incentive – If a business does not offer a financial incentive or price difference related to disclosure, deletion, or sale of personal information, it does not have to provide notice of financial information. For businesses that do offer financial incentives, the business must explain to the consumer the material terms of the incentive the business is offering to allow the consumer to make an informed decision on whether to participate, and the notice must be readily available where consumers will encounter it before opting into the offered financial incentive. The notice must now include a description of the value of the consumer data.

“Non-Discrimination Business Practices and Requests to Delete or Opt-out” – Businesses must ensure that any financial incentive they offer is reasonably related to the value of the consumer data or the price difference would be considered discriminatory. If a business cannot calculate in good faith the value of consumer data or show that the financial incentive is reasonably related to the value of the consumer data, it shall not offer the financial incentive. To calculate the value of the data, a business can consider the value to all natural persons, not just consumers.

Businesses can deny a consumer’s request to delete information if the information is necessary to the business’s financial offering and is reasonably anticipated within the context of the business relationship between the parties. For example, if a business offers a loyalty program whereby consumers receive a $5 coupon via email for every $100 spent and a consumer submits a request to delete information and informs that business he or she wants to continue participating in the loyalty program, assuming the $5 is worth the value of the consumer data collected, the business may deny the request to delete the email address and amount spent by the consumer. This information is necessary and is reasonably anticipated within the context of the business relationship between the parties. This practice would not be considered discriminatory.  However, if the business were offering discounts to consumers through a browser pop-up window while the consumer uses the website and the consumer were to submit a request to delete the email address on file, the business cannot deny the request because the email address is not necessary or reasonably aligned with the expectations of the consumer based on the parties’ business relationship. This practice would be discriminatory.

Privacy Policy – The privacy policy does not need to disclose the commercial purpose for which each category of information was collected. Rather, the privacy policy must only identify the categories of personal information collected in the preceding 12 months and identify the categories of personal information disclosed or sold to third parties in the preceding 12 months and, for each category of personal information sold or disclosed, provide the categories of third parties to whom the information was sold or disclosed.

The modified regulations also clarify that the privacy policy need only describe the consumer request verification process “generally.”

Purpose of Information Collected – Businesses cannot use a consumer’s personal information for any purpose materially different than those disclosed in the notice of collection. The addition of the terms “materially different” will limit the situations in which a business must provide notice and seek explicit consent when it has departed from using the information as previously disclosed.

Reasonable Accessibility to Consumers with Disabilities – Online notices must follow industry standards such as the Web Content Accessibility Guidelines, version 2.1 from the World Wide Consortium. These Guidelines provide accessibility guidance for consumers with cognitive or learning disabilities, low vision, and disabilities on mobile devices.

Collection of Employment-related Information – A business collecting employment-related information does not need to include a “Do Not Sell My Info” link, and may include a link to a business’s privacy policy for job applicants, employees or contractors in lieu of a link to the privacy policy for consumers.

Other Requirements

Personal Information Collected By Data Brokers – Businesses that buy information from data brokers registered with the State of California no longer need to perform due diligence about whether the business provided appropriate notice to the consumer and obtain signed attestations from the broker about how notice was given to consumers and request an example of the notice.

Service Providers – A business that collects information on behalf of another business may still fall under the “service provider” exemption of the CCPA if it uses the personal information collected for internal use to build or improve the quality of services provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.

This provides much-needed relief for service providers especially in the cloud industry, that rely on access to such data to improve their services and product offerings. Service providers can also use personal information to retain and employ another service provider as a subcontractor (if the subcontractor meets the service provider requirements under the CCPA), as well as to detect data security incidents, protect against fraudulent or illegal activity, or to perform the services specified in the contract. However, Service Providers cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business.

Service providers also no longer have the burden to respond to a consumer request to know or delete.  Service providers can choose to do so on behalf of the business, or they can inform the consumer that the request cannot be completed because it was sent to the service provider.

Authorized Agent – A business’s privacy policy must now provide instructions on how an authorized agent can make requests under the CCPA (as opposed to instructing consumers how they can appoint an authorized agent, as required under the previous version of the regulations). Request to opt-out made by an authorized agent on behalf of a consumer must provide the authorized agent with written permission signed by the consumer. A business can also request the customer to directly confirm with the business that they provided the authorized agent permission to submit the request. An authorized agent now has the burden to implement and maintain reasonable security procedures and practices to protect consumer information and cannot use a consumer’s information for any purposes other than to fulfill the request, verification or fraud prevention.

Security – Businesses must implement and maintain reasonable security procedures and practices in maintaining records of consumer requests and how the business responded to such requests for at least 24 months. Such information shall only be maintained for record-keeping purposes except to review and modify the business’s compliance procedures. This information cannot be shared with any third party.

Identity Verification – A business may not require a consumer to pay a fee for the verification of the consumer’s request to know or delete. For example, a business may not require a consumer to submit a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization. If a business has no reasonable method by which it can verify the identity of a consumer, the business shall explain why it has no reasonable verification method in its privacy policy. The business must also evaluate and document on a yearly basis whether a reasonable method can be established.

If a business maintains personal information in a manner that is not associated with a named actual person, it may verify the request by asking the consumer to provide information that only the person associated with the information would know, including, if information is collected from a mobile application, requiring that the consumer respond to a notification sent to their device.

Consumer Metrics – Businesses that buy, receive, sell or disclose for a commercial purpose the personal information of over 10 million consumers in a calendar year must compile and disclose certain metrics regarding consumer requests in their privacy policies. This more than doubles the 4 million-consumer threshold triggering the metrics requirement under the previous version of the regulations.

Conclusion

Overall, the regulations provide some clarification and relief in terms of notice requirements, use of service providers, and submission of consumer requests. However, the modified regulations do not address many of the ambiguities regarding when sharing of personal information among businesses in the analytics or digital advertising context will be deemed a “sale” under the statute, nor has further guidance been provided regarding a uniform and sufficient process by which all businesses can securely and efficiently verify the identity of individuals making consumer requests. Although we may see some final tweaks before the July enforcement of the CCPA, businesses will likely have to continue to do the best they can to comply based on the current guidance.

For further information on how the modified regulations or the CCPA impacts your business, contact Cybersecurity & Data Privacy attorney Scott Hall at shall@coblentzlaw.com.