ATP Submits Follow-up Comments to California Attorney General's Office

On December 6, 2019, ATP filed comprehensive comments with the California Attorney General addressing the concerns of the testing industry over the proposed regulations for implementing the California Consumer Privacy Act (“CCPA”). Although the CCPA technically went into effect on January 1, 2020, final regulations are not expected to be released until the Spring. As ATP General Counsel Alan Thiemann reported in a December Legal/Legislative Alert to ATP Members: “The failure to have final regulations in place until after the law becomes effective makes it impossible to know exactly what is required to comply with the CCPA.” Nevertheless, Thiemann urged ATP members to take “good faith steps” towards compliance this year.

On February 25, 2020, the Association of Test Publishers submitted further comments on behalf of the testing industry to the California Office of the Attorney General to address the Modified Regulations for implementing the California Consumer Privacy Act, which were published by the California AG on February 7, 2020.

The ATP noted that numerous recommendations it made had not yet been acted on by the Attorney General. Thiemann further explained in the second comments, “we (ATP) remain hopeful that further modifications to the Proposed Regulations will occur before July 1, 2020.”

Among the concerns noted in the ATP comments were:

1. Guidance on Interpretation of Definition of “Personal Information”

The Modified Regulations provide a single example to aid in the understanding of the definition of “personal information.” The new language states that, “…if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” While this example helps explain why the Legislature added the word “reasonably” to the statute, from the ATP’s perspective it does not go far enough in exploring all of the variations of how a linkage between the information collected and a person must exist, including “how the information is maintained.” Additionally, the ATP continues to assert that even if some information may be associated with a consumer, if it was not provided by the individual but rather was generated or derived by the business as a result of a services contract, it should not be considered “personal information” (e.g., test results/scores).

2. Requests to Opt-Out

The Modified Regulations discuss “global privacy controls” in browsers that might be developed and require anyone collecting personal information online to treat this approach as a valid “opt-out,” or otherwise to check with the consumer about a conflict with his/her specific browser setting. This requirement places an extreme and unnecessary burden on a covered business to consider possible future browser settings, even ones with which it is not familiar or that are rarely used. The ATP contends that a business should not be obliged to support all possible browser plugins, including those that are not commonly used.

3. Employee-related Information

The ATP is extremely concerned that the new language in §999.305 regarding employee-related information is not consistent with the terms of AB 25, enacted by the California Legislature last September and signed into law by the Governor in October. The Legislature established a one-year “moratorium,” excluding “employee-related information” from being considered “personal information” under the CCPA until 2021. Consistent with the well-accepted legal definition of the word “moratorium,” the intention of the Legislature was to delay the effectiveness of the CCPA as to employee-related information for one year in order to allow itself time to consider further actions in 2020. Rather than give effect to this clear legislative intent, the Modified Regulations improperly require that a business must still apply much of §999.305 to employees/job applicants.

The Modified Regulations state that, until January 1, 2021, unless there is a further amendment to the CCPA, a covered business is only exempt from the following provisions in §999.305:

(1) The notice at collection of employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info;” and

(2) The notice at collection of employment-related information may include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors in lieu of a link or web address to the business’s privacy policy for consumers.

But these two elements of Section 305 clearly do not comprise the full responsibilities that a business would normally have to meet if employee-related information were considered “personal information.” Accordingly, the ATP submitted that the Modified Regulations, as written, are inconsistent with, and do not conform to, the “moratorium” as enacted into law.

4. Enforcement of the CCPA

One of the references added to the Modified Regulations is Douglis, et al., “How the CCPA impacts civil litigation” (January 28, 2020) (available at https://iapp.org/news/a/how-the-ccpa-impacts-civil-litigation/#). As the article notes, “It is not hard to imagine the CCPA could become weaponized against businesses....” The ATP strongly agrees with the authors that a solution to this “weaponization” problem is for the final regulations to allow a business to refuse to provide access to information that is clearly part of a pre-litigation mining activity by the plaintiffs’ bar. In our view, the CCPA does not restrict a business’s ability to “exercise or defend legal claims.” The final regulations should allow a covered business to refuse to respond to mass-access requests that are clearly aimed at pre-litigation discovery. This problem is especially critical for testing organizations that engage in employment-related and certification testing services, which are highly vulnerable to such “weaponized” requests for personal information surrounding actions by covered businesses that use testing services.

5. “Service provider” regulations

In its December 6 letter, the ATP contended that the Proposed Regulations should not be interpreted in such a manner as to prevent specific business contracts from being entered into and performed. The modified language of §999.341(b)(1) adopts a position consistent with the one advocated by the ATP in its December 6 letter, namely, that a service provider may use or disclose personal information it obtains in the course of providing services to a covered business “to perform the services specified in the written contract with the business that provided the personal information.” Although this modification represents a major improvement over the original proposed regulations, the ATP remains tremendously concerned about the Attorney General’s apparent refusal to clarify the definition of what constitutes a sale and what is “other valuable consideration.” Again, the ATP extensively explained the appropriateness of “sharing” personal information between a covered business and its service providers in order to fulfill a consumer’s contract for testing services; it would be useful to have the definitions of “sale” and “valuable consideration” clarified in the context of service providers.

Moreover, the Modified Regulations also permit a service provider to use customers’ personal information to retain/employ another subcontractor, improve its services, comply with law or legal obligations, and defend or pursue legal claims, and, importantly, to detect data security incidents or protect against fraudulent or illegal activity. The ATP applauded this clarification; however, the ATP also noted that further modifications should be made to clarify that, in the context of a services contract, the service provider may give the required notice to a consumer. In performing such internal activities, however, the service provider is not allowed to use personal information to build consumer profiles, “clean” personal data, or augment the data with data obtained from another source. Unfortunately, since none of these terms are defined, the ATP fears that their meaning for service providers remains unclear and will result in inadvertent violations. The ATP urged the Attorney General to provide definitions and clarity around these restrictions in the final regulations.

6. “Methods for Submitting Requests to Know and Requests to Delete”

The Modified Regulations clarify that a business does not need to maintain three methods for receiving consumer requests, and no longer require an in-person method for receiving requests. As such, a business operating exclusively online only needs to provide an email address for receiving requests to know and delete. All other types of businesses must provide two methods to receive requests, but because the Modified Regulations provide that “a business only needs to provide one method that reflects the way in which it primarily interacts with consumers,” there remains a huge concern over the use of toll-free numbers. The ATP identified a number of issues with the use of toll-free numbers in its December 6, 2019 comments.

Further, a business now will have 10 business days to confirm receipt of a request to know or delete instead of 10 calendar days. The timeline to comply with a request to opt-out is being expanded from 15 calendar days to 15 business days. These extensions are welcome, but they do not address the main concern raised by the ATP that no confirmation notice ought to be required, given that a full response is required within 45 days; confirmation takes time away from working on the actual verification/response to meet the deadline.

However, the ATP sees as the most important change in this section of the Modified Regulations (see §999.312(a)) that a business is now able to deny a request to know or delete if the request cannot be verified within 45 days. If a business cannot verify a request to delete, it no longer must treat the unverified request as a request to opt-out.

7. Request to opt-in after opting out

The Modified Regulations allow a business to obtain an opt-in if the customer initiates a post-opt-out purchase of a service. Under this approach, in response to a sale of goods or services initiated by the customer, the business is permitted to request an opt-in once it informs the customer that the purchase or requested transaction requires the selling of personal information to third parties. The ATP submits that this requirement is inconsistent with the revised §999.341(b)(1), under which a service provider may use or disclose personal information it obtains in the course of providing services to a covered business “to perform the services specified in the written contract with the business that provided the personal information.” The ATP sees no reason why the business must execute a second step to inform the consumer that the purchase requires the “selling” of personal information; indeed, as we noted supra in paragraph 5, when the purchase only requires a “sharing” of personal information with a service provider, there is absolutely no need to inform the consumer because no “sale” of personal information is taking place.

8. Verification for non-account holders

The Modified Regulations expanded the means of verifying a consumer to include a response to an in-app and (for retailers) providing a transaction amount or item purchased (instead of a credit card number). In its December comments, the ATP urged the Attorney General to use this same concept of verification through transaction information, applying it to testing events that would be known to the test taker/consumer. The ATP requested that the Attorney General confirm that the language of the Modified Regulations covers the testing event situation.

The Modified Regulations also clarify that when any member of a household is under 13, verified parental consent must be obtained before a business may fulfill requests for access to or deletion of specific personal information. In its December letter, the ATP contended that affirmative parental consent ought to be sufficient, so we are gratified that the Attorney General now seems to agree with that position. However, the testing industry would welcome further clarification that affirmative parental consent is also sufficient across the board for the collection and use of personal information of a child under the age of 13.