Alerts

Privacy Update for Private Fund Managers: Attorney General Issues Further Revisions to the California Consumer Privacy Act Regulations, as Businesses Call for Enforcement Delay Due to COVID-19

March 24, 2020

Due to the challenges presented by the COVID-19 pandemic, numerous trade associations and companies have asked the California Attorney General to delay enforcement[1] of the California Consumer Privacy Act (“CCPA”) until after July 1, 2020.[2] Nonetheless, the Attorney General’s work on finalizing the CCPA regulations continues to move forward.

Our March 10, 2020 Alert discussed key considerations for private fund managers raised by revisions to the proposed regulations for the CCPA (“Proposed Regulations”) issued by the California Attorney General in February.[3] On March 11, 2020, the Attorney General issued further revisions to the Proposed Regulations, two of which are of particular relevance to private fund managers. Absent a delay, the Proposed Regulations are expected to be finalized in the coming months and become effective on July 1, 2020.

Guidance on IP Addresses Withdrawn. Each draft of the Proposed Regulations seems to add confusion to issues regarding IP addresses. Under the CCPA, information is not “personal information” unless it is “reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”[4] The February revisions to the Proposed Regulations provided an example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”[5] The March revisions eliminate this guidance, without explanation from the Attorney General,[6] leaving managers again with a lack of clarity as to how the CCPA treats the collection of IP addresses from website visitors. Absent further guidance, fund managers who collect IP addresses through their websites are advised to disclose this practice in their website privacy notice, whether or not they have associated IP addresses with specific consumers.

Further Clarification to Service Provider Exception. The CCPA permits service providers to use personal information provided such use is limited to the “specific purpose of performing services specified” in a written contract.[7] The February revisions to the Proposed Regulations loosened this requirement to permit service providers to undertake certain activities not expressly set out in the written contract, such as improving the quality of its services or detecting against data security incidents.[8] The March revisions further clarify the CCPA’s service provider exception. In particular, the Proposed Regulations, as modified:

Permit service providers “to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA”; and
Specify that, in using data internally “to build or improve the quality of its services,” service providers may build or modify household or consumer profiles for the business that engaged them (but not for another business).[9]

Authored by Brian T. Daly, Marc E. Elovitz, Edward H. Sadtler, Kelly Koscuiszka and Jennifer A. Gordon.

If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.

[1] See, e.g., “COVID-19 Warrants CCPA Enforcement Delay, Calif. AG Told,” Law360, March 19, 2020, available here.

[2] The CCPA provides that the Attorney General may commence enforcement on July 1, 2020. However, a delay in enforcement would not provide businesses with full relief. While the CCPA precludes enforcement prior to July 1, 2020, actions brought after July 1 may relate back to conduct on or after the statute’s Jan. 1, 2020 effective date.

[3] The Attorney General’s website provides the complete text and updates on the rulemaking process for the Proposed Regulations.

[4] California Consumer Privacy Act, CAL. CIV. CODE § 1798.140(o)(1).

[5] Proposed Regulations, former 11 C.C.R. § 999.302(a).

[6] The numerous objections to the example expressed in comments submitted to the Attorney General after the release of the February draft provide some context for its deletion. Among the concerns voiced were that the example (1) would create a significant loophole for targeted advertising as IP addresses permit targeted advertising even if they cannot be tied to a consumer or household, (2) creates additional confusion as to whether other unique personal identifiers (as enumerated by the CCPA, such as cookies) are also exempt from the definition of personal information in similar circumstances, (3) fails to clarify what it means to “link” an IP address with a particular consumer or household, and (4) is contrary to legislative intent (as demonstrated by the prior rejection of proposed amendments with similar effect). Comments submitted to the Attorney General are available here.

[7] CAL. CIV. CODE § 1798.140(v).

[8] See our March 10, 2020 Alert for further details.

[9] 11 C.C.R. § 999.314(c).

This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2020 Schulte Roth & Zabel LLP.