1. A simpler opt-out process
The proposed modifications require that the opt-out process be easy to use: it may not impose multiple steps or pre-selected settings that create technical burdens for consumers. The consumer must still make an affirmative choice to opt out, and the method for doing so must be clearly communicated. The example opt-out button offered in the first set of draft regulations was removed in the second set of modifications. The notice of the right to opt out must be formatted so that it draws the consumer’s attention and is easily readable, including on smaller screens.
2. Less stringent parameters to notify third parties of the sale of personal information
A business that receives a consumer’s opt-out request is now required to notify third parties to refrain from selling that consumer’s personal information only if it sold the personal information to them in the period between the submission of the request and its fulfillment. Before this change, the business had to notify every third party to which it had sold the consumer’s personal information in the 90 days preceding the request.
3. Requests to search records declined under certain conditions
A business may decline to search certain records in response to a right-to-know request if it meets all four of the following conditions:
- It does not maintain the personal information in a searchable or reasonably accessible format.
- It maintains the personal information solely for legal or compliance purposes.
- It does not sell the personal information or use it for any commercial purpose.
- It describes to the consumer the categories of records that were not searched because the three conditions above were satisfied.
4. Unverified requests to delete no longer treated as opt-out requests
The new requirements eliminate the obligation to treat an unverified request to delete as a request to opt out. Instead, if a business that sells personal information cannot verify the identity of the individual submitting a request to delete, it must ask the consumer whether they would like to opt out of the sale of their personal information. Additionally, if a business denies a request to delete and the consumer has not already submitted a request to opt out, the business must inform the consumer of their right to opt out of the sale of their personal information.
5. Just-in-time notices required for mobile
The modified draft includes a specific focus on data collection through mobile devices. When a business collects personal information from a consumer’s mobile device in a way the consumer would not reasonably expect, for example a flashlight application that collects geolocation data, the business must provide a just-in-time notice summarizing the categories of personal information being collected. Studies suggest that roughly 70% of mobile applications, from weather apps to navigation and music-sharing services, collect such information.
6. Biometric data now covered under data not to be disclosed in a “Right to Know” request
Biometric data now appears on the list of data categories that a business shall not disclose in response to a “Right to Know” request, alongside a consumer’s Social Security number, driver’s license number, health insurance or medical identification numbers, and any other government-issued identification number. Biometric data is increasingly used in applications and services and is collected through facial recognition, fingerprint scanners, iris recognition, hand geometry and behavioral tracking such as keystroke dynamics. The business must inform the consumer with sufficient particularity that it collects this data, but must not disclose the actual data collected (e.g., the fingerprint scan itself, the Social Security number, the medical identification number). The practical reason is that a Right to Know response sent to someone impersonating the consumer would otherwise hand over exactly the identifiers most useful for fraud, and unlike a password, a compromised biometric cannot be reissued.