Blog
California Attorney General Issues Second Set of CCPA Modifications
Blog
March 30, 2020
The California Attorney General’s office released a second set of modifications to regulations implementing the California Consumer Privacy Act (CCPA) on March 11, 2020. These revisions address the concerns raised following the two-week comment period for the first revisions issued by the Attorney General’s first set of revisions (released February 10, 2020). The new modifications include changes to certain definitions, alterations to notice requirements, and adjustments to “Request to Know” requirements.
Definitions
The newest modifications delete Section 999.302—a section that was added to the February modifications to clarify the definition of “Personal Information” (PI). The now-deleted section, entitled “Guidance Regarding the Interpretation of CCPA Definitions” stated that information is only considered PI if it was maintained in such a way that it could be reasonably associated with a particular consumer or household. The section stated that IP addresses, for example, would not qualify as personal information, so long as the information was not maintained by a business in such a way that identification of a consumer was reasonably possible. This guidance has now been pulled. The definition of “Financial Incentive” has also been broadened to include any “program, benefit or other offering, including payments to consumers related to the collection, retention, or sale of personal information.”
Notice Requirements
The March 11th modifications cover several minor changes to various notice requirements. Under Section 999.305(d), businesses that do not collect PI directly from a consumer are not required to provide notice at collection to the consumer if the business does not sell the consumer’s personal information. And under Section 999.305(f)(2), employee notices are no longer required to link to the business’s privacy policies. The modifications also remove the suggested “Opt Out Button” design, (Section 999.306(f)), and require that a business who has actual knowledge that it sells the PI of minors under age 16 must update its privacy policy to include a description of the process required for minors or their guardians to opt in to the sale of PI (Section 999.308(c)(1)(g)).
Request to Know
Finally, the CCPA modifications will now require businesses to use “sufficient particularity” when informing consumers that the business has collected PI such as biometric data, Social Security numbers, government-issued identification numbers (i.e., driver’s license numbers), and other similar PI. Notably, the CCPA still prohibits businesses from disclosing the information itself.
The comment period for these new revisions ended on March 27, 2020, at 5:00 pm PST (the notice of second set of modifications to the CCPA can be found here). The redlined version of the regulations are available here.
TIP: We expect at least one more round of revisions to the regulations prior to the CCPA’s enforcement on July 1, 2020, which the Attorney General’s Office has stated COVID-19 will not delay. Companies that fall under the CCPA should monitor additional guidance or work with counsel to ensure compliance as the enforcement deadline looms.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.