CCPA Tweaked Again: California Attorney General Modifies Proposed Regulations

February 2020

On February 7, 2020, the California Attorney General released a modified draft of the initial proposed regulations from October 2019 (discussed here) relating to the California Consumer Privacy Act (CCPA), and then quickly fixed an omission from that draft a few days later. In addition to minor “clean up” items, the modified regulations also made a number of substantive changes. The modified draft of the proposed regulations is open to public comment until February 25, 2020.

Notable changes in the modified draft regulations include the following:

  • Scope of Personal Information. The modified regulations clarify that information only constitutes “personal information” if a business maintains such information in a manner that is reasonably capable of being linked to a particular consumer or household. For example, if a business collects an IP (internet protocol) address but does not link the IP address to a consumer or household, then that IP address would not be considered “personal information” under the CCPA. Businesses should review what they consider personal information in light of this clarification.
  • Access and Deletion Rights. The modified regulations include minor updates to the procedures for making and responding to access and deletion requests. Businesses would no longer be required to use two-step authorization for requests to delete, but doing so is permissible. The regulations also clarify when a business would not need to search for information in response to a request that a business disclose personal information that it has collected about the consumer, which could ease the burden for businesses in responding to requests. For example, a business would not be required to search for specific personal information in response to a request if it does not sell personal information and does not use personal information for any commercial purpose, or if it maintains the personal information solely for legal or compliance purposes. Last, if a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the modified regulations would permit the business to designate an email address as the sole method for submitting requests that a business disclose personal information that it has collected about the consumer, instead of having to provide at least two methods as previously required. All other businesses must provide two or more methods, including a toll-free number.
  • Opt-out Requests. The modified regulations would eliminate the requirement that a business convey opt-out requests from a consumer to all parties to which the business sold a consumer’s personal information in the 90 days before the consumer exercised this right. However, if a business sells a consumer’s personal information to any third parties after the consumer submits his or her request, the business would be required to notify such third parties that the consumer has exercised the right to opt-out and direct them not to sell the information.
  • Service Provider Limitations. The modified regulations contain additional limitations for service providers that businesses may consider referencing in service provider contracts. For example, the modified regulations would restrict a service provider from using personal information it receives from a business, except in the following circumstances: (1) performing services in the contract with the business that provided the personal information; (2) engaging a subcontractor as its service provider; (3) using the personal information internally to build or improve the quality of its services (provided that it does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source); (4) detecting data security incidents or protecting against fraudulent or illegal activity; or (5) processing in accordance with certain exemptions to the CCPA. Additionally, if a service provider receives a consumer request, the modified regulations would permit the service provider to respond to the request directly instead of merely advising the consumer to submit the request to the business.
  • Mobile Application Notices. The modified regulations also address mobile applications, including where businesses should post notices within such applications and when businesses need to post certain “just-in-time” notices. For example, a mobile application that collects personal information for a purpose that the consumer would not reasonably expect must provide a just-in-time notice (e.g., a popup message) to explain the information being collected.
  • Website Accessibility. The modified regulations would mandate that in providing notices online, businesses follow generally recognized industry standards for website accessibility, such as the Web Content Accessibility Guidelines (Version 2.1). In providing notices through other media, businesses must provide information on how a consumer with a disability can access the notice in an alternative format.

Although the modified regulations are only proposed, their release indicates that the California Attorney General is closer to finalizing them. The effective date of the finalized regulations depends on when they are officially filed with the California Secretary of State. For more information on compliance with the CCPA and its regulations, please contact one of our Cybersecurity & Data Privacy attorneys.