CCPA Tweaked Again: California Attorney General Modifies Proposed Regulations

February 2020

On February 7, 2020, the California Attorney General released a modified draft of the initial proposed regulations from October 2019 (discussed here) relating to the California Consumer Privacy Act (CCPA), and then quickly fixed an omission from that draft a few days later. In addition to minor “clean up” items, the modified regulations also made a number of substantive changes. The modified draft of the proposed regulations is open to public comment until February 25, 2020.

Notable changes in the modified draft regulations include the following:

  • Scope of Personal Information. The modified regulations clarify that information only constitutes “personal information” if a business maintains such information in a manner that is reasonably capable of being linked to a particular consumer or household. For example, if a business collects an IP (internet protocol) address but does not link the IP address to a consumer or household, then that IP address would not be considered “personal information” under the CCPA. Businesses should review what they consider personal information in light of this clarification.
  • Access and Deletion Rights. The modified regulations include minor updates to the procedures for making and responding to access and deletion requests. Businesses would no longer be required to use two-step authorization for requests to delete, but doing so is permissible. The regulations also clarify when a business would not need to search for information in response to a request that a business disclose personal information that it has collected about the consumer, which could ease the burden for businesses in responding to requests. For example, a business would not be required to search for specific personal information in response to a request if it does not sell personal information and does not use personal information for any commercial purpose, or if it maintains the personal information solely for legal or compliance purposes. Last, if a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the modified regulations would permit the business to designate an email address as the sole method for submitting requests that a business disclose personal information that it has collected about the consumer, instead of having to provide at least two methods as previously required. All other businesses must provide two or more methods, including a toll-free number.
  • Opt-out Requests. The modified regulations would eliminate the requirement that a business convey opt-out requests from a consumer to all parties to which the business sold a consumer’s personal information in the 90 days before the consumer exercised this right. However, if a business sells a consumer’s personal information to any third parties after the consumer submits his or her request, the business would be required to notify such third parties that the consumer has exercised the right to opt-out and direct them not to sell the information.
  • Service Provider Limitations. The modified regulations contain additional limitations for service providers that businesses may consider referencing in service provider contracts. For example, the modified regulations would restrict a service provider from using personal information it receives from a business, except in the following circumstances: (1) performing services in the contract with the business that provided the personal information; (2) engaging a subcontractor as its service provider; (3) using the personal information internally to build or improve the quality of its services (provided that it does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source); (4) detecting data security incidents or protecting against fraudulent or illegal activity; or (5) processing in accordance with certain exemptions to the CCPA. Additionally, if a service provider receives a consumer request, the modified regulations would permit the service provider to respond to the request directly instead of merely advising the consumer to submit the request to the business.
  • Mobile Application Notices. The modified regulations also address mobile applications, including where businesses should post notices within such applications and when businesses need to post certain “just-in-time” notices. For example, a mobile application that collects personal information for a purpose that the consumer would not reasonably expect must provide a just-in-time notice (e.g., a popup message) to explain the information being collected.
  • Website Accessibility. The modified regulations would mandate that in providing notices online, businesses follow generally recognized industry standards for website accessibility, such as the Web Content Accessibility Guidelines (Version 2.1). In providing notices through other media, businesses must provide information on how a consumer with a disability can access the notice in an alternative format.

Although the modified regulations are only proposed, their release indicates that the California Attorney General is closer to finalizing them. The effective date of the finalized regulations depends on when they are officially filed with the California Secretary of State. For more information on compliance with the CCPA and its regulations, please contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
News

David W. Sweeney Represents Advantes Group in $7.2 Million Apartment Project

More
News

Lewis Rice Wins Nearly $500,000 in Compensation for Sarasota Landowners

More
Client Alert

Property Owners Can Push the Issue Under Illinois Mechanic’s Lien Law

More
News

Michael R. Thiessen Recognized as Pro Bono Spotlight by KCMBF for August

More
Client Alert

FTC Adds Teeth to the ‘Made in USA’ Rule

More
News

Lauren R. Carey Creates New Blog for Social Media Influencers

More
Diversity & Inclusion

Golf Foundation of Missouri Awards First Larry L. Deskins, Sr. Scholarship

More
News

Matthew J. Haas Offers Commentary for Inside P&C Article on Business Interruption Insurance and COVID-19

More
News

Four Lewis Rice Attorneys Named 2022 “Lawyer of the Year” by Best Lawyers

More
News

Lewis Rice Wins $1.5 Million in Compensation for Covington Landowners

More
Client Alert

Missouri Now Requires Employers to Provide Leave and Accommodations for Victims of Domestic and Sexual Violence

More
News

Lewis Rice Recognized as Top M&A Firm by BTI Consulting Group

More
Client Alert

Supreme Court Limits Ability to Compel Access to Private Property Without Compensation

More
News

Brian P. Pezza Quoted in SHRM Articles on Employee Vaccination Status Disclosure and Employer Vaccination Policies

More
News

Michael D. Mulligan Publishes Article in ACTEC Law Journal Comparing Sales to an Intentionally Defective Irrevocable Trust and a to Beneficiary Intentionally Defective Irrevocable Trust

More
Client Alert

FTC Reverses Course on Treatment of Debt Payoff Under HSR Act

More
Client Alert

OSHA’s New Guidance Regarding Indoor Mask Wearing, COVID-19 Vaccination Mandates, Regular Testing of Unvaccinated Workers, and More

More
News

John C. Bodnar Named BTI M&A Client Service All-Star

More
News

Neal F. Perryman Named to Missouri’s POWER List in Employment Law by Missouri Lawyers Media

More
News

61 Lewis Rice Attorneys Named Best Lawyers for 2022, 16 Named Ones to Watch

More