CCPA Tweaked Again: California Attorney General Modifies Proposed Regulations

February 2020

On February 7, 2020, the California Attorney General released a modified draft of the initial proposed regulations from October 2019 (discussed here) relating to the California Consumer Privacy Act (CCPA), and then quickly fixed an omission from that draft a few days later. In addition to minor “clean up” items, the modified regulations also made a number of substantive changes. The modified draft of the proposed regulations is open to public comment until February 25, 2020.

Notable changes in the modified draft regulations include the following:

  • Scope of Personal Information. The modified regulations clarify that information only constitutes “personal information” if a business maintains such information in a manner that is reasonably capable of being linked to a particular consumer or household. For example, if a business collects an IP (internet protocol) address but does not link the IP address to a consumer or household, then that IP address would not be considered “personal information” under the CCPA. Businesses should review what they consider personal information in light of this clarification.
  • Access and Deletion Rights. The modified regulations include minor updates to the procedures for making and responding to access and deletion requests. Businesses would no longer be required to use two-step authorization for requests to delete, but doing so is permissible. The regulations also clarify when a business would not need to search for information in response to a request that a business disclose personal information that it has collected about the consumer, which could ease the burden for businesses in responding to requests. For example, a business would not be required to search for specific personal information in response to a request if it does not sell personal information and does not use personal information for any commercial purpose, or if it maintains the personal information solely for legal or compliance purposes. Last, if a business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, the modified regulations would permit the business to designate an email address as the sole method for submitting requests that a business disclose personal information that it has collected about the consumer, instead of having to provide at least two methods as previously required. All other businesses must provide two or more methods, including a toll-free number.
  • Opt-out Requests. The modified regulations would eliminate the requirement that a business convey opt-out requests from a consumer to all parties to which the business sold a consumer’s personal information in the 90 days before the consumer exercised this right. However, if a business sells a consumer’s personal information to any third parties after the consumer submits his or her request, the business would be required to notify such third parties that the consumer has exercised the right to opt-out and direct them not to sell the information.
  • Service Provider Limitations. The modified regulations contain additional limitations for service providers that businesses may consider referencing in service provider contracts. For example, the modified regulations would restrict a service provider from using personal information it receives from a business, except in the following circumstances: (1) performing services in the contract with the business that provided the personal information; (2) engaging a subcontractor as its service provider; (3) using the personal information internally to build or improve the quality of its services (provided that it does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source); (4) detecting data security incidents or protecting against fraudulent or illegal activity; or (5) processing in accordance with certain exemptions to the CCPA. Additionally, if a service provider receives a consumer request, the modified regulations would permit the service provider to respond to the request directly instead of merely advising the consumer to submit the request to the business.
  • Mobile Application Notices. The modified regulations also address mobile applications, including where businesses should post notices within such applications and when businesses need to post certain “just-in-time” notices. For example, a mobile application that collects personal information for a purpose that the consumer would not reasonably expect must provide a just-in-time notice (e.g., a popup message) to explain the information being collected.
  • Website Accessibility. The modified regulations would mandate that in providing notices online, businesses follow generally recognized industry standards for website accessibility, such as the Web Content Accessibility Guidelines (Version 2.1). In providing notices through other media, businesses must provide information on how a consumer with a disability can access the notice in an alternative format.

Although the modified regulations are only proposed, their release indicates that the California Attorney General is closer to finalizing them. The effective date of the finalized regulations depends on when they are officially filed with the California Secretary of State. For more information on compliance with the CCPA and its regulations, please contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
News

Michael D. Mulligan, Mysun Charitable Foundation Recognized at Greensfelder Park Ribbon Cutting Ceremony

More
Client Alert

DOL Publishes Cybersecurity Guidance for Benefits Plans

More
Client Alert

FTC Adds Teeth to the ‘Made in USA’ Rule

More
Client Alert

Supreme Court Hands Down Unanimous Decision Limiting FTC’s Ability to Seek Monetary Relief

More
Diversity & Inclusion

Lewis Rice Launches “Next Level” Diversity and Inclusion Programs

More
News

A Lawyer’s Guide to the Galaxy Podcast Named Among Best Copyright Law Podcasts for 2021 by Welp Magazine

More
Client Alert

The Changing Workplace Following the Latest CDC Mask Guidance

More
Client Alert

EEOC Issues Updated Guidance on COVID Vaccination Policies

More
Diversity & Inclusion

Law Firm ILN-telligence Podcast Hosts Ronald A. Norwood to Discuss Mentorship, Diversity & Inclusion in the Legal Industry, and the Importance of Equity for All

More
Client Alert

Missouri Supreme Court Reverses Overtime Wages Judgment Resulting from Employer-Mandated Screenings Under the Portal-to-Portal Act

More
Client Alert

Missouri Supreme Court Holds that Public Governmental Bodies May Not Charge for Attorney Review Time

More
News

Jeannine Moentmann Becomes President of St. Louis Paralegal Association for 2021-2022

More
News

Claims Filed for Compensation in North Carolina Ecusta Trail Rail-to-Trail Case

More
News

Jeremy P. Brummond Presents at Webinar for Experienced Construction Attorneys

More
Client Alert

Supreme Court Limits Ability to Compel Access to Private Property Without Compensation

More
Client Alert

Colorado Joins the Bandwagon, Enacts Comprehensive Privacy Law

More
Client Alert

First-Issued Interim Final Rule Gives Guidance on No Surprises Act

More
News

Lewis Rice Welcomes 2021 Summer Associates

More
Client Alert

CROWN Act Legislation on the Verge of Passage in St. Louis City & County

More
Client Alert

The New Standard Contractual Clauses: Scope, Impact, and Next Steps

More