
InfoBytes Blog

Financial Services Law Insights and Observations

California AG releases second set of modified proposed CCPA regulations

State Issues State Attorney General CCPA Regulation Consumer Protection Privacy/Cyber Risk & Data Security


On March 11, the California attorney general released a second set of draft modifications to the proposed regulations implementing the California Consumer Privacy Act (CCPA). These modifications follow the initial proposed regulations published last October and the first set of draft modifications published last month (covered by Buckley Special Alerts here and here). According to a notice issued by the California Department of Justice, these changes are in response to roughly 100 comments received by the Department to the proposed February modifications and are intended “to clarify and conform the proposed regulations to existing law.”

Key modifications are as follows:

  • Personal Information. In the February modifications, a section was added to provide guidance regarding the interpretation of CCPA definitions and specifically defined the term “personal information” and provided an example of when IP addresses were not considered “personal information.” In the recent modifications, the Attorney General (AG) struck this section of the regulations.
  • Indirectly Receiving Personal Information. The modifications clarify that a business that does not collect personal information directly from a consumer is not required to provide a consumer with a notice at collection if it does not sell the consumer’s personal information.
  • Notice at Collection for Employees. The modifications clarify that the notice at collection of employment-related information is not required to include a link to the business’s privacy policy.
  • Opt-Out Button. The modifications strike a provision that previously provided a model for the opt-out button that companies could include on their websites as an additional way for consumers to opt out of selling their information, as well as information about when the button should be used.
  • Privacy Policy. The privacy policy section appears to have been updated to further align with the CCPA. In addition to the currently proposed disclosure requirements, the modifications provide that privacy policies also identify: (i) the categories of sources from which personal information is collected, and describe these categories in such a way that allows consumers to meaningfully understand the information being collected; and (ii) all business or commercial purposes for collecting or selling consumers’ personal information, and describe the purposes in a way that allows consumers to meaningfully understand why the information is collected and sold. Further, if a “business has actual knowledge that it sells the personal information of minors under 16 years of age,” it must provide a description of the processes as required by sections 999.330 and 999.331, which outline special rules regarding minors.
  • Responding to Requests to Know. While the regulations have made clear that there are certain types of data that a business must never disclose in response to a request to know, such as Social Security number, driver’s license or government ID number, biometric data, etc., the modifications clarify that when responding to a request to know, businesses must inform consumers “with sufficient particularity” that they have collected that type of information. The modifications provide the following example – the business must respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
  • Responding to Requests to Delete. The modifications provide that if a business denies a consumer’s request to delete, the business sells personal information, and the consumer has not already made a request to opt out of the sale, then the business must ask the consumer if he/she would like to opt out and include either the contents of, or a link to, the notice of right to opt-out.
  • Service Providers. The modifications clarify that a service provider may not retain, use, or disclose personal information obtained while providing services unless the information is used to “process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information” and complies with the CCPA’s requirements for a written contract for services. The modifications also add that while the service provider may use the personal information to build or improve the quality of its services, it may not build or modify household or consumer profiles to use in providing services to another business.
  • Training: Record-Keeping. The modifications clarify that information retained for record-keeping purposes may not be shared with third parties “except as necessary to comply with a legal obligation.”
  • Authorized Agent. The modifications clarify that businesses shall not require consumers, or a consumer’s authorized agent, to pay a fee to verify requests to know or to delete.
  • Calculating the Value of Consumer Data. The modifications provide that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons in the United States and not just consumers.

Comments on the second set of proposed modifications are due by March 27. As a reminder, the CCPA became effective January 1.