Updates To The CCPA Proposed Regulations – What Changes Now?

Feb 17

On Friday, February 7, 2020, the California Office of the Attorney General (OAG) released revisions to its proposed implementing regulations to the California Consumer Privacy Act (CCPA). The OAG will accept comments regarding the proposed changes until Monday, February 24, 2020.

While the majority of the changes are made for clarification purposes, there are modifications or additions that likely affect a business’s CCPA compliance plan.

Below is a list of some of the material modifications or clarifications set forth in the revised proposed regulations:

I.  Privacy Policy Updates.

  • An express requirement has been written into the regulations that a business that must comply with the CCPA must have a privacy policy that complies with the CCPA.
  • A business that operates online need only provide an email address for submitting requests to know, in lieu of the prior inferred requirement that the business have an interactive webform accessible on the business’s website.

II.  New/Modified Requirements.

  • If personal information is collected from a consumer’s mobile device for a purpose the consumer would not reasonably expect, then a just-in-time notice must be provided.
  • A business registered as a data broker with the OAG does not need to provide a notice at collection to the consumer if it has included a link in its registration submission to its online privacy policy that includes instructions on how a consumer may opt-out.
  • The rules governing additional disclosures of a large quantity of personal information of California consumers for a commercial purpose (i.e., sale, purchase, sharing for commercial purpose) have been adjusted to apply to 10,000,000 or more California consumers affected in any calendar year.

III. Procedural Clarifications.

  • The definition of “personal information” has been revised to provide that if the business does not link the IP address to any particular consumer or household, and could not reasonably link the IP address, then the IP address is not “personal information”.
  • Revised examples setting forth appropriate delivery of the initial notice have been provided, specifically for delivery through a mobile application and over the telephone and notice at collection of employment-related information.
  • Clarification has been provided that electronic signatures complying with the Uniform Electronic Transactions Act qualify with respect to obtaining a signed attestation.
  • The two-step process for online requests for deletion has been made optional.
  • Additional clarification has been provided on the required content in a response to a request to know categories.
  • The CCPA accessibility requirements may be satisfied if the business generally follows recognized industry standards, including the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
  • Additional details on the “Do Not Sell My Personal Information” link and opt-out button have been provided for clarity.
  • The actions required with respect to back-up or archived data have been revised to narrow the scope of when deletion is required.
  • Clarification has been provided on certain actions allowed by a service provider, including internal use of personal information to improve the quality of services and the ability of service providers to respond to requests on behalf of a business.

The OAG did us a favor and included a redline to the originally proposed regulation.

To discuss the implications these proposed changes may have on your business’s compliance with the CCPA, please reach out to a member of our Privacy & Cybersecurity Practice Group.

Refer to the Privacy & Cybersecurity Practice Group’s prior publications on the CCPA for additional information on whether the CCPA applies to your business:

Lurking In The Shadows – How The California Consumer Privacy Act May Affect Your Business 

Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act

CCPA Doesn’t Apply To Financial Institutions? Think Again – Big Impacts On Banks Privacy Operations

HIPAA-Covered Entity Exemption To CCPA, Don’t Be Mistaken – You May Still Have To Comply
