General

Key Changes in the AG’s Updated Proposed CCPA Regulations

Published: Feb. 09, 2020

Updated: Jun. 13, 2023


This post was updated on 2/11/2020 to reflect revisions made by the California Attorney General on 2/10/2020.


The California Attorney General released an update to its proposed California Consumer Privacy Act Regulations, and companies have until 5 pm PT on February 24 to submit comments on this updated draft. Key changes include: 

Definitions

  1. Clarifying that to qualify as personal information (“PI”), information must be maintained in a manner such that it could be reasonably linked to a particular consumer or household. For example, IP addresses are not necessarily PI if a business cannot reasonably link them to a particular consumer or household. Therefore, a company that collects only IP addresses that are not tied to any other PI would not qualify as a “business” under the CCPA, or a business that cannot reasonably link IP addresses to a consumer would not need to process access or deletion requests for such data. 999.302(a).

Notice Requirements

  1. Confirming that the notice at collection is different than the privacy policy and must be given at or before collection of PI from a consumer but clarifying that this notice can be provided via a link on the business’s introductory page and any page on which PI is collected. 999.305(a)(3).
  2. Clarifying that for mobile apps, the link to the privacy policy, link to the DNS opt-out page, and the notice at collection should be in the settings menu (in addition to the download page as previously proposed). 999.306(b) and 308(b). 
  3. Adding a new requirement for “Just-in-Time” notices on mobile for any unexpected use of data. 999.305(a)(4). 
  4. Removing the requirement that the purpose of uses of PI and the categories of sources have to be listed separately for each category of information collected. This may remove the practical need to include charts in the privacy policy or in response to access requests.  However, it is still the case that for each category of PI collected, businesses must disclose (both in privacy policy and in response to access requests) the categories of third parties to which the information was disclosed or sold. 999.308(c).
  5. Clarifying that the requirement to obtain explicit consent from consumer if using PI for a previously undisclosed purpose applies only to previously-collected PI (which effectively codifies the FTC’s expectation that businesses obtain consent for material retroactive changes). 999.305(a)(5).
  6. Removing the requirement for data resellers to ensure that a “notice at collection” or “direct notice” was provided to consumers, provided they register as data brokers and, in that registration, include a link to their privacy policy containing opt-out instructions. 999.305(d).  

Do Not Sell 

  1. Clarifying that businesses do not need to offer employees or job applicants a “Do Not Sell” link but requiring that businesses present employees and applicants with a notice at collection, which can be a link to an employee-specific privacy policy. 999.305(e).
  2. Adding a new section that clarifies that businesses may not sell data collected while a Do Not Sell link was not posted, but that consumers whose data was collected during that time period are no longer deemed to have opted out, and therefore need not be counted for the reporting requirements. However, businesses must obtain affirmative authorization from those consumers to sell such data at a later time. 999.306(e).
  3. Providing a new Do Not Sell icon that can be used in addition to, but not instead of, a Do Not Sell link. 999.306(f).
  4. Clarifying that to be enforceable, a browser or other automated sale opt-out signal must be user-enabled and not set on by default.  999.315(d). Where that is the case, the signal cannot be ignored even if it conflicts with a user’s choice for that business, but rather the conflict has to be presented to the consumer to decide how to proceed. 999.315(d)(2).
  5. Replacing the 90-day lookback (i.e., the requirement to transmit a Do-Not-Sell request to parties to which a business sold PI in the 90 days prior to receipt of a Do-Not-Sell request), with a lookback only for all sales that occurred between the submission of a Do-Not-Sell request and the honoring of that request. 999.315(f).
  6. Noting that agents who submit access, deletion or opt-out requests must present something “signed by the consumer” giving them this authority. 999.315(g) and 999.326(a)(1).

Submission and Verification of Consumer Requests

  1. Clarifying that the verification process need only be described “in general” in the privacy policy. 999.308(c)(1).
  2. Incorporating an amendment to the statute whereby businesses that operate exclusively online and have a direct relationship with a consumer can satisfy the law by offering an email address for submitting access requests. However, such businesses must still provide two designated methods for deletion requests. 999.312(a).
  3. Explaining that a two-step process for submitting deletion requests is allowed, but no longer required. 999.312(d).
  4. Removing the requirement that businesses must treat an unverifiable request to delete as a request to opt out of sales but noting that in such situations businesses do have to ask consumers if they want to opt out of sales and point them to where they can go to opt out. 999.313(b).
  5. Clarifying when consumer requests pertaining to “households” must be honored – namely, when the household (and not an individual consumer living within a household) has a password-protected account with a business. Absent a password-protected household account, a business can only process a household access or deletion request if every member of the household submits a request, is independently verified by the business, and is able to show that they are currently members of that household. 999.318(a).

Responding to Requests 

  1. Clarifying that the right to request access relates to personal information (“PI”) that the business has “collected” about the consumer – not information that the business merely “has” about the consumer. 999.300(g).
  2. Creating new exceptions for access requests that eliminate the need to provide PI that is kept solely for legal or compliance purposes and is not reasonably accessible or searchable and not sold or used for commercial purposes. 999.313(c)(3).
  3. Clarifying that a service provider can disclose information to other service providers and use information it has to improve its services and for the standard legal and compliance uses specified in 1798.145 (a)(1) – (a)(4) of the statute.  However, these permissible uses do not include “building or modifying household or consumer profiles” or “cleaning or augmenting data obtained from another source.” 999.314(c). 
  4. Requiring service providers to respond to access or deletion requests they receive directly from consumers by either acting upon the request or informing the consumer that they cannot act on the request because they are acting as a service provider. 999.314(e).

Discrimination 

  1. Clarifying that refusing to delete information that is necessary to participate in a loyalty program that provides discounts is not discriminatory if that information is needed for the program but is discriminatory if the information is NOT needed to operate the program.   
  2. Providing additional guidance on ways a company can calculate the “value” of a consumer’s data, to justify price or service differentials related to CCPA data rights. 999.336 and 999.337. 

Recordkeeping

  1. Raising the threshold for recordkeeping and transparency requirements to 10,000,00 consumers, up from the 4,000,000 level (per calendar year).

Notably, the verification examples provided still do not help specify what needs to be collected to verify at a “reasonably high” degree of certainty.

Visit this page for more details on the AG’s CCPA rulemaking process, including background documents. After considering comments on the modified Regulations, the AG has the option to make further changes or finalize this modified version.  Once a final version of the regulations are released, they cannot take effect for at least one month, and enforcement cannot begin until July 1.