On Friday, February 7, 2020, California’s Office of the Attorney General (AG) posted modifications to the proposed California Consumer Privacy Act (CCPA) regulations along with a Notice of Modifications, a redline version showing the changes and an updated list of relied upon documents and information. According to the Notice, the “changes are in response to comments received regarding the proposed regulations and/or to clarify and conform the proposed regulations to existing law.” The AG will accept written comments regarding the proposed changes or materials added to the rulemaking file until Monday, February 24, 2020.
The proposed modifications provide some much-needed clarity to covered businesses in advance of the enforcement deadline and show that the AG seriously considered the comments and feedback it received. Below is a very brief summary of some (but not all) of the notable changes. A review of the redline version is recommended for a full understanding of all proposed modifications.
The modifications to the proposed regulations:
- fine-tune several definitions and add others, including “employment benefits” and “employment-related information”;
- provide an example illustrating that an IP address alone that cannot be reasonably connected to any specific consumer or household is not “personal information” under the CCPA;
- address the effect of amendment AB 25 related to the exemption of certain employment-related information from the CCPA and, like AB 25, those regulations are set to expire on January 1, 2021 unless the CCPA is amended again;
- offer more structure and clarity on the required consumer notices and handling requests to know and/or delete, including:
  - an overview of required notices in a new section;
  - request to know or delete submission methods including allowing on-line businesses to accept requests only via email and removing the interactive webform requirement for receiving requests;
  - guidance on handling confirmation of receipt of requests to know or delete and changing the two-step confirmatory process from required to permissive; and
  - circumstances under which a business is not required to search for personal information in response to a request to know;
- revise many of the examples and/or offer additional examples relating to personal information, notice (including providing notices on mobile devices), responding to requests, verification, and non-discrimination;
- provide the Do Not Sell button that was absent from the initial version of the regulations and remove the concept of a Do Not Sell logo;
- add language to address mobile device use and methods for providing required notices;
- refine timeframes, including changing the time to confirm receipt of a request to know or delete from “10 days” to “10 business days” and to respond to an opt-out request from “15 days” to “15 business days”;
- clarify the process for handling requests to know or delete related to household information (including a substantially revised definition of “household”); and
- when a financial incentive or price or service difference is involved, make clear that a good-faith calculation of the value of consumer data is required and provide some flexibility in selecting the calculation method.
The AG’s office published the initial set of regulations on October 11, 2019 and the comment period closed on December 6, 2019. With the comment period closing on the recently modified regulations on February 24, 2020, there is a chance, but no guarantee, that finalized regulations will be available well before the July 1, 2020 enforcement date. Therefore, it would be wise for businesses with operations that fall under the CCPA to proceed as if these modified regulations will be finalized.