California AG Modifies Draft CCPA Regulations — Again!
Over three months after the California Consumer Privacy Act (CCPA) went into effect, the California Attorney General’s Office (AG’s Office) still has not finalized regulations that are intended to give businesses better guidance on how to operationalize this complex and burdensome law. This week, the AG’s Office took another step in this process, releasing a new round of edits to its proposed rules.
For those keeping track: the AG’s office first released draft regulations in October 2019 and then released a First Set of Modifications in February 2020. With each release, the AG’s office sought public comments. This latest action is the Second Set of Modifications. The AG’s Office is again seeking public comments, which are due March 27, 2020.
However, in the category of rolling back helpful clarifications, the Second Set of Modifications removes a provision that had been added in the First Set of Modifications (and was welcomed by many businesses) that explained that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” See First Set of Modifications § 999.302(a). As a result, businesses are left with uncertainty as to how to treat collection of and consumer requests for IP addresses that are otherwise not associated with identifiable consumers or households.
In general, the continued stream of edits to these implementing regulations shows just how complex and confusing CCPA application is. Additionally, it makes it quite burdensome for covered businesses—who already have to comply with the law—to keep up.
If your business would like to weigh in (by March 27) on these draft regulations, or if you have questions about what these proposed modifications mean for your CCPA compliance efforts, do not hesitate to reach out to our team.