California AG Modifies Draft CCPA Regulations — Again!
Over three months after the California Consumer Privacy Act (CCPA) went into effect, the California Attorney General’s Office (AG’s Office) still has not finalized regulations that are intended to give businesses better guidance on how to operationalize this complex and burdensome law. This week, the AG’s Office took another step in this process, releasing a new round of edits to its proposed rules.
For those keeping track: the AG’s office first released draft regulations in October 2019 and then released a First Set of Modifications in February 2020. With each release, the AG’s office sought public comments. This latest action is the Second Set of Modifications. The AG’s Office is again seeking public comments, which are due March 27, 2020.
As with the First Set of Modifications, some of the proposed modifications in this latest round help to clarify application of the CCPA. But others roll back helpful provisions that the AG’s Office had earlier proposed. For example, in the category of helpful changes, the Second Set of Modifications makes clear that: “A business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.” See Second Set of Modifications § 999.305(d). The originally proposed draft regulations essentially came to the same conclusion, but the First Set of Modifications introduced confusion. This latest edit clears up that confusion. Another helpful clarification is that: “The notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.” See Second Set of Modifications § 999.305(f)(2).
However, in the category of rolling back helpful clarifications, the Second Set of Modifications removes a provision that had been added in the First Set of Modifications (and was welcomed by many businesses) that explained that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” See First Set of Modifications § 999.302(a). As a result, businesses are left with uncertainty as to how to treat collection of and consumer requests for IP addresses that are otherwise not associated with identifiable consumers or households.
Examples of other modifications in this latest draft include changes to the Privacy Policy provisions, edits to the definitions for “financial incentive” and “price or service difference,” and deletion of the opt-out button or logo that had been proposed in the First Set of Modifications.
In general, the continued stream of edits to these implementing regulations shows just how complex and confusing CCPA application is. Additionally, it makes it quite burdensome for covered businesses—who already have to comply with the law—to keep up.
If your business would like to weigh in (by March 27) on these draft regulations, or if you have questions about what these proposed modifications mean for your CCPA compliance efforts, do not hesitate to reach out to our team.
