California AG Modifies Draft CCPA Regulations — What Do They Mean for Compliance?

February 10, 2020

On February 7, 2020, over a month after the California Consumer Privacy Act (CCPA) went into effect, the California Attorney General (AG) released a second draft of its proposed CCPA regulations. The first draft, released in October 2019, was met with significant concern from businesses that are trying to comply with the complex, burdensome, and unclear law. The second draft provides additional guidance on some but not all areas of concern. Stakeholders interested in providing feedback on this latest round of proposals can submit written comments until February 24, 2020.  

Below we recap the development of the regulations to date, offer a high-level description of the new proposals, and assess what this all means for covered businesses. For a detailed summary of the regulations or for CCPA-compliance guidance, please contact our Privacy Team.

The CCPA Regulations Have Been Under Development for Over a Year

The CCPA went into effect on January 1, 2020, and while covered businesses are currently required to comply with the statute as written, the California AG continues to finalize the implementing regulations. The AG’s office conducted preliminary rulemaking activity starting in January 2019 and released draft regulations in October 2019, after which it hosted a series of public hearings and accepted written comments. Last Friday, the AG released further modified draft regulations.

The Modified Draft Regulations Provide Some Guidance, But Not Certainty

The latest round of proposed CCPA regulations keeps the vast majority of the regulations proposed in October, with targeted edits to address specific issues. In part, the second draft: 

  • Attempts to clarify key definitions and concepts. For example, the new proposal offers some insight into the threshold term “personal information,” explaining that “whether information is ‘personal information’ . . . depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably linked, or could be reasonably linked, directly or indirectly with a particular consumer or household,’” and providing an example of when an IP address may not be personal information. The proposal also attempts to clarify the meaning of “household.”
  • Affirms that under the CCPA, four consumer notices may be required. The modifications clarify that all covered businesses must provide a privacy policy, and that depending on a business’s practices, the CCPA may require up to three other notices: (i) notice at collection, (ii) notice of right to opt-out, and (iii) notice of financial incentive or price or service difference. The modifications clarify the accessibility requirements attached to these notice provisions, and make other edits to each of these individual notice requirements.
  • Modifies and/or clarifies requirements for enabling and responding to consumer requests. For example, the new draft removes the requirement for businesses to provide interactive web forms to facilitate requests to know and requests to delete. The new proposal also addresses how to calculate certain deadlines—in business or calendar days.
  • Clarifies service provider options. The modifications include a discussion of when a service provider may retain, use, or disclose personal information. They also clarify a service provider’s role in responding to consumer requests.
  • Proposes the long-awaited “Do Not Sell My Personal Information” button. The regulations make clear that the button can be used in addition to — but not in lieu of — the notice of the right to opt-out. The proposal would mandate placement and size requirements for the button to appear on private websites. The proposal provides the below sample:

Next Steps for Businesses: Compliance Amidst Uncertainty

While key details are still being interpreted in the active rulemaking process, covered businesses are already bound to comply with the law. The California AG, who has enforcement authority over the law’s privacy provisions, may not begin to enforce the law until July 2020. But the AG has made clear that once enforcement begins, it will look backward to January 1, 2020. The final regulations must be adopted by July 1, 2020.

Accordingly, covered businesses should evaluate their existing compliance plans in light of the new modifications to the proposed regulations. In a number of areas, such as posting notices, responding to consumer requests, and dealing with service providers, businesses should assess those compliance plans to determine whether changes are needed. The latest revisions provide important indications of where the AG is headed in a number of areas, which should be considered. At the same time, in considering what changes to make, businesses will need to keep in mind that the final regulations are still subject to change.

Finally, interested stakeholders have a new opportunity to comment on these modified draft regulations. The AG is accepting written comments until February 24, 2020 at 5 PM PST.
