Client Alert: California Attorney General Releases Third Draft of Proposed CCPA Regulations
Yesterday, California Attorney General Xavier Becerra released a third set of draft regulations (the New Modifications) implementing the California Consumer Privacy Act (CCPA). The New Modifications incorporated comments provided after release of the Modified Draft Regulations on February 7, 2020 (February Draft Regulations). The deadline to submit written comments to the New Modifications is March 27, 2020. The final set of rules must be issued by July 1, 2020, the date enforcement of the CCPA is set to begin.
While there are fewer changes in the New Modifications than in the February Draft Regulations, these changes could still have a significant impact on your company’s CCPA compliance strategy. Some of the key changes include:
- DO NOT SELL BUTTON
- The New Modifications remove the confusing and highly-discussed “Do Not Sell” toggle button which was added in the February Draft Regulations.
- DEFINITION OF PERSONAL INFORMATION
- The New Modifications remove prior clarifications regarding data that will be considered “personal information.” For instance, the prior relaxation of when IP addresses would be considered “personal information” has been removed.
- The New Modifications add more specific requirements for businesses to include sources and reasons for collecting consumer information and remove certain other requirements for businesses to provide each category of third parties with whom the business shares personal information.
- RESPONSES TO INDIVIDUAL RIGHTS REQUESTS
- The Attorney General continues to pivot on the actions businesses must take when a request to delete personal information is denied. Originally, businesses were required to opt consumers out of the sale of personal information upon denial of a request to delete. Under the New Modifications, businesses must provide consumers with the option to opt-out of the sale of personal information at the time a deletion request is denied.
- When responding to a request to know, businesses must now disclose when the business has the consumer’s SSN, without actual disclosure of the SSN.
- SERVICE PROVIDERS
- The New Modifications revise the exemptions to the general rule that service providers may not retain, use, or disclose personal information obtained in the course of providing services by setting further limitations on the use of personal information.
For assistance with your CCPA compliance program or privacy laws in general, please contact John Landolfi, Christopher Ingram, Christopher LaRocco, Sarah Boudouris, Gretchen Rutz, or your Vorys attorney.