Client Alert: California Attorney General Releases Modified CCPA Draft Regulations

On February 7, 2020, California Attorney General Xavier Becerra released proposed modifications (the Modifications) to the previously released draft regulations implementing the California Consumer Privacy Act (CCPA). The deadline to submit written comments on the proposed Modifications is February 24, 2020.

Contrary to initial suggestions from the Attorney General, the newly-released Modifications add numerous changes to the initial draft regulations. The Attorney General will begin enforcing the CCPA on July 1, 2020.

The Modifications include the following notable changes and clarifications:

The Definition of “Personal Information” and “Household”

Under the Modifications, whether data is considered “personal information” will now depend on how a business maintains that information. For instance, even if certain data collected (e.g., IP address) may technically satisfy the CCPA’s definition of “personal information,” if the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be “personal information.”

The Modifications also clarify that a “household” means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier.

The Relationship Between Loyalty Programs and the Right Not to Be Discriminated Against

When the CCPA first passed, a concern of companies offering loyalty programs was that honoring a deletion request could be considered discriminatory because the consumer would no longer have access to the loyalty program’s benefits once the information was deleted. However, the Modifications suggest that if a consumer requests deletion but informs the business that he or she would like to remain in a loyalty program, the business may deny the deletion request as to the information necessary for participation in the loyalty program.

Service Providers’ Use of Personal Information Provided By or Obtained on Behalf of a Business

The Modifications state that a service provider may use a business’s personal information to build or improve the quality of the service provider’s services, so long as the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source. This represents a substantial change from the initial draft regulations and could lessen the challenge of establishing your business’s vendors as service providers, a key component in simplifying compliance under the CCPA.

Notice Provided By Third Parties

Third parties that purchase personal information are no longer required to contact the consumer directly to provide notice and an opt-out, or to contact the source and confirm that the source provided the required notice.

Privacy Policy Requirements

The Modifications have added new components which must be disclosed in a business’s privacy policy. For instance, the Modifications require disclosure of the categories of personal information the business sold in the preceding 12 months and, for each category, the categories of third parties to whom they sold it. The Modifications also provide clarity for privacy policy compliance where a business collects personal information from a mobile application.

Responses to Individual Rights Requests

The Modifications add several clarifications surrounding how a business can respond to a consumer request:

Do Not Sell Button

The Modifications provide additional information about the voluntary use of an opt-out button. When the opt-out button is used, it should be the same size as other buttons on the webpage.

Website Accessibility

The Modifications incorporate the Web Content Accessibility Guidelines (WCAG) version 2.1 of June 5, 2018, from the World Wide Web Consortium for website accessibility compliance.

For assistance updating your privacy policy or for questions regarding the Modifications, the CCPA, or privacy laws in general, please contact John Landolfi, Christopher Ingram, Sarah Boudouris, Chris LaRocco, or your Vorys attorney.