Skip to main content

Updated Attorney General Regulations to the CCPA – A Series

The revised draft regulations to the California Consumer Privacy Act were issued by the California Attorney General’s office on February 7, and then modified on February 10.   These amendments are open for public comment under Tuesday, February 25, 2020 at 5 pm PST.

Starting tomorrow, we will update our October 2019 series of analyses of the various provisions of the draft regulations and operational impacts.  There are some key takeaways that will be examined in further detail in each installment of our series.

Notice Requirements Updated and Added

The revised regulations make clear that there are different notices required at different times, including a privacy policy, a notice at collection of the personal information, and a notice of right to opt-in if the business sells personal information.    Illustrative examples have been added and should be reviewed in the context of your business and information collection practices.

Requirements regarding accessibility have been further defined.   You will need to ensure that all notices are “reasonably accessible to consumers with disabilities” and for notices provided online, the revision specifies that this means that “at a minimum … the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium, incorporated herein by reference.  In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.”

Service Providers    

The revisions make clear that a service provider may use a business’ personal information “for internal use … to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.”   This is a significant improvement for service providers and any amendments to contracts entered into before January 1, 2020 should be reviewed again to ensure that service providers are able to avail themselves of this clarification.   Uses of personal information beyond obtained in the course of providing services should be analyzed to ensure that internal use would not include activities in the proviso for the service provider’s own use and not in the course of services rendered to the business.

Third Parties

The revised regulations no longer require that a third party that purchases personal information to contact the consumer directly to provide notice and an opt-out, or to contact the source and confirm that the source provided the required notice with attestations.

Nature of Personal Information

The revisions clarify that whether information is actually “personal information” for purposes of the CCPA will depend upon how the business maintains and uses the information.   New Section 999.302 says, for example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

Our series will analyze the revisions in detail in the five key areas:

Tomorrow:  Notices to Consumers

Friday:  Business Practices for Handling Consumer Requests

Tuesday:  Verification of Requests

Wednesday:  Special Rules Regarding Minors

Thursday:  Non-Discrimination

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.