California Attorney General Releases Modified Proposed CCPA Regulations


12 minute read | February 13, 2020

The California attorney general last week released modifications to the proposed regulations announced last October (covered by a Special Alert) implementing the California Consumer Privacy Act (CCPA). The CCPA—enacted in June 2018 (also covered by a Special Alert) and amended several times—became effective Jan. 1.

A summary of key modifications to the proposed regulations follows:

  • Definitions. The modifications clarify certain definitions and add a few definitions, including (i) clarifying the persons or entities that fall within “categories of sources” and “categories of third parties”; (ii) adding definitions for the terms “employment benefits” and “employment-related information”; (iii) clarifying the definition of the term “household,” which will now include a person or a group of people who “reside at the same address,” “share a common device or the same service provided by a business,” and “are identified by the business as sharing the same group account or unique identifier”; and (iv) adding the term “signed,” which means “the written attestation, declaration, or permission has either been physically signed or provided electronically per the Uniform Electronic Transactions Act.”
  • Personal Information. The modifications reiterate that whether information is “personal information” depends on how the business maintains the information, noting, for example, “if a business collects the IP addresses of visitors to its website but does not and could not link the IP address to any particular consumer or household, then the IP address would not be ‘personal information.’”
  • Required Notices. The modifications stipulate when businesses are required to provide privacy policies, notices at collection, and opt-out notices, as well as notices of financial incentives. The modifications further provide the following guidance with respect to the various notices:

    • For online notices provided at or before the point of collection, businesses should follow industry-recognized standards, such as the Web Content Accessibility Guidelines version 2.1 of June 5, 2018, to ensure that the notice is reasonably accessible to consumers with disabilities.
    • In addition, when personal information is collected through mobile applications, businesses may provide a link on the app’s download page and “within the application, such as through the application’s settings menu.” For information collected over the telephone or in person, the business may provide the notice orally. However, if a business collects personal information from a consumer’s mobile device for a purpose not reasonably expected by the consumer, the business must provide a “just-in-time notice” that contains a summary of categories being collected as well as a link to the full notice at collection.
    • The modifications clarify that a business may not use a consumer’s personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
  • Data Brokers. The modifications provide that data brokers registered with the AG do not need to provide a notice at collection to a consumer if their registration submission includes a link to the company’s online privacy policy with instructions on how a consumer can submit a request to opt-out.
  • Employee Notices. The modifications state that employment-related notices do not need to contain links to the “Do Not Sell” options. However, notices may provide a link to a business’s privacy policy for job applicants, employees, or contractors instead of a link to its privacy policy for consumers. This subsection will become inoperative on January 1, 2021, unless the CCPA is amended otherwise.
  • “Do Not Sell” Button. The modifications provide a model for the opt-out button and additional information about when this button should be used. For example, when the opt-out button is used, it must appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, and be approximately the same size as other buttons on the business’s webpage. Further, a business cannot sell the personal information it collected during the time it did not have a notice of right to opt-out posted unless it obtains the consumer’s consent.
  • Privacy Policy. The modifications streamline the privacy policy requirements to remove some of the duplicative disclosure requirements related to the sale and disclosure of personal information. Specifically, the modifications state that a privacy policy’s “right to know” section should meaningfully disclose, among other things:

    • The categories of personal information collected in the preceding 12 months;
    • The categories of personal information disclosed for a business purpose or sold to a third party in the past 12 months, and for each category, the categories of third parties to whom the information was disclosed or sold; and
    • Whether the business sells personal information, and if the business sells personal information, it must either link or provide the opt-out notice.
  • Methods for Submitting Requests to Know and Requests to Delete. The AG’s office modified the proposed regulations to align with the CCPA requirements (e.g., permitting a business that operates exclusively online and has a direct relationship with a consumer to provide only an e-mail address for submitting requests to know). The modifications also provide examples of in-person methods for submitting requests, but remove the illustrative examples of the methods for submitting requests.
  • Responding to Requests to Know and Requests to Delete. The modifications clarify that businesses must confirm requests within 10 business days and may provide confirmation in the same manner in which the request was received. Furthermore, responses to requests must be given within 45 calendar days, and if a business cannot verify a consumer within this time period, the business may deny the request. If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days from the day the request is received, as long as the business provides the consumer with notice and an explanation of the reason that it will take longer to respond to the request. The modifications also clarify the information that a business must provide when responding to a verified request to know the categories of personal information.
  • “Right to Know” Exceptions. The modifications struck the exception prohibiting a business from providing specific pieces of personal information “if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks.” Now a business will not need to search for personal information in response to a request if the business (i) does not maintain the personal information in a searchable or reasonably accessible format; (ii) maintains it only for legal and compliance purposes; (iii) does not sell the information or use it for any commercial purpose; and (iv) describes in its response to the consumer the categories of records that it did not search but which may contain the information. The modifications further state that a business may deny a consumer’s verified request for specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based on an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.

    • Request to Delete/Opt-Out Notice: For requests to delete, if the business is unable to verify the requestor’s identity and it sells personal information, it also must ask consumers—even if they have not made the opt-out request—if they want to opt out of the sale of their personal information and include a link to the opt-out. In fulfilling a deletion request, the business must inform the consumer whether it complied with the request but does not need to specify the manner in which it deleted the personal information and will not be required to (but may) use a two-step deletion confirmation process.
    • No Fee for Verification: A business cannot require a consumer to pay a fee for the verification of a request to know or request to delete. “For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.”
  • Service Providers. The modifications provide that if a business directs a second business to act as its service provider and the second business otherwise meets the requirements and obligations of a “service provider,” the second business will be considered the “service provider” of the business for purposes of the CCPA. The modifications also clarify that service providers may not retain, use, or disclose personal information obtained while providing services unless the information is used (i) to perform specific outlined services; (ii) to retain and employ another service provider as a subcontractor that meets and complies with the necessary requirements; (iii) for internal use to build or improve the quality of the service provider’s services, “provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source”; or (iv) to detect security incidents or to prevent fraudulent or illegal activity. The modifications also require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information, and outline requirements for service providers when receiving requests to know or requests to delete.
  • Requests to Opt-Out of Sale of Personal Information. The modifications emphasize that the opt-out method must be easy for consumers to execute and require minimal steps. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.” Further, specifications related to global privacy controls state that “[a]ny privacy control developed in accordance with these regulations shall clearly communicate or signal that a consumer intends to opt-out of the sale of personal information.” This privacy control must require a consumer to affirmatively select a choice and must not be designed with pre-selected settings. Should conflicts arise with existing business-specific settings or a business’s financial incentive program, the business must respect the global privacy control but may notify the consumer of the conflict and allow the consumer the opportunity to confirm the settings or program. The modifications also clarify that a business has 15 business days to comply with an opt-out request. Notably, the modifications stipulate that businesses will not need to notify third parties to whom they sold the consumer’s data within the preceding 90 days; rather, businesses will only be required to notify third parties when the business sells personal information to third parties between the date of the opt-out request and the date of compliance. In these circumstances, the business must direct the third parties not to sell the consumer’s information.
  • Requests to Opt-In After Opting Out. The modifications clarify that if a consumer who has opted-out of the sale of their personal information initiates a transaction or attempts to use a product or service that requires the sale of personal information, businesses may inform consumers that the transaction, product, or service requires the sale of their personal information, as well as provide instructions for opting in.
  • Training; Record-Keeping. The modifications require businesses to “implement and maintain reasonable security procedures and practices in maintaining” consumer requests and responses to requests. Moreover, information retained for record-keeping purposes may not be shared with third parties.
  • Large-Volume Businesses. Businesses that buy, receive for the business’s commercial purposes, sell, or share for commercial purposes, the personal information of ten million or more consumers (up from four million or more consumers) in a calendar year must compile and disclose required information by July 1 of every calendar year in their privacy policy (or on their website and accessible from a link included in their privacy policy) with certain outlined metrics and information.
  • Household Requests. The modifications set forth when a business may respond to a “household” request and clarify that, in terms of responding to “household” requests, if “a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and delete relating to household information through the business’s existing business practices and in compliance with [the] regulations.” If a member of a household is under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to CCPA-mandated parental consent. The modifications further add that businesses must establish a reasonable method for determining whether a person submitting a request to know or delete the personal information for a child under 13 is the parent or guardian of that child.
  • Authorized Agent. The modifications provide that a privacy policy must provide instructions on how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf (rather than merely how a consumer can designate an authorized agent). When a consumer uses an authorized agent to submit requests to know or delete, the business may request that the consumer directly confirm the authorized agent has permission to submit the request. In addition, the modifications set forth requirements for authorized agents. Authorized agents now will be responsible for implementing and maintaining reasonable security measures to protect the consumer’s personal information, and may not use the consumer’s personal information, or any other collected information, for any purpose other than to fulfill a consumer’s request, for verification, or to prevent fraud.
  • Non-Discrimination. The modifications specifically provide that a “business’s denial of a consumer’s request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory.” The modified regulations provide a number of illustrative examples related to whether particular scenarios would be considered discriminatory, including certain loyalty program examples.
  • Calculating the Value of Consumer Data. The modifications clarify that for the purpose of calculating the value of consumer data, a business may consider the value of the data of all natural persons to the business and not just consumers. In addition, the modifications provide that if a business is unable to calculate a good-faith estimate of the value of the consumer’s data or is unable to show that the incentive or price or service difference is reasonably related to the value of the data, the business must not offer the financial incentive or price or service difference.

According to a press release issued by the AG, the proposed modifications are subject to another public comment period ending Feb. 25, and no enforcement actions under the CCPA will be issued before July 1.

If you have any questions regarding the CCPA or other related issues, please visit our Cyber, Privacy & Data Innovation practice page or contact an Orrick attorney with whom you have worked in the past.