On February 10, the California Attorney General’s (AG) office released revised proposed modifications to the draft regulations for the California Consumer Privacy Act (CCPA).
Version 1.0 of the proposed regulations was released in October 2019 and offers a roadmap for compliance with the landmark consumer privacy law, which is now in effect.
The release of Version 2.0 came after a confusing day on Friday, February 7, when the AG’s office released another draft of Version 2.0 that inadvertently omitted a proposed revision to Section 999.317(g). Due to the confusion, the AG’s office has extended the deadline for public comments to February 25, 2020, at 5:00 p.m. PST.
Version 2.0 of the proposed regulations is a disappointment for those hoping to see finalized regulations now that the CCPA is in effect.
But, the new draft regulations offer further clarity for businesses seeking to comply with the hastily-passed law. They also scale back some provisions that were seen as exceeding the plain language of the statute.
Key changes to the proposed regulations
- Clarifies and provides added guidance for interpreting the CCPA’s defined terms. The regulations now offer guiding examples, including illustrations of:
- How to determine whether maintained information is “personal information”
- Categories of data sources and third parties that must be disclosed
- How to disclose information in a manner that is understandable to consumers
- Discriminatory and non-discriminatory practices
- Expands Version 1.0’s notice requirements at the point of collection of data to include “all web pages where personal information is collected,” mobile app download pages and within the app itself.
- Explains that a service provider in possession of a request to delete or request to know must either act on the business’s behalf in responding to the request or inform the consumer that it cannot process the request because it is a service provider.
- Allows for short-form notices that are in line with industry standards, such as the World Wide Consortium’s Web Content Accessibility Guidelines.
- Removes the requirement for a “Do Not Sell” link with regard to notices at collection for employment-related data.
- Permits website operators to provide consumers with an email address to use for submitting right-to-know requests, rather than mandating the creation of an interactive webpage. However, Version 2.0 still requires the creation of a toll-free number for consumers to call with their requests.
- Tweaks the timing of certain response requirements. Businesses would now have 10 business days to confirm receipt of a request to delete or right to know.
Adams and Reese’s previous alerts on the CCPA provide more detail on the data privacy rights established by the act, as well as additional potential action items for covered entities.
Our Privacy, Cybersecurity and Data Management team will continue to share the latest developments and provide insights on this issue.