California Attorney General Releases Second Set of Modifications to Proposed Regulations

On March 11, 2020, the California Attorney General’s office announced the release of a second set of modifications to the proposed regulations for the California Consumer Privacy Act (CCPA). The release includes the text of the new modifications in both a redline version and clean version.

 

The Attorney General has allowed for a written comment period regarding the new proposed changes by mail or e-mail until March 27, 2020. Final regulations are expected to be issued following the new comment period, and in no event later than the July 1, 2020 enforcement deadline.

 

The second set of modifications make several notable changes and provide some further clarification to the proposed modifications including:
 
►Removal of Section 999.302: Guidance Regarding the Interpretation of CCPA Definitions. The Section was previously added in the February modifications, and provided guidance on what should be considered personal information.
►Removal of Opt-out Button or Logo. Section 999.306(f) has been removed from the latest version of the modified regulations after being added in the last release in February. It provided a sample of an opt-out button or logo that could be provided in addition to providing a notice of right to opt-out.
►Clarification for Notice at Point of Collection. Section 999.305(d), added in the second set of modifications, provides that a “business that does not collect personal information directly from a consumer does not need to provide a notice of collection to the consumer if it does not sell the consumer’s personal information.”
 
Additionally, a data broker registered with the Attorney General does not need to provide a notice at point of collection to a consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.
 
►Update to Employee Notices. Employee notices for collection of employment-related information is no longer required to provide a link to the business’s privacy policy.
►Update to Request to Know. In response to a request to know, a business cannot disclose personal information specific to a consumer such as Social Security Number, driver’s license number or unique biometric data. However, the latest modification adds that a business “shall inform customers with sufficient particularity that it has collected the type of information.”
►Update to Content of Privacy Policy. The second set of proposed modifications adds back some of the content requirements for privacy policies that were removed by the initial modifications. Specifically, privacy policies must identify both the categories of sources from which the personal information is collected and the business or commercial purpose for which it is being collected or sold.

---