Keypoint: This modified draft of proposed regulations retracts some of the modifications as published on February 10 and adds new revisions. There is an additional comment period, which delays publication of final regulations and further shortens the time businesses will have to drive compliance before the July 1, 2020 enforcement date.

On Wednesday, March 11, 2020, the California Attorney General’s office published a notice of a second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The Attorney General’s office also published redline and clean versions of the second set of modified regulations.

In this post, we first provide a brief background on the regulatory process. We then discuss the most significant changes made in this latest round of revisions.

Background on Regulatory Process

The Attorney General’s office first published proposed CCPA regulations on October 11, 2019. On February 10, 2020, the Attorney General published modified proposed regulations that significantly revised the proposed regulations (see prior post here).

During the approximately two-week comment period that followed, the Attorney General’s office fielded approximately 100 comments concerning the modifications. Per the notice released March 11, the second set of modifications is in response to such comments as well as to “clarify and conform the proposed regulations to existing law.” The Attorney General’s office has stated that it will accept written comments on the proposed changes until 5:00 p.m. on March 27, 2020.

As with the February 10 modified proposed regulations, based on guidance previously published by the Attorney General’s office, this abbreviated comment period reflects the Attorney General’s determination that the changes are “substantial and sufficiently related,” but not “major,” which would require a new 45-day comment period. Following review of written comments (and assuming no further modified regulations are published), the Attorney General’s office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.

Notably, there is no indication that the Attorney General’s office has considered postponing the July 1, 2020, enforcement deadline. At this point, given that final regulations will not be published until April (at the earliest), businesses will only have three months to comply with the final regulations.

Analysis of Most Significant Changes

As a starting point, members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, March 17, to review and discuss the second set of modified draft regulations in greater detail. Register for the webinar.

The most significant changes made in the latest set of revisions are:

  • Deletion of Guidance on Definition of Personal Information – The Attorney General’s last round of proposed regulations added a new section 999.302, which explained that, to qualify as personal information, the information must be reasonably capable of being associated with a consumer or household. The regulation also explained that IP addresses that cannot be linked to consumers or households do not qualify as personal information. The second set of modified regulations now deletes section 999.302. At this point, businesses will be left to wonder why this section was added in February and then deleted in March.
  • Notice at Point of Collection – The regulations now state that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.” This addition resolves (assuming there are no other changes) a glaring omission in the modified regulations with respect to the provision of notices by entities that do not interact directly with consumers.
  • Employee Notices – Employee notices are no longer required to provide a link to any privacy policies (either online privacy policies or employee privacy policies).
  • Deletion of Opt-Out Button/Logo – The much-maligned opt-out button/logo has been deleted. The opt-out logo/button was first introduced in February and met with substantial criticism from privacy advocates who faulted it for being unclear or misleading. Presumably, the Attorney General’s deletion is in reaction to that criticism.
  • Changes to Privacy Policy Requirements – The Attorney General’s office once again modified the requirements for what businesses must state in their online privacy policies. The regulations now require businesses to “[i]dentify the categories of sources from which the personal information is collected” and “[i]dentify the business or commercial purpose for collecting or selling personal information.” The modifications also now require businesses that have actual knowledge that they collect the personal information of minors under 16 years of age to make additional disclosures in their privacy policies.
  • Responding to Requests to Know – The regulations still forbid businesses from disclosing certain types of personal information such as Social Security numbers and biometric information. However, the regulations now require businesses to inform consumers with sufficient particularity that the business has collected that type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
David Stauss

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Malia Rogers

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures as well as drafting breach response and action plans.

Bob Bowman

Bob advises clients on a range of intellectual property issues and keeps them current on emerging technologies. Bob is a forward thinker who keeps up with the changing landscape of technical innovation and the law surrounding the Internet of Things, blockchain, smart contracts and data privacy.

Megan Herr

Whether clients are forming, growing or governing businesses, Megan assists in the corporate deals and transactions necessary to move forward. A corporate attorney, Megan focuses her practice on helping clients of all sizes – from emerging startups to international corporations – establish, grow and protect business.