skip to main content
CookiePro Blog March 20, 2020

California Attorney General Releases Modified CCPA Regulations

On Tuesday, March 11, the California Attorney General (AG) released the third draft of proposed CCPA regulations for public comment. The draft contains a series of updates, along with a handful of incremental modifications to the prior draft. Areas focused on include consumer notices, privacy policies, consumer requests, and verification rules.

Summary of Key Modifications

Notice at Point of Collection – A business that does not collect personal information directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information.

Responding to Requests to Know/Delete

  • Businesses cannot provide social security numbers (SSN), health insurance numbers, biometrics, etc. But should inform the consumer that they have collected that type of information
  • Unverified request to delete – requirement to ask if they want to opt-out deleted but kept in a different section – see next
  • If a business that sells PI denies request to delete, that business shall ask if they want to opt-out and include a link to or contents of the notice of right to opt-out

Guidance on IP Addresses – The AG abruptly removed guidance indicating that an IP address that does not link to a particular consumer or household would not be “personal information.” 

Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld.  For example, a business should not provide an actual social security number but should state that it holds the consumer’s social security number.

Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt-out of the sale of their personal information.

Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.

The deadline to submit written comments to the proposed modifications is March 27, 2020. Our team will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA.

Recent Posts

CookiePro by OneTrust is an IAB Europe TCF...
Today, we’re excited to share the news that we are […]
+ View Article
Introducing OneTrust Athena to CookiePro...
We’re excited to share the launch of OneTrust Athena, a […]
+ View Article
What’s the Difference Between IAB TCF...
The Interactive Advertising Bureau (IAB) is gearing up for the […]
+ View Article
IAB TCF v2.0: Top 10 Things to Know
Ready to learn the nitty-gritty facts about this framework? Here’s a list of 10 top things you need to understand about the IAB TCF 2.0.
+ View Article
Contact Us Close
Contact Us
Contact Sales
Contact Support
Request Quote
This site is protected by reCaptcha and the Google Privacy Policy and Terms of Service apply.
Request Demo
This site is protected by reCaptcha and the Google Privacy Policy and Terms of Service apply.
General Request
This site is protected by reCaptcha and the Google Privacy Policy and Terms of Service apply.
Open a Ticket
This site is protected by reCaptcha and the Google Privacy Policy and Terms of Service apply.
Thank You
Thank You!
We have received your submission and will be in touch with you soon.
There was an error with your form submission. Please reload the page and try again.