California Attorney General Releases Modified CCPA Regulations
The Attorney General released a second set of modifications to its proposed California Consumer Privacy Act (CCPA) Regulations.
On Tuesday, March 11, the California Attorney General (AG) released the third draft of proposed CCPA regulations for public comment. The draft contains a series of updates, along with a handful of incremental modifications to the prior draft. Areas focused on include consumer notices, privacy policies, consumer requests, and verification rules.
Summary of Key Modifications
Notice at Point of Collection – A business that does not collect personal information directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information.
Responding to Requests to Know/Delete
- Businesses cannot provide social security numbers (SSN), health insurance numbers, biometrics, etc. But should inform the consumer that they have collected that type of information
- Unverified request to delete – requirement to ask if they want to opt-out deleted but kept in a different section – see next
- If a business that sells PI denies request to delete, that business shall ask if they want to opt-out and include a link to or contents of the notice of right to opt-out
Guidance on IP Addresses – The AG abruptly removed guidance indicating that an IP address that does not link to a particular consumer or household would not be “personal information.”
Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld. For example, a business should not provide an actual social security number but should state that it holds the consumer’s social security number.
Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt-out of the sale of their personal information.
Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.
The deadline to submit written comments to the proposed modifications is March 27, 2020. Our team will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA.