On February 10, 2020, the California Attorney General’s Office released modified California Consumer Privacy Act (CCPA) regulations. There are some notable differences in the regulations from the first draft, which can be seen in this redlined version. This article will highlight some of the new language added in the latest draft of the regulations.
What’s not Personal Information?
The first important clarification comes with respect to the definition of personal information. For example, Section 999.302(a) of the regulations states that if a business collects the IP addresses of visitors to its website, but does not link that IP address to any particular consumer or household and could not reasonably link the IP address with a particular consumer, then those IP addresses collected would not be considered personal information for CCPA purposes.
The regulations continue to emphasize accessibility as a critical component of consumer rights. The accessibility language in the regulations is repeated in several sections addressing various consumer rights. The regulations specify that notices must be reasonably accessible to consumers with disabilities and that, for notices provided online, businesses shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, which are incorporated into the regulations.
Processes for Handling Consumer Requests
The regulations clarify that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address to which consumer requests concerning personal information can be submitted. The regulations add that the time period for businesses to confirm receipt of a consumer request to delete personal information is within ten (10) business days. The regulations also state that if a business is unable to verify the identity of the consumer within the 45-day time period, the business may deny the request.
Opt Out Button
The regulations provide an example of an opt out button that, if used, should be displayed to the left of the statement, “Do Not Sell My Personal Information.”
The regulations require businesses to maintain records of responses to consumer requests and how the business responded to the requests for at least twenty-four (24) months. New language included in the regulations also specifies that businesses must implement and maintain reasonable security procedures and practices in maintaining such records.
It is important to note that the regulations still provide that a violation of the regulations shall constitute a violation of the CCPA, and may be subject to the remedies provided therein.
The deadline to submit written comments to this latest version of the regulations is February 25, 2020, at 5:00 p.m. (PST).