On March 11, 2020, the California Attorney General released the second set of modifications to the draft California Consumer Privacy Act (CCPA) regulations. This set of modifications contains deletions to language that was included in the February modifications to the regulations as well as some new language. Notable changes include the deletions of the “do not sell my personal information” logo/button as well as the section that provided guidance regarding the interpretation of CCPA definitions, particularly the language that indicated that if a business collected the IP address, but did not link it to an individual, that it did not fall within the definition of personal information.
The March regulations added some additional definitions as well as language that specifies that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information. In addition, language was added to provide that the notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.
For businesses that sell a consumer’s personal information, if a business denies a consumer’s deletion request, it must ask the consumer if they would like to opt-out of the sale of their personal information if the consumer has not already made a request to do so.
With respect to privacy policies, the March regulations added language that a privacy policy must identify the categories of sources from which the personal information is collected and that the categories be described in a manner that provides consumers a meaningful understanding of the information being collected. For businesses that sell personal information, the March regulations also specified that the business must Identify the business or commercial purpose for collecting or selling personal information and that the purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.
With respect to information that a business may collect such as social security numbers or driver’s license numbers, the March regulations now specify that although a business cannot release such information, it is required to disclose that it collects such information.
The deadline to submit comments to the regulations is March 27, 2020, by 5 p.m. PDT. Detailed information on the CCPA regulatory process is on the Attorney General’s website.