California AG Updates CCPA Regulations

The long wait—two excruciating months from the end of initial public comment—is over. The California Attorney General’s office, in a bid to ruin the weekend for privacy professionals around the country, released modified CCPA regulations late in the work day on Friday, February 7. Dutifully, we took a look. And suffice it to say, we were quite surprised at the extent of the makeover.

Previously, we thought there was a good chance the modifications to the regulations would be limited. Attorney General Xavier Becerra had even stated that no “major” changes were planned to the proposed regulations. But the redline version (a public good for which we can’t express enough gratitude to the AG’s office) has so many strikethroughs and red additions that the regulations have the appearance of a confused tiger.

The implication of all those changes is that the Attorney General’s office took seriously the approximately 1,700 pages of comment submitted by the public, not to mention the hours and hours of public hearings. And for that, the tireless individuals in that office (who, remember, have a large swath of other California laws they must administer and enforce) should be applauded.

So, you ask, what’s the final tally? The changes, overall, look like they will reduce compliance burdens compared to the regulations as they were first proposed. We won’t provide an exhaustive list, but here are the things that most caught our eyes:

• Clarifying the definitions of such terms as “categories of sources,” “categories of third parties,” and “household.” §999.301.
• Providing guidance on whether information is personal information, focusing on whether a business “maintains” the information in a manner that is reasonably capable of being associated with a consumer or household. The guidance includes an important note that IP addresses are not necessarily personal information. §999.302.
• Dropping requirements to provide extensive disclosures for “each” category of information (e.g., categories of sources, purposes, and categories of third parties). §999.305(b)(2), 308(c), 313(c)(10).
• Nixing the need for a business that doesn’t collect personal information directly to contact the consumer or get an attestation from the source before selling the information. §999.305(d).
• Showing us—finally—what the DNS link should look like (halfway between “snazzy” and “ominous”). §999.306(f).
• Keeping the requirements of providing an estimate of the value of consumer data and the calculation method. §999.307(b)(5).
• Ditching the “interactive webform” as a required method to allow consumer requests. §999.312(a).
• Making the two-step-confirmation process for deletion requests optional, instead of mandatory. §999.312(d).
• Providing a limited exception from having to search for information in response to a request for access. §999.313(c)(3).
• Scrapping the need to specify how personal information was deleted. §999.315(d).
• Clarifying that user-enabled “global” privacy controls must be treated as an opt-out request, and that the control must “clearly” signal the user’s intent to opt out and require the consumer to “affirmatively select” their choice to opt out. §999.312(d).
• Prohibiting the use of a financial incentive if a business cannot estimate the value of consumer data or cannot show the incentive is reasonably related to that value. §999.336(b).
• Confirming that information necessary to provide a loyalty program falls under an exception to the right to deletion. §999.336(d)(2).

The public-comment period is once again open, until 5:00 p.m. Pacific on February 25. After that, assuming no further modifications and additional public-comment periods, if the process is wrapped up and final regulations are filed with the California Secretary of State by May 31, then we’ll have an effective date of July 1, 2020—the same day the Attorney General’s office will begin enforcing the CCPA.