In the detailed summaries of comments to the final California Consumer Privacy Act (CCPA) regulations, responses from the California Office of the Attorney General indicate that some areas and issues flagged in the comments may warrant additional, future regulations.
A representative list is below:
Scope
- Calculation of 50,000 consumers, households or devices
- When the $25 million business threshold applies as a business is approaching it, or recently crossed it
- Definitions of "business," "service provider" and "third party"
Sale
- Definition/examples of "business purpose" and "commercial purpose"
- Definition of "sale" in relation to real-time bidding, targeted advertising, third party cookies, transfers between unrelated companies and sharing with licensed professionals
- Exemptions from the definition of "sale"
- Use of user-enabled privacy controls as an opt-out mechanism
- "Do not sell" button and implementation of the "do not sell" requirement
Personal Information
- IP addresses as personal information
- Scope of publicly available information
Notices and Templates
- Notice at collection where device changes hands without notice to the business
- Guidance/sample templates for drafting the privacy policy and consumer request denial notices, notices at collection, HR notices etc.
- "Just in time" notices
Other
- Inconsistencies between CCPA and Children's Online Privacy Protection Act (COPPA)
- Transparency requirements for large businesses
- Franchisor – Franchisee compliance with CCPA
- The complaint process and enforcement of CCPA
- Guidance for determining what is an unfounded of excessive consumer request
- Handing "household" consumer requests
- Communication with authorized agents
[View source.]