The California Attorney General ("AG") issued modified regulations to the California Consumer Privacy Act ("CCPA"). The CCPA went into effect on January 1, 2020. The modified regulations revise initial regulations first proposed in late 2019. As previously covered, the AG released the "Initial Statement of Reasons" and proposed regulations to provide clarity on several provisions of the CCPA dealing with the collection and use of personal data by businesses and organizations.

A partial list of the now-modified regulations implementing the CCPA:

  • establishes additional requirements as to information collected concerning minors;
  • provides guidance on the definition of the term "personal information";
  • requires businesses that are subject to the CCPA to (i) provide consumers with a privacy policy, (ii) provide a notice of collection if the business collects personal information, (iii) provide a right to "opt out" if the business sells personal information, or (iv) provide a notice of financial incentives if the business offers an incentive for the use of the personal information;
  • implements specific methods for consumers to use to submit various types of requests or instructions to the business, including, for example, the right to opt out of having one's personal information sold;
  • requires prescribed standards for verifying the identity of a customer making a request;
  • requires appropriate training employees; and
  • establishes "reasonable security procedures" in connection with the maintenance of required records.

Comments on the modified regulations must be submitted by February 24, 2020.

Commentary Joseph Moreno

The modified regulations make several tweaks to clarify issues with the original proposed regulations that had been flagged by industry insiders.

What exactly constitutes "personal information" was refined to data that can be tied to a specific consumer or household - so, for example, the general collection of IP addresses of website visitors not linked to personal names would not qualify. A prohibition against how businesses may use personal information was softened, and the extent to which businesses must disclose how they intend to use personal information at the point of collection was made less onerous. The timing of making certain notice requirements was modified, and a greater distinction was made between the collection of consumer data and the collection of employment-related data. On balance the modified regulations provide some relief in a few areas, but do little to reduce the overall magnitude of the CCPA and the not-insubstantial efforts companies must continue to focus on to ensure compliance.

Commentary Steven Lofchie

The revisions are materially more of the same. There are a lot of requirements. There is also a good deal of specificity as to what is required. For many businesses, strict compliance with the requirements will be costly and difficult to achieve.

Further, the amount of time that the California AG allowed for public comment on the revisions (approximately two weeks) is unduly short. Given the scope/complexity/costs of these regulations, denying a reasonable timeframe to understand these changes and comment on them is simply no way to run an economy.

That said, businesses affected by these regulations have no choice. They should be actively building compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.