A third version of the California Consumer Privacy Act (CCPA) draft regulations were released by the California Attorney General’s (AG) office last week. The AG’s office revised the draft regulations again after reviewing an estimated 100 comments it received in response to its first set of revisions, released on February 10th. Public comments regarding these latest revisions can be submitted to the AG's office until March 27th, 5 p.m. PST.
CCPA Draft Regulations Changes
While most of the changes from the last version of the draft regulations are minor, there are some notable changes to consider:
- The deletion of the IP address example and the entirety of Section 999.302, which was added in the first set of revisions and provided that information not maintained in a manner which made it reasonably identifiable to a consumer or household did not constitute “personal information” under CCPA. The addition of this language in the prior version of the draft regulations provided some indication that, perhaps, the collection of non-directly identifying personal information, like IP addresses through cookies, may not be considered personal information. However, the deletion of this language suggests otherwise.
- The previous requirement that user-enabled privacy controls developed for CCPA opt-out signals should not have pre-selected settings and required consumers to affirmatively opt-out, has been deleted.
- The definition of “financial incentive” is expanded to a program, benefit or other offering to consumers related to the collection, retention or sale of personal information. Previously, it was defined as such programs or benefits provided as compensation for the disclosure, deletion or sale of personal information. Similarly, “price or service difference” is difference in price or quality or level of service or goods as related to the collection, retention or sale of personal information.
- Language was added to state that businesses that do not collect personal information directly from a consumer do not have to abide by the required notice at collection if the business does not sell the consumer’s personal information.
- The “Do Not Sell My Personal Information” toggle button has been deleted.
- In responses to requests to know, businesses cannot disclose certain sensitive information, such as social security numbers and unique biometric data. However, the new revisions require a business to disclose that it collects this type of information with “sufficient particularity” without revealing such information itself.
- Revisions were made to the circumstances where service providers are allowed to use personal information obtained while providing services to a business. These changes indicate that the permitted purposes cannot be used to benefit the service provider’s other clients. The changes include:
- Processing or maintaining personal information on behalf of the business that provided that information or directed the service provider to collect the information and in compliance with the written contract for services as required by CCPA; or
- Using such information for internal use to build or improve the quality of its services if the use does not include building or modifying household or consumer profiles to use in providing services to another business or correcting or augmenting data acquired from another source.
Keep in mind that these regulations are still not final. With a July 1 enforcement date looming, final regulations can be expected soon.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.