California Attorney General Releases Additional Modifications to Draft CCPA Regulations

Robinson+Cole Data Privacy + Security Insider

On March 11, 2020, the California Attorney General released the second set of modifications to the draft California Consumer Privacy Act (CCPA) regulations. This set of modifications contains deletions to language that was included in the February modifications to the regulations as well as some new language. Notable changes include the deletions of the “do not sell my personal information” logo/button as well as the section that provided guidance regarding the interpretation of CCPA definitions, particularly the language that indicated that if a business collected the IP address, but did not link it to an individual, that it did not fall within the definition of personal information.

The March regulations added some additional definitions as well as language that specifies that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information. In addition, language was added to provide that the notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.

For businesses that sell a consumer’s personal information, if a business denies a consumer’s deletion request, it must ask the consumer if they would like to opt-out of the sale of their personal information if the consumer has not already made a request to do so.

With respect to privacy policies, the March regulations added language that a privacy policy must identify the categories of sources from which the personal information is collected and that the categories be described in a manner that provides consumers a meaningful understanding of the information being collected. For businesses that sell personal information, the March regulations also specified that the business must Identify the business or commercial purpose for collecting or selling personal information and that the purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.

With respect to information that a business may collect such as social security numbers or driver’s license numbers, the March regulations now specify that although a business cannot release such information, it is required to disclose that it collects such information.

The deadline to submit comments to the regulations is March 27, 2020, by 5 p.m. PDT. Detailed information on the CCPA regulatory process is on the Attorney General’s website.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.