By way of background, section 999.308 of the final regulations prescribes the information businesses must provide in their privacy policies. Among other things, section 999.308 requires businesses to:
The office was presented with a host of comments, criticisms, and suggestions regarding that regulation.
To facilitate the drafting process, many commentators requested that the Attorney General’s office provide model notices. The office rejected that request, stating that “[f]urther analysis is required to determine whether to provide models, sample language, and/or templates in the future.” See Appendix A, Response ##917 & 269.
The Attorney General also refused to state whether businesses could use existing notices, such as those required by the Gramm-Leach-Bliley Act (GLBA), to comply with the CCPA’s requirements. The office stated that “[g]iven the wide variety of different industries subject to both the CCPA’s notice requirements and additional notice requirements under other laws, there are many different ways in which businesses may comply with the laws.” However, “[n]either the CCPA nor the regulations proscribe that [the] CCPA notice must be separate, as long as the CCPA notice complies with the CCPA and its regulations.” See Appendix A, Response #269; see also Appendix A, Response #268 (stating, in response to a comment that “[b]usinesses should be permitted to use and appropriately modify existing formats, such as under GLBA,” that the “comment’s proposed change is not more effective in carrying out the purpose and intent of the CCPA because it is not necessary for the OAG to state whether a business may use and appropriately modify existing formats.”).
The office also rejected many commentators’ request to “harmonize and align the CCPA’s requirements with existing privacy laws” such as the California Online Privacy Protection Act (CalOPPA), the European Union’s General Data Protection Regulation (GDPR), and the Children’s Online Privacy Protection Act (COPPA). The office observed that the CCPA and GDPR “differ in several important respects” and that it had “made every effort to utilize existing privacy frameworks in the regulations, where appropriate.” See Appendix A, Response #856.