CCPA Update: Second Set of Modified Proposed Regulations Published
On Wednesday, March 11, the California Attorney General's office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA).
March 23, 2020 at 06:58 PM
5 minute read
On Wednesday, March 11, the California Attorney General's office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The attorney general's office also published redline and clean versions of the second set of modified regulations.
In the below post, we first provide a brief background of the regulatory process. We then discuss the most significant changes made in this latest round of revisions.
|Background on Regulatory Process
The Attorney General's office first published proposed CCPA regulations on Oct. 11, 2019. On Feb. 10, the attorney general published modified proposed regulations that significantly revised the proposed regulations (see prior post here).
During the approximately two-week comment period that followed, the attorney general's office fielded approximately 100 comments concerning the modifications. Per the notice released March 11, the second set of modifications is in response to such comments as well as to "clarify and conform the proposed regulations to existing law." The Attorney General's office has stated that it will accept written comments on the proposed changes until 5 p.m. on March 27.
As with the Feb. 10 modified proposed regulations, based on guidance previously published by the attorney general's office, this abbreviated comment period reflects the attorney general's determination that the changes are "substantial and sufficiently related," but not "major," which would require a new 45-day comment period. Following review of written comments (and assuming no further modified regulations are published), the attorney general's office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.
Notably, there is no indication that the attorney general's office has considered postponing the July 1, 2020, enforcement deadline. At this point, given that final regulations will not be published until April (at the earliest), businesses will only have three months to comply with the final regulations.
|Analysis of Most Significant Changes
- Deletion of Guidance on Definition of Personal Information—The attorney general's last round of proposed regulations added a new Section 999.302, which explained that, to qualify as personal information, the information must be reasonably capable of being associated with a consumer or household. The regulation also explained that IP addresses that cannot be linked to consumers or households do not qualify as personal information. The second set of modified regulations now delete Section 999.302. At this point, businesses will be left to wonder why this section was added in February and then deleted in March.
- Notice at Point of Collection—The regulations now state that "[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer's personal information." This addition resolves (assuming there are no other changes) a glaring omission in the modified regulations with respect to the provision of notices by entities that do not interact directly with consumers.
- Employee Notices—Employee notices are no longer required to provide a link to any privacy policies (either online privacy policies or employee privacy policies).
- Deletion of Opt-Out Button/Logo—The much-maligned opt-out button/logo has been deleted. The opt-out logo/button was first introduced in February and met with substantial criticism from privacy advocates who faulted it for being unclear or misleading. Presumably, the Attorney General's deletion is in reaction to that criticism.
- Changes to Privacy Policy Requirements—The attorney general's office once again modified the requirements for what businesses must state in their online privacy policies. The regulations now require businesses to "identify the categories of sources from which the personal information is collected" and "identify the business or commercial purpose for collecting or selling personal information." The modifications also now require businesses that have actual knowledge that they collect the personal information of minors under 16 years of age to make additional disclosures in their privacy policies.
- Responding to Requests to Know—The regulations still forbid businesses from disclosing certain types of personal information such as Social Security numbers and biometric information. However, the regulations now require businesses to inform consumers with sufficient particularity that the business has collected that type of information. For example, a business shall respond that it collects "unique biometric data including a fingerprint scan" without disclosing the actual fingerprint scan data.
David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate b reach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at [email protected].
Malia Rogers is an attorney in the firm's Denver office and assists clients on emerging data privacy issues.
Robert J. Bowman is a Denver-based partner in the firm's technology, manufacturing and transportation industry group and a co-leader of the firm's Internet of Things team. He can be reached at [email protected].
Megan Herr is an attorney in the firm's Denver office and assists clients on emerging data privacy issues.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readLaw Firms Mentioned
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250