On Wednesday, March 11, the California Attorney General's office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The attorney general's office also published redline and clean versions of the second set of modified regulations.

In the post below, we first provide a brief background of the regulatory process. We then discuss the most significant changes made in this latest round of revisions.

Background on Regulatory Process

The Attorney General's office first published proposed CCPA regulations on Oct. 11, 2019. On Feb. 10, the attorney general published modified proposed regulations that significantly revised the proposed regulations (see prior post here).

During the approximately two-week comment period that followed, the attorney general's office fielded approximately 100 comments concerning the modifications. Per the notice released March 11, the second set of modifications is in response to such comments as well as to "clarify and conform the proposed regulations to existing law." The Attorney General's office has stated that it will accept written comments on the proposed changes until 5 p.m. on March 27.

As with the Feb. 10 modified proposed regulations, based on guidance previously published by the attorney general's office, this abbreviated comment period reflects the attorney general's determination that the changes are "substantial and sufficiently related," but not "major," which would require a new 45-day comment period. Following review of written comments (and assuming no further modified regulations are published), the attorney general's office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.

Notably, there is no indication that the attorney general's office has considered postponing the July 1, 2020, enforcement deadline. At this point, given that final regulations will not be published until April (at the earliest), businesses will only have three months to comply with the final regulations.

Analysis of Most Significant Changes

  • Deletion of Guidance on Definition of Personal Information—The attorney general's last round of proposed regulations added a new Section 999.302, which explained that, to qualify as personal information, the information must be reasonably capable of being associated with a consumer or household. The regulation also explained that IP addresses that cannot be linked to consumers or households do not qualify as personal information. The second set of modified regulations now deletes Section 999.302. At this point, businesses will be left to wonder why this section was added in February and then deleted in March.
  • Notice at Point of Collection—The regulations now state that "[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer's personal information." This addition resolves (assuming there are no other changes) a glaring omission in the modified regulations with respect to the provision of notices by entities that do not interact directly with consumers.
  • Employee Notices—Employee notices are no longer required to provide a link to any privacy policies (either online privacy policies or employee privacy policies).
  • Deletion of Opt-Out Button/Logo—The much-maligned opt-out button/logo has been deleted. The opt-out logo/button was first introduced in February and met with substantial criticism from privacy advocates who faulted it for being unclear or misleading. Presumably, the Attorney General's deletion is in reaction to that criticism.
  • Changes to Privacy Policy Requirements—The attorney general's office once again modified the requirements for what businesses must state in their online privacy policies. The regulations now require businesses to "identify the categories of sources from which the personal information is collected" and "identify the business or commercial purpose for collecting or selling personal information." The modifications also now require businesses that have actual knowledge that they collect the personal information of minors under 16 years of age to make additional disclosures in their privacy policies.
  • Responding to Requests to Know—The regulations still forbid businesses from disclosing certain types of personal information such as Social Security numbers and biometric information. However, the regulations now require businesses to inform consumers with sufficient particularity that the business has collected that type of information. For example, a business shall respond that it collects "unique biometric data including a fingerprint scan" without disclosing the actual fingerprint scan data.

David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at [email protected].

Malia Rogers is an attorney in the firm's Denver office and assists clients on emerging data privacy issues.

Robert J. Bowman is a Denver-based partner in the firm's technology, manufacturing and transportation industry group and a co-leader of the firm's Internet of Things team. He can be reached at [email protected].

Megan Herr is an attorney in the firm's Denver office and assists clients on emerging data privacy issues.