On March 11, 2020, the California Attorney General’s office published its second set of modifications to the proposed regulations implementing the California Consumer Privacy Act. The second set of modifications is available here. One of the major frustrations for businesses is that the second set of modifications reverses some of the changes implemented by the first set of modifications (proposed just last month). Here are four key takeaways from the second set of modifications to the proposed CCPA regulations.
1. Guidance regarding “personal information.” Last month, the first set of CCPA regulations provided new guidance regarding the interpretation of the CCPA definition of “personal information.” Those regulations stated that whether information is “personal information” depended on whether the business maintained information in a manner that identifies, relates to, describes or could reasonably be linked with a particular consumer or household. For instance, if a business collected IP addresses of visitors to its website but did not link the IP address with any particular consumer or household, then the IP address would not be “personal information.” This additional guidance was both practical and helpful to businesses because most businesses do not link IP addresses to individuals. But the second set of modified CCPA regulations deletes this guidance.
2. Notices at Collection. A business that collects employment-related information still must provide a notice at collection to its employees, but the notice at collection does not need to include a link or web address to the link entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info.” Similarly, the notice at collection of personal information does not need to contain a link to the business’s privacy policy. These are sensible and practical revisions in the context of the notices at collection.
3. Opt Out Button. One month ago, the Attorney General’s office proposed a uniform “opt-out button” or “logo” consisting of a red button or toggle switch with the words “Do Not Sell My Personal Information.” The idea was that consumers would benefit from an opt-out button that would be uniform across different websites. Today’s second set of modifications to the CCPA regulations scraps the proposed uniform “opt-out button.” The Attorney General has not proposed a new opt-out button or logo.
4. Privacy Policy Changes. Try to follow the bouncing ball on this one. The first modifications to the proposed CCPA regulations required businesses to publish a privacy policy identifying the categories of personal information that they collected about consumers in the last 12 months, the categories of sources from which that information was collected, and the business or commercial purpose for collecting the information. The first set of modified regulations deleted the requirements to disclose the categories of sources from which the information was collected and the business or commercial purpose for collecting it. The second set of modified regulations now reinserts those requirements. If you are a business that has published a privacy policy in compliance with the first proposed modifications, you may have to revise your privacy policy to include this originally required, then deleted, and now again required information.
Stay tuned. The second set of modifications is open for public comment until March 27, 2020. We expect more changes before the CCPA regulations are finalized.
– Keesal, Young & Logan Privacy and Data Security Group
This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.