On February 10, 2020, California Attorney General (AG), Xavier Becerra, released a modified text of his proposed regulations for the California Consumer Privacy Act (CCPA). These modifications were made to the initial draft regulations that were released in October of 2019. The Modified Proposed Regulations are not necessarily the final draft of the Regulations and AG Becerra can still make additional changes before the final version is released in the Spring of 2020.

The modified Proposed Regulations include modifications to definitions and further guidance relating to consumer notices, handling consumer requests, and rules regarding minors and non-discrimination.


The modified Proposed Regulations include new definitions for certain terms and also amend the majority of the definitions that already existed in the original text. Some notable changes include:

  • Clarified ‘categories of sources’ to include a description that allows consumers to understand the type of person or entity
  • Added ‘employment benefits’ and ‘employment-related information’
  • Redefined ‘Household’ – reside at the same residence, share a common device or service from the business, and the business has identified the household as sharing the group account or unique identifier

Consumer Notices

The updated Proposed Regulations also provide a general overview of the required notices businesses must disclose to consumers, which include:

  • a privacy policy, for any business that must comply with the CCPA;
  • a notice at the collection of information, for any business that collects information from a consumer;
  • a notice of right to opt-out, for a business that sells personal information; and
  • a notice of financial incentive for a business that offers a financial incentive or price or service difference.

Notices at the point of collection must be readily available so that consumers encounter them at or before the point of collection of personal information. Notable updates include:

  • A business may not use personal information (PI) for purposes materially different from those disclosed at the time of collection
  • Mobile app collection
  • Registered data brokers do not need to provide notice to consumers if they have included, in their registration submission to the Attorney General, a link to the online privacy policy with instructions on how an opt-out request may be submitted by a consumer
  • Employee-related information is exempt from the “Do Not Sell My Personal Information” link requirement; instead, businesses may include a link to, or paper copy of, a business’s privacy policies for job applicants, employees, or contractors.
  • This provision would expire on Jan. 1, 2021

Opt-Out of Sale / Do Not Sell My Personal Information 

The biggest change relating to the right to opt-out is the introduction of the opt-out button, which may be used in addition to posting the notice of the right to opt-out, but not in lieu of any posting of the notice of right to opt-out. When this button is used, it must be placed to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link and must be approximately the same size as other buttons on the business’s webpage.

Specifically, for opt-out requests, the modified CCPA proposed regulations add that the methods of submission must be easy for consumers to execute and must require minimal steps to allow opting out. Some notable updates include:

  • Privacy controls that are created according to regulations shall communicate the opt-out signal clearly, with no pre-selected settings
  • If a global privacy control conflicts with a business-specific privacy setting or participation in a financial incentive, the business shall respect the global signal
  • May notify the consumer of the conflict and give them the choice to confirm the business-specific privacy setting or participation in the financial incentive
  • Timeline – 15 business days to comply
  • If PI is sold between date request is made and date the request is fulfilled, business must inform those third parties of the exercised right to opt-out and direct them to stop selling that consumer’s info
  • Replaces 90-day look-back requirement
  • Can use authorized agent with written, signed attestation
  • If consumer is opted out and initiates transaction/service that requires sale of data, inform consumer that requested service requires sale of data and provide instructions on opting in

Handling Consumer Requests

For the purpose of submitting requests to know and to delete, the modifications distinguish between businesses that operate exclusively online and have direct relationships with consumers, stating they are only required to provide an email address for submitting requests to know. In contrast, all other businesses must provide two or more methods for submitting requests, including at least a toll-free telephone number.

For circumstances where a business interacts with the consumer in person, the business must consider providing an in-person method, such as a printed form, a tablet or computer portal, or a telephone. Note, it is no longer required that businesses use a two-step process for online requests to delete.

Regarding responses to requests to know and to delete, it is clarified that the confirmation of the receipt of the request must be given within 10 business days, in the same manner in which the request was received. Additionally, the 45-day deadline to respond to the request and the 45-day extension have been clarified to mean 45 calendar days.

Furthermore, businesses are not required to search for personal information if the following conditions apply cumulatively:

  • Business doesn’t keep PI in searchable or reasonably accessible format
  • PI is maintained only for legal or compliance purposes
  • Business doesn’t sell PI or use it for commercial purposes
  • A description is provided to the consumer, of the categories of records that may contain personal information that were not searched because the conditions stated above were met

Further updates relating to the handling of consumer requests include:

  • No disclosure of biometric data for request to know
  • If conflicting with state or federal law, the business can explain the denial as such unless prohibited by law
  • No need to delete from archived system unless back-up is restored to active system or accessed/used for a sale/disclosure/commercial purpose
  • No need to inform consumer of how deletion occurred (aggregation, deidentification, deletion, etc.)
  • For an unverified request to delete, do not delete.
  • If the consumer hasn’t requested to opt-out, the business shall ask the consumer if they’d like to opt-out of sale and include contents of/link to notice of right to opt-out
  • Replaces requirement to treat unverified request to delete as a request to opt-out

Additionally, the threshold for the online publication of request metrics has been raised from the handling of information of 4 million consumers or more to 10 million consumers or more.

The modified Proposed Regulations slightly amend the provisions on service providers, mainly with regard to retaining, using or disclosing personal information in the course of providing services. This is not allowed, with exceptions such as performing contracted services and detecting security incidents, fraud, and illegal activity. Service providers are also prohibited from building profiles or augmenting data collected from other sources.

Verification of Requests

The modified CCPA regulations stipulate that:

  • A consumer cannot be required to pay a fee for identity verification
  • Business can deny a request if it can’t verify the identity of the requestor
  • If there is no reasonable method to verify a consumer, the business must explain why it has no reasonable verification method in its privacy policy

Rules Regarding Minors

Consent forms that must be signed by a parent or guardian of a child can be signed either physically or electronically. Additionally, businesses must establish, document, and comply with a reasonable method for determining whether a person submitting a request of a child under the age of 13 is, in fact, the parent or guardian of that child.


The modified CCPA regulations provide that a business should not offer financial incentives, or price or service difference if it is unable to calculate a good-faith estimate of the value of the consumer’s data or can’t show that the financial incentive or price or service difference is reasonably related to that value. Additionally, denying a consumer request for reasons permitted by the CCPA or the Regulations is not considered discriminatory.

Examples were provided showing that loyalty programs can be acceptable and nondiscriminatory under the Modified Regulations. Finally, in order to calculate the value of consumer data, businesses can consider the value of data of all natural persons to the business and not just consumers.

What’s Next

The California Department of Justice is accepting written comments regarding the modified Proposed Regulations until Tuesday, February 25, 2020. Written comments must be submitted no later than 5:00 p.m. on February 25, 2020 by email to [email protected], or by mail at the following address:

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

Email: [email protected]
