On February 10, 2020, California Attorney General (AG) Xavier Becerra released a modified text of his proposed regulations for the California Consumer Privacy Act (CCPA). These modifications were made to the initial draft regulations that were released in October of 2019. The Modified Proposed Regulations are not necessarily the final draft of the Regulations, and AG Becerra can still make additional changes before the final version is released in the Spring of 2020.

The modified Proposed Regulations include modifications to definitions and further guidance relating to consumer notices, handling consumer requests, and rules regarding minors and non-discrimination. 


Definitions 

The modified Proposed Regulations include new definitions for certain terms and also amend the majority of the definitions that already existed in the original text. Some notable changes include:  

Consumer Notices 

The updated Proposed Regulations also provide a general overview of the required notices businesses must disclose to consumers, which include:  

A notice at the point of collection must be readily available where consumers will encounter it at or before the point of collection of personal information. Notable updates include:

Opt-Out of Sale / Do Not Sell My Personal Information  

The biggest change relating to the right to opt-out is the introduction of the opt-out button, which may be used in addition to posting the notice of the right to opt-out, but not in lieu of any posting of the notice of right to opt-out. When this button is used, it must be placed to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link and must be approximately the same size as other buttons on the business’s webpage.

Specifically, for opt-out requests, the modified Proposed Regulations add that the methods of submission must be easy for consumers to execute and must require minimal steps to allow opting out. Some notable updates include: 


Handling Consumer Requests 

For the purpose of submitting requests to know and to delete, the modifications single out businesses that operate exclusively online and have direct relationships with consumers: these are only required to provide an email address for submitting requests to know. In contrast, all other businesses must provide two or more methods for submitting requests, including at least a toll-free telephone number.

For circumstances where a business interacts with the consumer in person, the business must consider providing an in-person method, such as a printed form, a tablet or computer portal, or a telephone. Note, it is no longer required that businesses use a two-step process for online requests to delete.  

Regarding responses to requests to know and to delete, it is clarified that confirmation of receipt of the request must be given within 10 business days, in the same manner in which the request was received. Additionally, the 45-day deadline to respond to the request and the 45-day extension have been clarified to mean 45 calendar days.

Furthermore, businesses are not required to search for personal information if the following conditions apply cumulatively: 

Further updates relating to the handling of consumer requests include:  

Additionally, the threshold for the online publication of request metrics has been raised from the handling of information of 4 million consumers or more to 10 million consumers or more. 

The provisions on service providers have been slightly amended by the modified Proposed Regulations, mainly with regard to retaining, using, or disclosing personal information in the course of providing services. This is not allowed, with exceptions such as performing contracted services and detecting security incidents, fraud, and illegal activity. Service providers are also prohibited from building profiles or augmenting data collected from other sources.


Verification of Requests 

The modified Regulations stipulate that: 

Rules Regarding Minors 

Consent forms that must be signed by the parent or guardian of a child can be signed either physically or electronically. Additionally, businesses must establish, document, and comply with a reasonable method for determining whether a person submitting a request of a child under the age of 13 is, in fact, the parent or guardian of that child.

Non-Discrimination 

The modified Regulations provide that a business should not offer a financial incentive or a price or service difference if it is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to that value. Additionally, denying a consumer request for reasons permitted by the CCPA or the Regulations is not considered discriminatory.

Examples were provided showing that loyalty programs can be acceptable and nondiscriminatory under the Modified Regulations. Finally, in order to calculate the value of consumer data, businesses can consider the value of the data of all natural persons to the business and not just consumers.


What’s Next 

The California Department of Justice is accepting written comments regarding the modified Proposed Regulations until Tuesday, February 25, 2020. Written comments must be submitted no later than 5:00 p.m. on February 25, 2020 by email to [email protected], or by mail at the following address:

Lisa B. Kim, Privacy Regulations Coordinator 

California Office of the Attorney General 

300 South Spring Street, First Floor 

Los Angeles, CA 90013 

Email: [email protected] 
