July 8, 2020

Volume X, Number 190

And the Modified Proposed CCPA Regulations are Here!

On February 10, the California Attorney General’s office released a highly anticipated updated draft of the proposed CCPA regulations. This draft corrected a version first issued on February 7, 2020. These latest updates follow the four public hearings held in December 2019 and nearly 1,700 pages of comments submitted after the AG first released the initial proposal in October 2019.  While these modified regulations are still not final, some of the notable changes include:

  • Clarifying that a business does not collect “personal information” when it collects IP addresses but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address (999.302);

  • Removing the 90-day claw back period on businesses to pass on an individual’s opt-out of the sale of information (instead requiring the lookback only for sales between the submission of a request and the honoring of that request) (999.315(f));

  • Deleting the prior requirement to treat unverifiable deletion requests as opt-out requests, but requiring the business to ask the consumer if they would like to opt out of the sale of their personal information (999.313(d)(1));

  • Introducing the opt-out button that can be used in addition to (but not in place of) the notice of the right to opt-out (999.306(f));

  • Explaining that the requirement to have a two-step process for online requests to delete is allowed but not required (999.312(d)); and

  • Increasing the threshold for the number of consumers from 4 million to 10 million for the metrics and transparency reporting requirement (999.317(g)).

The deadline to submit written comments is Tuesday, February 25, 2020 at 5pm PST. If no additional changes are made, a final rulemaking record will be submitted to the Office of Administrative Law. The OAL has 30 working days to review the record for approval.

Putting it Into Practice

As companies are beginning to see how CCPA compliance is playing out in practice, now is the time to conduct an initial evaluation of successes and challenges and use the opportunity to submit additional comments to the Attorney General. Organizations should continue to be mindful that additional changes may be forthcoming – with potentially not a lot of time to review before the July enforcement date.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.

National Law Review, Volume X, Number 44


About this Author


Craig Cardon serves as Co-chair of Sheppard Mullin’s Privacy & Data Security Group and as the International Liaison for the firm’s China offices. Craig is a partner in the Entertainment, Technology and Advertising and the Intellectual Property Groups in Sheppard Mullin's San Francisco and Century City offices.

Areas of Practice

Craig enjoys a broad advertising, privacy and ecommerce focused practice. He primarily represents brands, retailers, ad agencies, ad networks and other businesses involved in...

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and conducting e-mail, mobile, cause, and other forms of marketing. She also helps clients with trademark prosecution matters.

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...