August 8, 2020

Volume X, Number 221

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

August 05, 2020

Subscribe to Latest Legal News and Analysis

California Attorney General Releases Additional Modifications to Draft CCPA Regulations

On March 11, 2020, the California Attorney General released the second set of modifications to the draft California Consumer Privacy Act (CCPA) regulations. This set of modifications contains deletions to language that was included in the February modifications to the regulations as well as some new language. Notable changes include the deletions of the “do not sell my personal information” logo/button as well as the section that provided guidance regarding the interpretation of CCPA definitions, particularly the language that indicated that if a business collected the IP address, but did not link it to an individual, that it did not fall within the definition of personal information.

The March regulations added some additional definitions as well as language that specifies that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information. In addition, language was added to provide that the notice at collection of employment-related information is not required to provide a link to the business’s privacy policy.

For businesses that sell a consumer’s personal information, if a business denies a consumer’s deletion request, it must ask the consumer if they would like to opt-out of the sale of their personal information if the consumer has not already made a request to do so.

With respect to privacy policies, the March regulations added language that a privacy policy must identify the categories of sources from which the personal information is collected and that the categories be described in a manner that provides consumers a meaningful understanding of the information being collected. For businesses that sell personal information, the March regulations also specified that the business must Identify the business or commercial purpose for collecting or selling personal information and that the purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.

With respect to information that a business may collect such as social security numbers or driver’s license numbers, the March regulations now specify that although a business cannot release such information, it is required to disclose that it collects such information.

The deadline to submit comments to the regulations is March 27, 2020, by 5 p.m. PDT. Detailed information on the CCPA regulatory process is on the Attorney General’s website.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume X, Number 79


About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. ...