July 9, 2020

Volume X, Number 191

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

July 06, 2020

Subscribe to Latest Legal News and Analysis

California Attorney General Releases Modified CCPA Regulations

On February 10, 2020, the California Attorney General’s Office released modified California Consumer Privacy Act (CCPA) regulations. There are some notable differences in the regulations from the first draft of the regulations, differences which can be seen in this redlined version.  This article will highlight some of the new language added by the latest draft of the regulations.

What’s not Personal Information?

The first important clarification came with respect to the definition of personal information. Section 999.302(a) of the regulations states that if a business collects, for example, the IP addresses of visitors to its website, but does not link that IP address to any particular consumer or household and could not reasonably link the IP address with a particular consumer, then the IP addresses collected would not be considered personal information for CCPA purposes.


The regulations continue to emphasize accessibility as a critical component of consumer rights. The accessibility language in the regulations is repeated in several sections addressing various consumer rights. The regulations specify that notices must be reasonably accessible to consumers with disabilities and that for notices provided online, businesses shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium, which are incorporated into the regulations.

Processes for Handling Consumer Requests

The regulations clarify that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. The regulations added that the time period for businesses to confirm receipt of a consumer request to delete is within ten (10) business days. The regulations also state that if a business is unable to verify the identity of the consumer with the 45-day time period, that the business may deny the request.

In providing examples with respect to the verification of non-account holders, the regulations eliminated the use of a consumer’s credit card security code as a method of verification. Instead, the regulations now (wisely) suggest that if a retailer maintains a record of purchases made by the customer, the business may require the consumer to identify items recently purchased from the store or the dollar amount of their most recent purchase to verify identity. The regulations also state that if a business has no reasonable method by which it can verify identity of any consumer, the business shall explain why it has no reasonable verification method in its privacy policy.

Employment Information

The regulations also state that a business collecting employment related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information.” The notice at collection for employment related information may include a link to or paper copy of a business’s privacy policies for job applicants, employees, or contractors in lieu of a link or web address to the business’s privacy policy for consumers.

Opt out Button

The regulations provide an example of an opt out button that, if used, should be used to the left of the statement, “Do Not Sell My Personal Information.”

Record-Keeping Requirements

The regulations require that businesses must maintain records of responses to consumer requests and how the business responded to the requests for at least twenty-four (24) months. New language added in the regulations also specifies that businesses must implement and maintain reasonable security procedures and practices in maintaining such records.

It is important to note that the regulations still provide that a violation of the regulations shall constitute a violation of the CCPA and may be subject to the remedies provided therein.

The deadline to submit written comments to this latest version of the regulations is February 25, 2020, at 5:00 p.m. (PST).

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume X, Number 43


About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. ...