California Attorney General Releases Modified CCPA Regulations
On February 10, 2020, the California Attorney General’s Office released modified California Consumer Privacy Act (CCPA) regulations. There are some notable differences in the regulations from the first draft of the regulations, differences which can be seen in this redlined version. This article will highlight some of the new language added by the latest draft of the regulations.
What’s not Personal Information?
The first important clarification came with respect to the definition of personal information. Section 999.302(a) of the regulations states that if a business collects, for example, the IP addresses of visitors to its website, but does not link that IP address to any particular consumer or household and could not reasonably link the IP address with a particular consumer, then the IP addresses collected would not be considered personal information for CCPA purposes.
The regulations continue to emphasize accessibility as a critical component of consumer rights. The accessibility language in the regulations is repeated in several sections addressing various consumer rights. The regulations specify that notices must be reasonably accessible to consumers with disabilities and that for notices provided online, businesses shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium, which are incorporated into the regulations.
Processes for Handling Consumer Requests
The regulations clarify that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know. The regulations added that the time period for businesses to confirm receipt of a consumer request to delete is within ten (10) business days. The regulations also state that if a business is unable to verify the identity of the consumer with the 45-day time period, that the business may deny the request.
Opt out Button
The regulations provide an example of an opt out button that, if used, should be used to the left of the statement, “Do Not Sell My Personal Information.”
The regulations require that businesses must maintain records of responses to consumer requests and how the business responded to the requests for at least twenty-four (24) months. New language added in the regulations also specifies that businesses must implement and maintain reasonable security procedures and practices in maintaining such records.
It is important to note that the regulations still provide that a violation of the regulations shall constitute a violation of the CCPA and may be subject to the remedies provided therein.
The deadline to submit written comments to this latest version of the regulations is February 25, 2020, at 5:00 p.m. (PST).