June 6, 2020

June 05, 2020

Subscribe to Latest Legal News and Analysis

June 04, 2020

Subscribe to Latest Legal News and Analysis

Can you Zigzag? California AG Releases Latest Draft of CCPA Regulations

On March 11, 2020, the second set of modifications (or the third version) of the CCPA draft regulations were released. While the number of substantive changes dwindled in this version, there are a number of drafting corrections and a few modifications of note. Namely:

  • Removal of the suggested UX for the “do not sell” opt-out button, with no alternative proposed. The statute still contemplates that a “recognizable and uniform” opt-out logo or button will be made available on or before July 1, 2020, so stay tuned for something in the final draft! (§1798.185(a)(4)(C); 999.306(f));

  • Removal of the addition that was made to the last draft attempting to clarify when IP addresses constitute “personal information” or not (999.302);

  • Reinsertion of the requirement for businesses to identify the categories of sources from which personal information is collected and the business/commercial purpose for collecting or selling the information in its privacy policy. Unlike the first draft, this language does not require such disclosures “for each” category of personal information (999.308(c)(1)(e)-(f));

  • Addition to clarify that even if a business withholds sensitive data in a request to know, the business should provide a description of that information withheld (999.313(c)(4)); and

  • Clarification that permitted service provider purposes includes internal use to build or improve the quality of its services, provided however that such use does not include building or modifying household or consumer profiles to use in providing services to another business (999.314(c)(3)).

As with the last set of modifications, which we discussed here, the public has another 15 days (March 27, 2020) to submit written comments. If no additional changes are made, a final rulemaking record will be submitted to the Office of Administrative Law. The OAL has 30 working days to review the record for approval.

Putting it Into Practice: With just 106 days to go until enforcement, now is the time for companies to take a hard look at the state of their CCPA compliance and prepare for some potential last minute updates once the AG releases the final regulations. The limited number of changes in this last draft signals that the next draft may (finally) be final!

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.

TRENDING LEGAL ANALYSIS


About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group
Associate

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and conducting e-mail, mobile, cause, and other forms of marketing. She also helps clients with trademark prosecution matters.

415.774.2999
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335