July 11, 2020

Volume X, Number 193

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

CCPA Compliance Update: Three Key Revisions to Regulations

California Attorney General Xavier Becerra somewhat unexpectedly proposed revisions to the CCPA regulations last week, including several substantive modifications to what was previously thought of as potentially final regulations (see our prior alert describing five changes companies should address now). While many businesses are currently consumed with managing the effects of the coronavirus pandemic, we have yet to hear of any postponement of the July 1 compliance deadline. With that in mind, here are three key revisions made by the latest regulations:

  1. Regulation § 999.312(a) previously provided that IP addresses would not be considered “personal information” for purposes of the CCPA, so long as a business does not link collected IP addresses with an individual consumer or household. However, the most recent revisions deleted this section. This means that the definition of “personal information” has reverted to its broad formulation, which explicitly includes IP addresses. Businesses using website analytics providers or ad tech platforms (or otherwise sharing IP addresses or other device identifiers of their web visitors with third parties) now need to consider whether they need to disclose that they are “selling” web visitors’ personal information and provide a Do Not Sell opt-out. In evaluating this issue, a business should investigate whether each platform that it uses (a) provides functionality to limit collection or to anonymize IP addresses or identifiers, or (b) is otherwise prevented via a written contract from retaining, using or disclosing collected IP addresses and identifiers for any purpose other than providing services to the business (in this latter case that the platform would qualify as a service provider under the CCPA).

  2. The latest revisions have also reinserted a version of the privacy policy disclosure requirements related to the source and commercial purpose for the collection of personal information that does not require disclosure for each category of personal information collected. Privacy policies must now generally (1) identify the categories of sources from which personal information is collected, and (2) identify the business or commercial purpose for collecting or selling personal information. This additional information will add to the length of privacy policies but represents a compromise from the more comprehensive disclosure requirements in the initial version of the regulations.

  3. Finally, the CCPA charged the AG to develop a recognizable and uniform logo or button that could be used in connection with a notice of the right to opt-out of the sale of personal information. The AG had proposed a logo in the prior version of the regulations, but the March 11 revisions deleted reference to this proposed logo. Until the AG puts forth a new logo, website opt-outs should be facilitated via a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.”

With the comment period for the revised regulations set to close on March 27, 2020, it is unlikely that a finalized version of the regulations will be posted by the California Secretary of State by the CCPA’s enforcement deadline of July 1. Practically speaking, this means that as of July 1, the AG will have the authority to enforce the provisions of the CCPA, but will likely not yet have enacted regulations to guide enforcement. Regardless, businesses need to continue to make the steps now to ensure compliance by July 1.

© 2020 Schiff Hardin LLPNational Law Review, Volume X, Number 78


About this Author

Chad F. Watson Intellectual Property Attorney Schiff Hardin Law Firm Chicago

Chad is a member of the Intellectual Property Practice Group. He focuses his practice on Hatch-Waxman and biosimilar patent litigation. With a background in biochemistry, Chad brings both legal and scientific knowledge when counseling generic pharmaceutical clients. Chad’s past academic and laboratory experience synthesizing highly conjugated organic compounds allows him to approach pharmaceutical cases from a development scientist’s perspective.

Chris Bollinger, Schiff Hardin, Information Technology industry lawyer, e-commerce internet legal counsel, corporate transaction attorney, intellectual property law

Chris Bollinger concentrates his practice on matters relating to intellectual property licensing, trademark and copyright, technology law, e-commerce, and computer and Internet law. His prior experience as a software engineer informs his legal practice and allows Chris to provide his clients with in-depth and nuanced advice on a wide range of technology, IP, compliance and “e-“ related issues. Chris crafts legal and business solutions to fit the rapidly evolving and increasingly complex digital marketplace— and the unique needs of his clients.

In addition to his work with hardware, software, telecom and technology companies, Chris provides guidance to corporate clients across the business spectrum, including many in the manufacturing, consumer product, energy, financial, medical device, biotech, electronic and industrial service sectors.