September 19, 2020

Volume X, Number 263

CCPA Update: The Ever-Moving Target of the AG’s Draft Regulations

Little more than a month after modifying the draft regulations for the California Consumer Privacy Act (CCPA), the California Attorney General (AG) issued yet another set of modifications on March 11, 2020. The draft regulations were first issued on Oct. 11, 2019 and were later modified on Feb. 10, 2020. Presently, the AG is accepting comments on this third version of the draft regulations until March 27, 2020 at 5 p.m. PT. Given the amount of change between the versions, we recommend that businesses hold off on updating their compliance documents until closer to the July 1, 2020 enforcement date.  


Some of the more frustrating changes to the draft regulations include requirements that have disappeared and reappeared in the various versions. For example, disclosure requirements, the opt-out button and guidance on what constitutes personal information have all fluctuated through the versions. The following is a brief summary of notable changes in the March 11 draft:

Privacy policy disclosure requirements

Privacy policies must disclose the source from which personal information is collected. This requirement is not new. The AG first introduced it in the initial draft regulations. However, the requirement was removed in the second version. Now, only one month later, it has returned, although not quite in the same form as before. This third version of the draft regulations does not require that the disclosure be made on a per-category basis (i.e., for each category of personal information collected), as was previously required by the initial draft regulations.

Opt-out button

The AG eliminated the opt-out button entirely. While the opt-out button was not mandatory, many saw it as a beacon of consumers’ right to opt out. As such, the long-awaited, highly anticipated button has already gained much attention. Indeed, software vendors have begun selling solutions for it—solutions that are no longer needed. 

Responding to access requests

If a business has collected Social Security numbers, biometric information or other sensitive information it cannot disclose pursuant to the regulations, then it must inform the consumer that the business collected such information. Under the second version of the draft regulations, businesses could simply deny the consumer’s request without further explanation.

Entities that do not collect personal information from consumers directly

This latest version of the draft regulations provides a reprieve for some businesses that do not collect personal information directly from consumers. If a business does not collect personal information directly from a consumer and does not sell the personal information, then it does not need to provide notice at collection to consumers.

Guidance regarding the interpretation of CCPA definitions

The updated regulations remove guidance regarding the interpretation of “personal information.” This guidance included an example that IP addresses did not constitute personal information so long as they were not linked to a particular consumer or household. Given how most businesses collect and use IP addresses for marketing purposes (such as through Google Analytics and other similar tools), many businesses interpreted this guidance to mean that an IP address is only personal information if it links directly to a consumer or household. This would mean that businesses could still use certain online tracking technologies without collecting personal information. Alas, businesses may no longer rely on this guidance to conclude that they do not collect personal information when using such tracking technologies.  


For many businesses, especially larger ones that do not move as nimbly, early efforts to implement the AG’s draft regulations are essential if they are to comply with the regulations in time for the July 1, 2020 enforcement date. At the same time, the AG’s continued modifications disrupt efforts to operationalize the regulations’ requirements. Additionally, the rulemaking process has included major, unexpected shifts, which do not yet seem to have come to an end.

To date, the AG has issued three versions of the draft regulations. The second and third versions of the regulations saw barely one month between them, and a comment period on the third version is presently underway. Therefore, businesses should wait to make any further compliance changes for CCPA until after the AG publishes the final regulations.

Copyright © 2020 Godfrey & Kahn S.C. National Law Review, Volume X, Number 86


About this Author

Sarah A. Sargent Associate Milwaukee Cybersecurity Practice Group, Technology & Digital Business Practice Group

Sarah Sargent is a member of the Data Privacy & Cybersecurity Practice Group and Technology & Digital Business Practice Group. She holds the CIPP/US and CIPP/E certifications from the International Association of Privacy Professionals, allowing her to draw from both domestic and international best practices when it comes to questions of data privacy.

Sarah’s practice focuses on assisting clients in implementing innovative technology and finding practical business solutions for privacy compliance. She counsels clients on privacy compliance with a variety of state, federal,...

Andy Schlidt Shareholder Milwaukee Technology & Digital Business, the Data Privacy & Cybersecurity

Andy Schlidt is a shareholder in the Technology & Digital Business, the Data Privacy & Cybersecurity and the Corporate legal practice groups.  He advises clients in commercial transactions and compliance matters, drawing on his prior consulting work at Accenture and his Masters in Technology from Purdue University.

As Chair of the Technology & Digital Business practice, Andy negotiates a wide variety of commercial transactions.  Recent engagements include domestic and offshore outsourcing deals (ITO/BPO), XaaS and cloud subscriptions, IT licensing, software development, hardware acquisition, IT joint developments, and strategic alliances.  He also counsels clients on telecommunications matters including wireless, wireline, fiber optic, small cell, DAS, broadband, and telecom infrastructure deployment.  

As Co-chair of the firm’s Data Privacy & Cybersecurity practice, Andy helps  demystify IT compliance for clients with a focus on data breach response, privacy and cybersecurity programs, vendor management, cyber insurance, and IT dispute resolution.  Emerging areas of interest include the IoT, IIoT, AI, Blockchain, smart contracts, smart cities, and connected environments.  He supports the firm’s internal compliance initiatives as the firm’s Chief Privacy Officer.

While at Purdue, Andy wrote his thesis on the technology risk management practices of Fortune 200 companies.  He is a member of ITechLaw (a worldwide technology law community), the International Association of Outsourcing Professionals (IAOP), the International Association of Privacy Professionals (IAPP) and the Federal Communications Bar Association.  He has served on the Advisory Board of the University of Wisconsin E-Business Consortium, and as a member of the Telecommunications Committee of the Wisconsin Public Utilities Institute.

Justin Special counsel  co-chair Data Privacy & Cybersecurity Practice Group

Justin serves as special counsel and is co-chair of the firm’s Data Privacy & Cybersecurity Practice Group. He is also a member of the firm’s Technology & Digital Business Practice Group. Justin holds the Certified Information Privacy Professional/US (CIPP/US) certification from the International Association of Privacy Professionals.

Justin’s practice focuses on helping clients with the legal issues that arise from technology and data in an increasingly digital world, with a specific focus on cybersecurity and data privacy matters. His work includes:

  • Compliance...