July 9, 2020

Volume X, Number 191

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

July 06, 2020

Subscribe to Latest Legal News and Analysis

UPDATE: Analysis of Attorney General Regulations to the CCPA (as Updated February 10, 2020) – Part 1: Notices to Consumers

Back in October, we provided a summary of Article 2 of the California Attorney General’s Initial Proposed CCPA draft regulations, which specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information. Article 2 also provides specific CCPA requirements for company privacy policies

On February 10, 2020, the California Attorney General published updated proposed CCPA regulations.  Below, we discuss several notable changes in the updated proposed CCPA regulations.

Guidance Regarding the Interpretation of CCPA Definitions – Clarification of “Personal Information”

A new Section 999.302 provides that whether information is “personal information” as defined in the CCPA depends on “whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”   The new section goes on to provide an actual example of how businesses should analyze “personal information” that will be helpful to online businesses:  “For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.””

Notices at Collection

  • Mobile Applications, Telephone, and In-Person Notice Format:  The updated regulations provide new illustrative examples for mobile application, telephone, and in-person notices:  “When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.”  Telephone and in-person notices may be provided orally.

  • Mobile Applications: The updated regulations give specific guidance about mobile application notices, with useful examples: When a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.  For example, if the business offers a flashlight application and the application collects geolocation information, the business shall provide a just-in-time notice, such as through a pop-up window when the consumer opens the application.


The updated regulations add a “reasonableness” qualifier to the requirement that notices be accessible to consumers with disabilities, and a new requirement to follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Consortium.

Business that Do Not Collect Personal Information Directly from Consumers

The previous draft regulations included a broad exemption from notices at collection for businesses that do not collect information directly from consumers.  The revised regulations narrow that exemption to apply now only to data brokers that have registered with the Attorney General and that provide a privacy policy that includes instructions on how a consumer can request an opt-out.

Employment-Related Information

The new regulations clarify the employment-related information exemption (set to sunset on January 1, 2021 unless the CCPA is amended), providing that businesses that collect employment-related information must comply with all notices at time of collection except, (i) the notice does not need to include the “Do Not Sell My Personal Information” or “Do Not Sell My Info”; and (ii) the notice at collection may include a link or copy of the business’s privacy policies for applicant, employee or contractors in lieu of a link to the business’s privacy policy for consumers.

Notice of Right to Opt-Out

The updated regulations no longer require businesses to include information about proof required when a consumer uses an authorized to exercise his or her right to opt-out to sale of personal information, nor a link to the privacy policy in notices of opt-out rights. The updated regulations also make clear that a business may not sell personal information collected while during any time it did not post an opt-out notice unless it obtains the affirmative authorization of the consumer to do so.

Opt-Out Button – “Do Not Sell My Personal Information”

The updated draft regulations now include specific recommended visual buttons that businesses should use in different scenarios.  The buttons have a toggle-like appearance, and the draft regulations also include instructions regarding text placement next to the buttons.



Financial Incentives

Businesses that do not offer financial incentives or price or service differences related to the disclosure, deletion or sale of personal information are no longer required to provide a notice of financial incentive.  However, those that do offer financial incentives or price or service differences, now have an additional new requirement to include the value of the consumer’s data, and how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, in their notices.

Privacy Policy

The updated regulations make several minor changes to privacy policy disclosure requirements that may have an outsized impact.  The following language from the previous proposed regulations has been deleted in the updated version:  “The privacy policy shall not contain specific pieces of personal information about individual consumers and need not be personalized for each consumer.”   On the other hand, the updated regulations clarify and simplify required privacy policy disclosures about the categories of personal information collected by businesses, and disclosure or sale of personal information.   

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume X, Number 44


About this Author

Christopher Buontempo Corporate Lawyer Mintz

Chris is a corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling legal and business issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development. 

Chris has held several leadership positions at technology, consumer product, and e-commerce companies. Prior to joining Mintz, he was Director of Legal Affairs and Privacy Officer at The Predictive Index, a high-growth, SaaS-based personnel assessment and technology company with an expansive international...

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-demand media commentator and speaker on privacy and cybersecurity issues.

Cynthia is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E).

She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions. She is also a key contributor to MintzEdge, an online resource for entrepreneurs that includes useful tools and information for starting and growing a company.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.

During law school, she was editor-in-chief of the Probate Law Journal.