In the midst of a global pandemic, readers may have overlooked the recent issuance by the California Office of Attorney General (OAG) of a second set of modifications to the California Consumer Privacy Act (CCPA) regulations.
As background, the proposed regulations were first published and noticed for public comment on October 11, 2019. On February 10, 2020, the OAG released modifications to the proposed regulations based on the earlier comments it received. After publishing the last set of proposed regulations on February 10, 2020, the agency received approximately 100 responses. On March 11, the OAG issued a second set of proposed modifications.
Notably, the latest modifications have removed guidance on the definition of “personal information.” Specifically, the proposed regulations strike section 999.302, which purported to provide “guidance regarding the interpretation of CCPA definitions” through an example of when IP addresses may not qualify as “personal information.” This means that information such as internet activity will need to be disclosed in privacy policies and could be subject to consumer rights requests. The current regulations likewise remove the previous version’s suggested images for an “opt-out button or logo” found in section 999.306(f).
With regard to the right to access, the second set of modifications adds a requirement that a business must inform the consumer with sufficient particularity that it has collected a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
Additionally, pertaining to the right to delete, the second set of modifications removes the requirement for businesses that sell personal information to ask consumers who have not already opted out of the sale of their personal information whether they would like to opt out. The second set of modifications adds a requirement that a business that sells personal information and denies a consumer’s request to delete information must ask consumers who have not already opted out of the sale of their personal information whether they would like to opt out.
A redline showing all changes against both the initial draft regulation (published October 11, 2019) and the first modified draft (published February 10, 2020) is available here. A new public comment period for the new modifications is now open. Comments for the new modifications must be sent by mail or e-mail by 5 p.m. on March 27, 2020.