On Friday, February 7, California Attorney General Becerra released proposed modifications to the draft regulations of the California Consumer Privacy Act (CCPA). The proposed modifications were made in response to public comments on the originally proposed regulations and also to address amendments to the CCPA that were signed into law by Governor Gavin Newsom on October 11, 2019, the same day the originally proposed regulations were released.
Among other things, the draft updates change the originally proposed regulations to:
- Recognize that, in some cases, an IP address may not be considered “personal information.”
- Explicitly incorporate California’s electronic signature law to recognize the validity of electronic signatures in cases where signatures are required under the CCPA.
- Recognize the Web Content Accessibility Guidelines 2.1 of June 5, 2018, published by the World Wide Consortium, as the generally recognized industry standard for website accessibility. The original regulations required online privacy notices to be accessible to consumers with disabilities but did not reference a specific standard.
- Require just-in-time privacy notices before collecting information from mobile devices that would be used in way that would not be reasonably expected by the consumer.
- Loosen the requirements for businesses that want to sell personal information that they did not collect directly from consumers, eliminating potentially difficult notice and opt-out requirements. So long as a business registers as a data broker in accordance with California’s broker registration law, and includes a link to its own privacy policy with instructions on how a consumer can submit an opt-out request, the business can sell the information.
- Propose the design of an “opt-out” button that may be used in addition to the “Do Not Sell My Personal Information” link.
- Eliminate the need to provide certain personal information maintained by a business in response to requests to know, including, for example, information that is not maintained in searchable format and information that is maintained solely for legal or other compliance purposes.
- Expand permitted uses of personal information by service providers. In addition to using personal information to perform the contracted services and to detect security incidents and fraudulent or other illegal activities, so long as they comply with the CCPA’s requirements, the revised proposals permit service providers to:
- Disclose personal information to their own service providers.
- Use the personal information internally to build or improve their services; comply with applicable laws; comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons; cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate applicable law; and exercise or defend legal claims.
The California AG is required to have regulations in place by the date so his office can begin enforcing the CCPA: July 1, 2020. Written comments on the proposed modifications are due February 24. No public hearings have been announced.