The California Attorney General (AG) recently published a second set of modified proposed California Consumer Privacy Act (CCPA) regulations. Comments on the second set of modified proposed regulations must be submitted by or before 5:00 PM on March 27, 2020.
The AG released the first set of modified proposed regulations on February 10, 2020. The second set of modified proposed regulations reflects the public comments that the AG received in response to the first set of modified proposed regulations.
Notices to Consumers
Changes to the first set of modified proposed regulations regarding the required notices to consumers include, in part, the following:
- A business does not need to provide a notice at collection to the consumer if the business does not collect personal information (PI) directly from the consumer and does not sell the consumer’s PI.
- The new proposed regulations no longer provide a model opt-out button or logo.
Business Practices for Handling Consumer Requests and Non-Discrimination
Changes to the first set of modified proposed regulations regarding how businesses must handle consumers’ requests and the CCPA’s non-discrimination provisions include, in part, the following:
- The new proposed regulations provide that a service provider must not retain, use, or disclose PI obtained in the course of providing services except, in part, to process or maintain PI on behalf of the business that provided the PI, or that directed the service provider to collect the PI, and in compliance with the written contract for services required by the CCPA.
- Although a business is prohibited from disclosing certain specified PI in response to a request to know (e.g., a consumer’s Social Security number, government-issued identification number, financial account number, or unique biometric data generated from measurements), the business must still describe to the consumer, with sufficient particularity, the type of information that it has collected.
- The new proposed regulations clarify that a price or service difference that is the direct result of compliance with state law is not considered discriminatory.
Additionally, the new proposed regulations amend certain definitions and remove guidance included in the first set of modified proposed regulations regarding the interpretation of “personal information,” as that term is defined in the CCPA.