Logo
Media Centre

California Attorney General Releases Third Draft of CCPA Regulations

Ariel Yosefi

12 March 2020

12/03/2020
Technology & Regulation in the Spotlight

The Attorney General of California (“AG“) has released a third draft of CCPA proposed regulations for public consultation. The new proposed regulations include a series of technical and material modifications to the previous draft, released just a month ago (see our related update), and are available for written comments until 27 March 2020.

One of the interesting changes made, is the deletion of the guidance regarding the interpretation of personal information under the CCPA, which excluded IP, not linked to a particular consumer, from being considered as personal information. The new draft does not offer any new guidance as a replacement regarding this issue. Additionally, the AG has chosen to remove all references to the opt-out button that were set out in the last draft regulations, since the button came under public scrutiny. Commentators raised concerns that the icon looked deceptively as though it was an actual toggle switch, and when combined with its red color, could be misrepresented as being in off state.

The AG also changed the exemption allowing service providers to process personal information in order to perform the services specified in a written contract with the business that provided the personal information. The new modified exemption allows service providers to process personal information, not only on behalf of the business that provided the personal information, but also on behalf of the business that directed the service provider to collect the personal information, provided that it is in compliance with the written contract. In addition, the internal use of the service provider exemption now requires that the personal data will not be used to build or modify consumer profiles that are intended for providing services to other businesses.

In terms of disclosures: according to the new draft regulations, in addition to data brokers, unregistered businesses that do not collect personal information directly from a consumer, will not be required to provide a notice of collection if they do not sell the personal information which was collected. The new draft also restored the obligations to identify the categories of sources from which personal information is collected, and in addition, to identify the business and commercial purposes for collecting and selling personal information that was removed from the second draft. The new draft only requires a general disclosure, without the need to specify each category of personal data. In addition, the requirement to disclose metrics when buying, receiving, selling or sharing personal information of more than 10 million consumer in a calendar year, shall only apply to businesses who know or should reasonably have known, that they meet the threshold.

In terms of user rights: according to the new draft, if a business that sells personal information rejects a deletion request, then it must proactively ask the consumer if he wishes to opt out of the sale of his personal information.

Lastly, the AG amended the definition of “financial incentive” under the CCPA. According to the new definition, financial incentive is a program, benefit or other offering, including payments to consumers, that is related to the collection, retention or sale of personal information.

Earlier last year, we published our CCPA Compliance Playbook in order to assist in preparing for the upcoming regulatory change.

The changes presented in the draft regulations may require further adjustments to internal and external privacy policies and procedures. Please feel free to contact us if you have any questions regarding the effect and implications of the CCPA, and how the new proposed regulations may impact your compliance efforts.

****************************************

Feel free to contact us with any further question or comments regarding the update and subjects detailed above.

Kind regards,

Ariel Yosefi, Partner

Head of Technology & eCommerce Regulation

Herzog Fox & Neeman

 

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search