Client Alert

California Attorney General Issues 2nd Set of Modified Draft CCPA Regulations

12 Mar 2020

On Wednesday, March 11, 2020, the California Attorney General’s office published a 2nd set of modifications to the draft regulations under the California Consumer Privacy Act (“CCPA”), available here. These still are not the Attorney General’s final CCPA regulations but rather further modified draft regulations that are subject to a new public comment period. The deadline to submit written comments on the 2nd set of modified CCPA draft regulations is March 27, 2020, at 5:00 pm (PST).

The Attorney General’s office also issued a redlined version of the modified regulations showing how this latest version differs from the original and 1st modified set of draft regulations.

Many of the revisions were minor edits and corrections. Below, we provide a high-level overview of key revisions in the 2nd set of modified draft regulations.

1. Definitions

The 2nd set of modified draft regulations revises certain key definitions, particularly the definitions of “personal information” and “financial incentives.”

  • Personal Information. The 2nd set of modified draft regulations removes guidance that was added by the 1st set that had stated that whether information is considered “personal information” depends on whether a business maintains the information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. Consequently, the illustrative example allowing that IP addresses may not be considered personal information in certain cases was also removed.
  • Financial Incentives. The definition of “financial incentive” has been updated and broadened to mean a program, benefit or other offering, including payments to consumers related to the collection, retention, or sale of personal information. Previously, a financial incentive had been defined as compensation for the disclosure, deletion or sale of personal information. Similar updates are carried throughout the regulations wherever financial incentives are addressed.

2. Notices

The modified draft regulations make some discrete changes to requirements for CCPA notices.

  • Do Not Sell Button. The 2nd set of modified draft regulations removes the subsection about the Opt Out Button and Logo, including the design for the “Do Not Sell My Personal Information” button. This section has not been replaced by updated guidance.
  • Privacy Policy. If a business has actual knowledge that it sells the personal information of minors under age 16, then, under the 2nd set of modified draft regulations, a business’s privacy policy must include a description of the processes required for minors (or their parent or guardian if under age 13) to opt in to the sale of personal information.
  • Notice at Collection. The 2nd set of modified draft regulations also provides that a business that does not collect personal information directly from a consumer does not need to provide notice at collection if it does not sell the consumer’s personal information.
  • Employment-Related Notices. The 2nd set of modified draft regulations updates previous guidance regarding employment-related notices, stating that such notices are not required to provide a link to the business’s privacy policy.

3. Service Providers

The 2nd set of modified draft regulations modifies the restrictions on a service provider’s internal use of personal information obtained in the course of providing services. Specifically, a service provider may use such personal information to build or improve the quality of its services; however, such use cannot include “building or modifying household or consumer profiles to use in providing services to another business.” This seems to at least partially reinsert the previously removed prohibition on service providers using the personal information collected from one client to provide a service to another client.

4. Requests to Know

The 2nd set of modified draft regulations clarifies that, in response to a request to know specific pieces of personal information collected, although a business must not provide certain types of sensitive personal information such as a consumer’s government-issued identification numbers, financial account, medical or health insurance number, unique biometric data or account passwords, businesses must, in response to such a request, inform the consumer “with sufficient particularity” that it has collected this type of information.

The 2nd set of modified CCPA draft regulations reflects the Attorney General’s efforts to respond to public input on the 1st set of modified draft regulations and to consider additional input before finalizing the regulations. As noted above, companies have until March 27, 2020, at 5:00 pm (PST) to submit comments on the 2nd set of modified draft regulations to the Attorney General’s office.

For updates and other resources on CCPA, please visit Morrison & Foerster’s CCPA Resource Center.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.