On Wednesday, March 11, 2020, the California Attorney General’s office published a 2nd set of modifications to the draft regulations under the California Consumer Privacy Act (“CCPA”), available here. These still are not the Attorney General’s final CCPA regulations but rather further modified draft regulations that are subject to a new public comment period. The deadline to submit written comments on the 2nd set of modified CCPA draft regulations is March 27, 2020, at 5:00 pm (PST).
The Attorney General’s office also issued a redlined version of the modified regulations showing how this latest version differs from the original and 1st modified set of draft regulations.
Many of the revisions were minor edits and corrections. Below, we provide a high-level overview of key revisions in the 2nd set of modified draft regulations.
The 2nd set of modified draft regulations revises certain key definitions, particularly the definitions of “personal information” and “financial incentives.”
The modified draft regulations make some discrete changes to requirements for CCPA notices.
The 2nd set of modified draft regulations modifies the restrictions on a service provider’s internal use of personal information obtained in the course of providing services. Specifically, a service provider may use such personal information to build or improve the quality of its services; however, such use cannot include “building or modifying household or consumer profiles to use in providing services to another business.” This seems to at least partially reinsert the previously removed prohibition on service providers using the personal information collected from one client to provide a service to another client.
The 2nd set of modified draft regulations clarifies that, in response to a request to know specific pieces of personal information collected, although a business must not provide certain types of sensitive personal information such as a consumer’s government-issued identification numbers, financial account, medical or health insurance number, unique biometric data or account passwords, businesses must, in response to such a request, inform the consumer “with sufficient particularity” that it has collected this type of information.
The 2nd set of modified CCPA draft regulations reflects the Attorney General’s efforts to respond to public input on the 1st set of modified draft regulations and to consider additional input before finalizing the regulations. As noted above, companies have until March 27, 2020, at 5:00 pm (PST) to submit comments on the 2nd set of modified draft regulations to the Attorney General’s office.
For updates and other resources on CCPA, please visit Morrison & Foerster’s CCPA Resource Center.