INSIGHT: Proposed Changes to CCPA Regulations Create Moving Target for Businesses

Feb. 14, 2020, 9:01 AM

The impact of the proposed modifications by the California Office of the Attorney General to the proposed regulations for implementing the groundbreaking California Consumer Privacy Act (CCPA) will vary depending on how a business collects, uses and discloses personal information, and how far along a business is in its CCPA compliance efforts.

The modifications amend CCPA proposed regulations published Oct. 10, 2019, and were released in response to nearly 1,700 pages of comments the attorney general received regarding the proposed regulations to the CCPA statute. The modifications generally do not introduce major changes to the regulations, and include some adjustments that accommodate concerns expressed by the business community.

The summary below does not include all of the proposed changes to the regulations, but highlights some of the notable changes to the proposed regulations as set forth in the modifications. These highlights are representative of the tone and scope of the California attorney general’s approach to this update.

The modifications to the proposed regulations are not final. The period to submit written comments ends Feb. 25, 5:00 p.m. Pacific.

Scope of Personal Information

The modifications clarify that whether information is “personal information” depends on whether the business maintains the information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

To help understand this guidance, the modifications provide the following example: “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

This clarification will be of interest to online advertisers and certain businesses that qualify for CCPA exemptions and are potentially subject to the CCPA based upon personal information collected through a public-facing website.

Notice at Collection Requirements

The modifications revise the requirements that businesses could not use personal information for “any purpose other than disclosed in the notice at collection.” The modifications state that so long as such purposes are not materially different from those disclosed in the notice at collection, the business does not need to notify and obtain consent from the consumer.

Mobile Application Notices

The modifications add new language to address mobile applications. When a business collects personal information through a mobile application, it may provide a link to the notice (and opt-out requirements) on the mobile application’s download page and within the application, such as through the application’s settings menu.

Unexpected Collection on Mobile Device; Just-in-Time Requirements

The modifications address notice requirements for when a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, citing the example of a flashlight application that also collects geolocation information.

A business must provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection. The practice of “just-in-time” privacy notices within an app has previously been endorsed by the Federal Trade Commission and the California Attorney General.

Employment Notices

The modifications clarify that a business collecting employment-related information is not required to include a “Do Not Sell My Personal Information” link in its employee and job applicant privacy notices (at least until Jan. 1, 2021 when the employment exceptions are scheduled to sunset).

Affirmative Authorization

The modifications add a requirement that a business cannot not sell the personal information it collected during the time the business did not have a notice of right to opt-out notice posted unless it obtains the affirmative authorization of the consumer.

Opt-Out Button

The modifications introduce the opt-out button and state that its use is optional.

Not Required to Search

The modifications add language that when a business responds to a request to know that the business is not required to search for personal information if the business: (a) does not maintain personal information in a searchable or reasonably accessible format, (b) maintains the personal information only for legal or compliance purposes, (c) does not sell the information or use it for a commercial purpose, and (d) describes to the consumer the categories of records not searched because it satisfies the three conditions above.

Non-Verified Request to Delete

The modifications delete the language that required that a non-verified deletion request should be treated as a request to opt-out of sale, and replaced the language with the requirement that the business ask the consumer if they would like to opt out of the sale of their personal information.

Service Providers

While the modifications provide that a service provider must not retain, use or disclose personal information in the course of providing services, exceptions are created, including for internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.

A service provider cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business. The modifications revise a service provider’s obligation to respond to a consumer’s right to know or delete such that a service provider may either fulfill the request on behalf of the business or inform the consumer that it cannot act on the request because it was sent to a service provider. A service provider is no longer required to provide the consumer with the contact information for the business.


The definition of “households” is revised under the modifications to mean those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier.

To respond to a household rights request, where a consumer has a password-protected account, the business may process requests to know and delete relating to household information through the business’s existing business practices.

Consumers with Disabilities

The regulations previously provided that notices (and other rights) must be accessible to consumers with disabilities, and the modifications clarify that notices provided online must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Reece Hirsch is a partner in the San Francisco office of Morgan Lewis and co-head of the firm’s Privacy & Cybersecurity practice.

Lauren Groebe is an associate in the Morgan Lewis Chicago office.

To read more articles log in. To learn more about a subscription click here.