On March 11, 2020 the California Attorney General released a second set of modifications made to the proposed California Consumer Privacy Act (CCPA) regulations. The Attorney General released its initial modifications to the proposed regulations on February 11, 2020. The following changes were made to the initial modifications released on February 11th:

Definitions and Guidance

  • Added “related to collection and retention” to the definitions for “financial incentive” and “price or service difference” and removed “related to the disclosure and deletion” from the definitions.
  • Removed the section “Guidance Regarding the Interpretation of CCPA Definitions,” which explained whether information is “personal information” depends on if a business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

Notice of Collection

  • Added that a business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.
  • Modified the subsection that the notice at collection of employment-related information is not required to provide a link to the business’s privacy policy. Previously, a link or paper copy of the employer’s privacy policies could be provided.

Notice of Right to Opt-Out of Sale of Personal Information

  • Removed the opt-out button or logo that could have been used in addition to a posting of the notice of right to opt-out and that linked to a webpage or other online location of the businesses privacy policy.

Privacy Policy

  • Added a subsection that the privacy policy must:
    • Identify the categories of sources from which the personal information is collected, which must be described in a manner that provides consumers a meaningful understanding of the information being collected.
    • Identify the business or commercial purpose for collecting or selling personal information, which must be described in a manner that provides consumers a meaningful understanding of why the information is collected or sold.
    • If the business has actual knowledge that it sells the personal information of minors under 16 years of age, provide a description of the business’ processes for minors under the age of 13 years old and minors 13 to 16 years old.

Responding to Requests to Know and Requests to Delete

  • Modified the subsection that, although a business must not disclose a consumer’s personal information, such as social security number, financial account number, or biometric data, a business must inform the consumer with sufficient particularity that it has collected that type of information without disclosing the actual data.
  • Removed the requirement that if a business sells personal information and the consumer has not already made a request to opt-out, the business must ask the consumer if they would like to opt-out of the sale of their personal information and either the contents of, or a link to, the notice of right to opt-out.
  • Added a subsection that if a business denies a consumer’s request to delete sells personal information and the consumer has not already made a request to opt-out, the business must ask the consumer if he/she would like to opt-out of the sale of their personal information and must include either the contents of, or a link to, the notice of right to opt-out in accordance with the notice of right to opt-out of sale of personal information requirements.

Record-keeping

  • Clarified that information maintained for record-keeping purposes must not be shared with any third party except as necessary to comply with a legal obligation.

Other minor and nonsubstantive changes were also made for clarification purposes. Comments to these proposed regulations may be submitted until March 27, 2020.

Link: https://www.oag.ca.gov/privacy/ccpa

For more information on these proposed regulations and the changes Compliance Systems will be making, visit our Community Lounge Regulatory and Industry Announcements page.

Tags: ,,,