CA Attorney General Issues New Draft of CCPA Regulations

Written by: Richard Sheinis, Esq.

On February 7, 2020 the California Attorney General published a “redline” version of the CCPA Regulations. These regulations are open for public comment until February 24, 2020. In the meantime, here are a few of the more important redline changes in the latest draft:

1. The definition of household is clarified to mean people who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing a group account or unique identifier. Previously, the only definition of “household” was that it means persons occupying a single dwelling.
2. A business entity acting as an authorized agent to file a personal information request on behalf of a consumer, must be registered with the Secretary of State to conduct business in California. The previous definition of “authorized agent” simply stated that the business had to registered with the Secretary of State, leaving open the possibility that they could be registered with the Secretary of State in a state other than California.
3. Notices, such as a privacy policy, provided on a website must be reasonably accessible to consumers with disabilities. The Attorney General has added that accessibility shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines (“WCAG”), version 2.1.
4. The AG has clarified that a “slider” may be used for a consumer to opt out of their personal information being sold. When the opt out button or slider is used it shall appear to the left of the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link.
5. A business that operates exclusively online shall only be required to provide an email address for submitting requests to know. All other businesses are still required to provide two or more designated methods for submitting such requests including, at a minimum, a toll-free telephone number.
6. Confirming receipt of a request to know or request to delete only needs to be done within ten (10) business days of receipt of the request. Previously, the confirmation had to be provided within ten (10) calendar days of receipt of the request.
7. The AG clarified when personal information needs to be deleted from a backup system in response to a request to delete. Personal information in a backup system only has to be deleted when the backup system is accessed or used for a sale, disclosure, or commercial purpose related to that personal information.

These are a few of the main revisions of the Attorney General’s CCPA Regulations. We will keep you updated as we move toward the final regulations.