Here we go again. On March 11, 2020, the California Attorney General (AG) published a second set of modifications to its Regulations under the California Consumer Privacy Act. Unlike the AG’s modifications from just last month, the substantive changes this time are not quite so numerous. There are, however, a few provisions worth noting.
As a general matter, the most significant changes this time around consist of undoing some of the additions made in the first set of modifications. There is also some new language in the Regulations that provides further guidance for businesses that do not directly collect personal information as well as businesses working to draft CCPA-compliant privacy policies.
Deletion of Guidance on IP Addresses
As we noted previously, the first set of modified Regulations included helpful guidance on the interpretation of the term “personal information,” stating that the AG did not consider that term to include IP addresses if a business does not already have a way to link up an IP address with a particular user or household. This guidance has now been removed from the Regulations. Unfortunately, this may cause more confusion than if the explanatory example had not been provided in the first place. For instance, there is an argument that the removal of this language means the AG has decided to treat even un-linkable IP addresses as personal information. On the other hand, it seems just as likely that, although the AG decided not to include the specific example in the Regulations, its interpretation of the term “personal information” has not changed.
Deletion of the Do Not Sell Button Example
Presumably in response to comments stating that the proposed design of the “Do Not Sell My Info” button was likely to cause confusion among consumers, the AG has deleted the image of the example button from the Regulations along with all of the text describing its use. A good summary of the potential confusion stemming from the original design can be found here. Because Section 1798.185(4)(C) of the CCPA specifically requires the AG to establish rules and procedures “[f]or the development and use of a recognizable and uniform opt-out logo or button by all businesses,” we expect there will be some guidance on this included in the next set of draft Regulations.
Guidance on Notices for Businesses that Do Not Directly Collect PI
There is now a provision in the Regulations expressly stating that “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information,” § 999.305(d). This rule should be helpful for companies that are strictly engaged in B2B sales, though they will likely want to closely review their policies and practices (and in particular their websites) to make sure they fall within the exception.
Clarified Language on How to Describe the Right to Know in Privacy Policies
The new Regulations contain a rephrased requirement that privacy policies “[i]dentify the categories of sources from which the personal information is collected” and “[i]dentify the business or commercial purpose for collecting or selling personal information.” §§ 999.308(c)(1)(e)–(f). These changes are not new from a substantive standpoint, but are easier to read than the language in prior drafts.
What comes next?
There is a public comment period on the second set of modified Regulations, during which written comments may be submitted through March 27, 2020. The AG received around 100 comments on the last set of modified Regulations, and issued the second set about one month later. If there is a similar volume of comments on the second set, we would expect to see another set of revisions in the next few weeks. Once the Regulations are final, the AG will submit them to the CA Office of Administrative Law, which has 30 working days to approve the record before filing the final Regulations with the Secretary of State.