May 18, 2020

Revised CCPA Proposed Regulations 2020: The Key Changes

California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.

These modifications to the proposed regulations provide both clarifications and restrictions that should facilitate compliance with the CCPA.

The key changes include:

  • Restricting the scope of ‘Personal Information’
  • Clarification on rules governing the collection of employment-related data
  • Clarity regarding the notices regulated companies must give consumers
  • Specific requirements concerning the use of the opt-out button
  • The obligation of regulated companies to implement ‘reasonable security procedures and practices’ in keeping records
  • Clarification regarding the requirement to respond to requests to know
  • The need for businesses to make the opt-out process simple

Restricting the Scope of Personal Information

According to the CCPA, Personal Information broadly comprises data that can be reasonably connected with a consumer, a consumer’s household, or his/her devices.

The CCPA reinforced this broad conception by incorporating IP addresses in its definition of Personal Information. Consequently, CCPA protections are applicable to persons who live at the same address and use an electronic device with the same IP address.

The revised CCPA regulations introduce a reasonable restriction on the scope of this provision. Essentially, the definition of a household is limited to a person or group of individuals who are identified by a company as sharing the same group account or unique identifier.

The revised regulations also limit the scope of using a consumer’s IP address to describe Personal Information. In this context, an IP address will not be regarded as Personal Information if the regulated business does not link the IP address to any specific consumer or household.

Clarification on the Rules Governing the Collection of Employment-Related Data

The revised CCPA regulations take into account the effect of AB 25, which delayed the obligation of companies to meet specific employment-linked provisions until January 1, 2021.

Primarily, the revised regulations make it clear that regulated businesses are not obliged to provide employees with the ‘Do Not Sell My Personal Information’ web link that is meant for consumers. 

Instead, the CCPA will be directly applicable to employees, meaning that companies can give them a paper copy of, or a web link to, privacy policies for job applicants, members of staff, or contractors.

Clarity Regarding the Notices Regulated Companies Must Give Consumers

To ease the process of complying with the CCPA’s notice requirements, the revised regulations definitively outline the four consumer notice obligations for businesses. The notices are:

  • A privacy policy
  • Collection of personal information
  • Sale of personal information
  • Financial incentive program

This revision is vital since the CCPA initially identified various notices that regulated enterprises must extend to users in various code sections.

Specific Requirements Regarding the Use of the Opt-Out Button

Opting out from the sale of personal information is one of the crucial consumer rights under the CCPA. 

Initially, the CCPA allowed businesses to use either an opt-out button or logo alongside the notice of the right to opt-out. 

However, the revised regulations clearly define how an opt-out button should appear. Below is the image of the correct opt-out button:

[Image: opt-out button]

Furthermore, the Attorney General’s revised regulations state that this button ‘shall be approximately the same size as other buttons on the business’ website’ and labeled as shown below:

[Image: labeled opt-out button]

Another crucial requirement regarding the opt-out button in the CCPA’s revised regulations is the obligation of businesses to refrain from selling Personal Information gathered without either providing an opt-out notice to consumers or receiving affirmative opt-in from the user.

The Obligation of Regulated Companies to Implement ‘Reasonable Security Procedures and Practices’ in Keeping Records

Regulated companies are required to maintain consumer requests for information and their subsequent responses to those requests for two years. 

The California Attorney General’s revised CCPA regulations now oblige businesses to implement reasonable security processes and practices connected to the maintenance of these databases.

Clarification Regarding the Requirement to Respond to Requests to Know and Deletion

Under the CCPA, consumers have the right to know about the gathering, processing, sharing, and sale of personal information by regulated enterprises. 

For this reason, businesses are required to respond to consumer requests concerning such information. 

However, the revised CCPA regulations make it clear that companies do not need to perform a search for a specific consumer’s Personal Information if the data in question is:

  • Not maintained in a searchable or reasonably accessible format
  • Kept for legal compliance reasons
  • Not sold or otherwise utilized for any commercial purpose

Businesses that are subject to the CCPA must outline the highlighted points in their responses to consumers and explain that these conditions made it unnecessary to perform a search for the requested personal information.

It is important to note that businesses that operate exclusively online are required to provide only an email address to facilitate this process.

Another area covered by the revised CCPA proposed regulations is connected to the consumers’ right to delete. In this case, the new proposals state that ‘If the business sells personal information and the consumer has not already made a request to opt-out, the business shall ask the consumer if they would like to opt-out of the sale of their personal information. To facilitate this process, businesses are required to include either the contents of, or a link to, the notice of right to opt-out.’

Additionally, businesses are obliged to create CCPA-compliant mechanisms to verify that an individual who makes an access or deletion request for consumers under the age of 13 is a parent or a guardian.

The Need for Businesses to Make the Opt-out Process Simple

According to California’s cookie law, businesses need to inform users that they sell their information to third parties, in addition to alerting them that they can limit the sale of their data by exercising their right to opt out.

The Attorney General’s revised CCPA regulations require the opt-out process to be simple for consumers to navigate. Furthermore, businesses should notify users about their right to opt-out in a clear and straightforward way devoid of technical or legal language.

Essentially, it is important to note that the California Attorney General’s revisions to the CCPA’s proposed regulations are not limited to the seven highlighted above.

Granted that the regulations will streamline the CCPA and offer clarity as well as precision in the enforcement of California’s cookie law, businesses need to review, understand, and be ready to meet the requirements of these regulations once they are finalized.
