Revised CCPA Proposed Regulations 2020: The Key Changes
California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.
These modifications to the proposed regulations provide both clarifications and restrictions that should facilitate compliance with CCPA.
The key changes include:
- Restricting the scope of ‘Personal Information’
- Clarification on rules governing the collection of employment-related data
- Clarity regarding the notices regulated companies must give consumers
- Specific requirements concerning the use of the opt-out button
- The obligation of regulated companies to implement ‘reasonable security procedures and practices’ in keeping records
- Clarification regarding the requirement to respond to requests to know
- The need for businesses to make the opt-out process simple
Restricting the Scope of Personal Information
Under the CCPA, Personal Information broadly comprises information that can reasonably be linked, directly or indirectly, with a particular consumer, the consumer’s household, or his or her devices.
The CCPA reinforced this broad conception by including IP addresses in its definition of Personal Information. Taken literally, that would extend CCPA protections to everyone who lives at the same address and reaches the internet through a device behind the same IP address.
The revised CCPA regulations introduce a reasonable restriction on the scope of this provision. A household is now limited to a person or group of people who reside at the same address, share a common device or a common service provided by the business, and are identified by the business as sharing the same group account or unique identifier.
The revised regulations also limit when an IP address counts as Personal Information. An IP address is not regarded as Personal Information if the regulated business does not link it, and could not reasonably link it, to a particular consumer or household.
Clarification on the Rules Governing the Collection of Employment-Related Data
The revised CCPA regulations take into account the effect of AB 25, which delayed the obligation of companies to meet most employment-related provisions until January 1, 2021.
Primarily, the revised regulations make it clear that regulated businesses are not obliged to provide employees with the ‘Do Not Sell My Personal Information’ web link that is meant for consumers.
Instead, businesses may satisfy the notice requirement for job applicants, members of staff, and contractors by giving them a paper copy of the relevant privacy policy or a link to it.
Clarity Regarding the Notices Regulated Companies Must Give Consumers
To ease the process of complying with the CCPA’s notice requirements, the revised regulations definitively outline the four consumer notice obligations for businesses. The notices are:
- Notice at collection of personal information
- Notice of the right to opt out of the sale of personal information
- Notice of financial incentive
- Privacy policy
This revision is useful because the CCPA itself scatters the notices that regulated enterprises must give consumers across several code sections.
Specific Requirements Regarding the Use of the Opt-Out Button
Opting out from the sale of personal information is one of the crucial consumer rights under the CCPA.
Initially, the CCPA allowed businesses to use an opt-out button or logo alongside the notice of the right to opt out, without specifying what it should look like.
The revised regulations now prescribe how the opt-out button should appear. (The original article included an image of the prescribed button here.)
The Attorney General’s revised regulations state that this button ‘shall be approximately the same size as other buttons on the business’s webpage’ and that it must be labeled ‘Do Not Sell My Personal Information’.
Another crucial requirement in the revised regulations is that a business may not sell Personal Information it collected during any period in which it did not post a notice of the right to opt out, unless it first obtains the consumer’s affirmative authorization (opt-in).
The Obligation of Regulated Companies to Implement ‘Reasonable Security Procedures and Practices’ in Keeping Records
Regulated companies are required to keep records of consumer requests (to know, to delete, and to opt out) and of how the business responded to them for at least 24 months.
The California Attorney General’s revised CCPA regulations now oblige businesses to implement reasonable security procedures and practices in maintaining these records, and prohibit using the records for any purpose other than record-keeping.
Clarification Regarding the Requirement to Respond to Requests to Know and Deletion
Under the CCPA, consumers have the right to know about the gathering, processing, sharing, and sale of personal information by regulated enterprises.
For this reason, businesses are required to respond to consumer requests concerning such information.
However, the revised CCPA regulations make it clear that a company does not need to search for a specific consumer’s Personal Information if all of the following conditions are met:
- The data is not maintained in a searchable or reasonably accessible format
- The data is kept solely for legal or compliance purposes
- The data is not sold or otherwise used for any commercial purpose
Businesses that rely on this exception must say so in their response to the consumer and describe the categories of records that may contain Personal Information but were not searched because these conditions applied.
Note that a business that operates exclusively online and has a direct relationship with the consumer is only required to provide an email address for submitting requests to know, rather than two or more methods.
The revised proposed regulations also address the consumer’s right to delete. If a business sells personal information and the consumer has not already made a request to opt out, the business must ask the consumer, when responding to the deletion request, whether they would like to opt out of the sale of their personal information. To facilitate this, the response must include either the contents of, or a link to, the notice of the right to opt out.
Additionally, businesses must establish CCPA-compliant mechanisms to verify that an individual who makes an access or deletion request on behalf of a consumer under the age of 13 is that child’s parent or guardian.
The Need for Businesses to Make the Opt-out Process Simple
Under the CCPA, businesses must inform users that they sell their information to third parties and alert them that they can stop that sale by exercising their right to opt out.
The Attorney General’s revised CCPA regulations require the opt-out process to be easy for consumers to execute and to involve minimal steps. Businesses must also describe the right to opt out in plain, straightforward language, free of technical or legal jargon.
Note that the California Attorney General’s revisions to the CCPA’s proposed regulations are not limited to the seven highlighted above.
While the regulations should streamline the CCPA and add clarity and precision to its enforcement, businesses need to review and understand them and be ready to meet their requirements once they are finalized.