TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Analyzing the second set of modifications to draft CCPA regulations Related reading: Calif. DoJ releases second set of modifications to proposed CCPA regulations



On March 11, the California Department of Justice issued a second set of modifications to the proposed California Consumer Privacy Act regulations. There are noteworthy changes, including deletion of some of the previous modifications, such as the guidance provided regarding the interpretation of “personal information” and the opt-out button.

Whether this iterative rule making process will impact the attorney general’s approach to CCPA enforcement or businesses’ interpretation of the CCPA and these regulations once they are finalized is an open question. Regardless, understanding what changed and what the proposed regulations now include will help businesses implement CCPA requirements today.


The modifications revise the term “financial incentive” to mean “a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.” The definition previously described the term as “including payments to consumers as compensation, for the disclosure, deletion, or sale” of personal information. The new “related to the collection, retention, or sale” language also is included in the “price or service difference” definition and in the Notice of Financial Incentive regulation.

Guidance on the interpretation of “personal information”

The February modifications added guidance illustrating how “personal information” could be interpreted in the context of a business collecting IP addresses on its website that are not linked to a particular consumer or household. The March modifications delete this provision in its entirety, leaving open the question of how businesses should approach this issue under the CCPA.

Notice of right to opt-out

The March modifications delete the optional opt-out button or logo. This change does not impact the other sections of this regulation or the statutory requirements for notifying consumers specified in the CCPA. 

The modifications also delete the obligation that user-enabled privacy controls require consumers to affirmatively select their choice to opt-out and not be designed with any preselected settings.

Notice at collection of personal information

The March modifications add language stating a business that does not collect personal information directly from a consumer does not need to provide a notice at collection if it does not sell the consumer’s personal information.

Also, a business collecting employment-related information is not required to provide a link to its privacy policy in its notice at collection. 

Privacy policy

Per the March modifications, privacy policies must identify the categories of sources from which personal information is collected and identify the business or commercial purposes for collecting or selling the information.

A business with “actual knowledge” that sells personal information of minors under 16 must include in its privacy policy the processes outlined in the regulations about opting-in to such sales.

Responding to requests to know and delete

While a business is prohibited from disclosing certain personal information in response to a request to know, including a consumer’s Social Security number, driver’s license number and other specialized personal information, the March modifications add language requiring a business to disclose it has collected this particular type of data.

If a business denies a consumer’s request to delete and it sells personal information, the business must ask the consumer if they would like to opt-out if the consumer has not already made a request to do so.

Service providers

The March modifications clarify that service providers also can collect personal information “about a consumer” on behalf of another business. 

The modifications include language allowing service providers to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect it, and in compliance with the written contract for services.

Next steps

The California attorney general’s CCPA website includes detailed information regarding the rule making process, including the comments received on the previous proposed modifications. Written comments on the March proposed modifications will be accepted through March 27.

The attorney general’s office will review and respond to comments and we can expect either another set of revisions or a final proposed set of regulations sometime later this spring.

Photo by David Pennington on Unsplash

Credits: 1

Submit for CPEs


If you want to comment on this post, you need to login.