News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Important commentary from Calif. OAG in proposed CCPA regulations package Related reading: CCPA Litigation Overview

rss_feed

On June 1, California’s Office of the Attorney General submitted the final proposed regulations package for the California Consumer Privacy Act to the Office of Administrative Law for review. Included in this package is the Final Statement of Reasons, explaining the modifications from the initially proposed text of the regulations, as well as a summary of all the comments received during the rulemaking process and the OAG’s responses, attached as appendices A, C, and E to the FSOR.

For businesses or practitioners dealing with compliance issues, the OAG commentary is an important resource to consider.

The OAG’s responses address why certain modifications were made (or not) to the proposed regulations, confirm and clarify how it is interpreting certain CCPA provisions, and flag topics the OAG is still considering. They also appear to provide some insight regarding the OAG’s enforcement focus. There is substantial granularity, as the comments and responses are organized by the specific sections and subsections of each regulation. Together, Appendices A, C, and E total almost 500 pages. Reviewing a few of the regulatory provisions illustrates how this commentary may help inform compliance decisions.

The importance of notices, privacy policies and the “do not sell” link

Not surprisingly, the need to comply with the CCPA’s notice obligations are a focus of the OAG’s comments. The OAG repeatedly emphasizes the distinction between a business’ statutory obligation to provide different notices to consumers and simply having a privacy policy. For example, in Response 105/Appendix A, the OAG stated “[n]othing in (the CCPA) Section 1798.130 indicates that the online privacy policy constitutes notice at collection.” While a business may, at its discretion, include information regarding the notices in its privacy policy, “this does not absolve the business from complying with its statutory requirements to separately provide a notice at collection, notice of right to opt-out, and notice of financial incentive.” 

The responses similarly stress the requirements regarding the right to opt-out. Response 267/Appendix A reiterates the CCPA requires a business selling consumers’ personal information to provide notice of the right to opt-out and “a clear and conspicuous link” titled “Do Not Sell My Personal Information” on its homepage, separate obligations from what must be disclosed in a privacy policy. Making sure businesses are providing the required “do not sell” link is expected to be a focus for the attorney general’s office based upon its July 1 news release and the comments by Supervising Deputy Attorney General Stacey Schesser of California’s Department of Justice during an IAPP Keynote session regarding CCPA enforcement. 

The OAG rejected the suggestion of certain circumstances, such as an applicable exemption, that might limit a business’ obligation to provide information to consumers. In Response 264/Appendix A, the OAG emphasized the CCPA “requires a business to disclose certain information in the required notices and privacy policy.” It strongly stated, “CCPA-mandated disclosures are required even if the business is not required to comply with the consumers’ exercise of their rights.” In Response 311/Appendix A, the OAG disagreed with comments taking the position a business that does not sell personal information does not need to include an explanation of the right to opt out in its privacy policy. It noted the CCPA requires that “the privacy policy include a description of consumers’ rights, even when a business does not have to comply with the consumer’s request.”

No blanket exemption for trade secrets and intellectual property

Several of the comments raise the issue of the CCPA potentially requiring disclosure of proprietary and/or trade secret information. While CCPA Section 1798.185(a)(3) discusses the attorney general adopting regulations regarding “any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights ...,” there is no such exemption in the final proposed regulations.

For businesses concerned about this issue, the OAG’s responses to these comments are instructive. 

Responses 323 and 901 in Appendix A address comments seeking an exemption from the CCPA for proprietary information, intellectual property or trade secrets. In a lengthy commentary, the OAG rejected these requests. It determined “the comments fail to show how an exemption for protection of intellectual property rights is necessary” as they “fail to explain how a consumer’s personal information collected by the business could be subject to the business’s copyright, trademark, or patent rights, or how a business could possibly patent, trademark or copyright a consumer’s personal information” (Response 901/Appendix A).

The OAG’s responses also noted that even if a consumer’s personal information could potentially be considered a trade secret, “neither federal nor state law provides absolute protection for trade secrets.” Importantly, the OAG concluded, “a blanket exemption from disclosure for any information a business deems could be a trade secret or another form of intellectual property would be overbroad and defeat the Legislature’s purpose of providing consumers with the right to know information businesses collect from them.”

There also were comments specifically challenging the obligation in the Notice of Financial Incentive, Section 999.307(b)(5), requiring businesses to provide a “good-faith estimate of the value of the consumer’s data” on the grounds disclosing the “description of the method the business used to calculate the value of the consumer’s data” as required by the regulation involves proprietary information. The OAG similarly rejected this position, finding the comments did not adequately demonstrate the information was a “trade secret,” referencing the definition in California’s Uniform Trade Secrets Act, Section 3426.1 (Response 247/Appendix A and Response 25/Appendix E).  

The OAG again reiterated the protection of trade secrets is not absolute and allowing a broad exemption in this context “would be overbroad and defeat the Legislature’s purpose of protecting consumers’ privacy and prevent discrimination against consumers who exercise their privacy rights.”

Disclosing consumer request metrics is 'necessary' to assess compliance

The OAG commentary explains its position regarding the mandatory disclosures for businesses handling a large amount of consumer data. Section 999.317(g) of the proposed final regulations requires a business “that knows or reasonably should know” it buys, receives, sells or shares the personal information of 10 million or more consumers in a calendar year to compile and disclose specific information regarding consumer requests. The OAG disagreed with a comment requesting this provision be eliminated because it exceeded the scope of its authority, stating in Appendix A/Response 652, “the regulation is necessary” and “the value of public disclosure outweighs the burden.” In the FSOR, the OAG explained “the compilation and reporting metrics are reasonably necessary to measure compliance with the CCPA,” noting the benefit of assessing whether response times are complying with the required 45-day timeframe, understanding whether requests “are systemically being denied,” and having transparency regarding the number of requests being received. 

In both the FSOR and other Appendix A comments, the OAG also noted the public disclosure of this information will allow “academics, consumer advocates, business groups, and others to research and analyze this data.”

The OAG increased the reporting threshold from 4 million to 10 million to lessen the burden on small businesses, as explained in the FSOR. Ten million consumers represent approximately 25% of California’s population. In response to comments expressing concern over the difficulty of following this reporting requirement, the OAG makes clear compliance is expected, stating “[b]usinesses that are managing the personal information of roughly 25 percent of California’s population shall make good faith efforts to develop systems that would track their compliance with the CCPA and these regulations” (Appendix A/Comment 658).

There may be additional regulations

Rulemaking for the CCPA was an involved process, with multiple rounds of revisions to the initial proposed regulations. The OAG responses suggest it may not be over, as it continues to look at particular issues raised by the comments. In many of its answers, the OAG stated it “has prioritized the drafting of regulations that operationalize and assist in the immediate implementation of the law. Further analysis is required to determine whether a regulation is necessary on this issue.” 

Areas in which the OAG indicated it may be considering further regulation include:

Definitions

The first modified regulations proposed in February 2020 included a new provision, Section 999.302 Guidance Regarding the Interpretation of CCPA Definitions. It offered further guidance regarding whether the information is “personal information” and included a specific example of a business collecting IP addresses. The second set of modifications issued in March 2020 deleted this provision. However, in Response 9/Appendix E, the OAG stated “[f]urther analysis is required on this issue.” The OAG’s responses also indicate it may take a closer look at whether certain definitions, including “business,” “business purpose” and “sale” require regulation.

The opt-out button

CCPA Section 1798.185(a)(4)(C) refers to the attorney general adopting regulations related to “the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.” The first modified regulations included an opt-out button in Section 999.306(f) that was deleted in the second set of modifications. In Response 84/Appendix C, the OAG stated it deleted the proposed regulation “to further develop and evaluate” a uniform opt-out logo or button.

Templates/samples

Many of the comments asked the attorney general to provide models, sample language or templates for businesses to use. The OAG’s responses suggest it is considering these requests. 

Conclusion

The OAG’s responses contain useful information regarding its rationale for the modifications to the regulations and its decision not to accept certain comments.

There are still unanswered questions, as identified here and in this piece for the IAPP’s Privacy Tracker by Husch Blackwell's David Stauss, CIPP/US, CIPT, FIP, and Malia Rogers, which analyzed the OAG’s comments with respect to cookies and tracking technologies. Additional regulations appear to be a real possibility and if the California Privacy Rights Act ballot initiative passes in November, this will further impact CCPA compliance and the regulatory framework.

The IAPP will continue to monitor and report on this changing landscape.

Photo via Good Free Photos

CCPA Genius

The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.

Access Here

California Privacy Law, 3rd Edition

Author: Lothar Determann, Partner, Baker McKenzie

In the pages of “California Privacy Law,” businesses, attorneys, privacy officers and other professionals will gain practical guidance and essential, in-depth information regarding each California and U.S. privacy law — scope, compliance duties and enforcement.

Print version | Digital version


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Cathy Cosgrove Nonmember Contributor
Tags
U.S.
Enforcement
Privacy Law
Privacy Operations Management
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
CCPA Litigation Overview
Published: October 2020Click To View (PDF) The IAPP developed a chart illustrating the differences among the CCPA cases being filed. The "CCPA Litigation Overview" includes the alleged conduct the plaintiff(s) claim violated the CCPA, whether a CCPA count is specifically included in the complaint...
Read More queue Save This
Introducing the 'CCPA Genius'
The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privac...
Read More queue Save This
CCPA Genius

The Westin Research Center released a new interactive tool to help IAPP members navigate the California Consumer Privacy Act. The “CCPA Genius” maps requirements in the law to specific CCPA provisions, the proposed regulations, expert analysis and guidance regarding compliance, the California Privacy Rights Act ballot initiative, and other resources.

Access Here

California Privacy Law, 3rd Edition

Author: Lothar Determann, Partner, Baker McKenzie

In the pages of “California Privacy Law,” businesses, attorneys, privacy officers and other professionals will gain practical guidance and essential, in-depth information regarding each California and U.S. privacy law — scope, compliance duties and enforcement.

Print version | Digital version

Related Stories
Tags
U.S.
Enforcement
Privacy Law
Privacy Operations Management
Westin Research Center
Recent Comments