Final CCPA Regulations Submitted

News ¦ June 4th, 2020, 10:00 pm

Datawallet takes a look at some of the key provisions of the modified final regulations.

On June 1, 2020, the Office of the California Attorney General submitted the final proposed regulations package under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). This means the rulemaking process for the CCPA is coming to an end. The OAL now has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance with the Administrative Procedure Act.

However, the CCPA, which came into effect on January 1, 2020, will still be enforced starting July 1, 2020. 

The final regulations are mostly identical to the second iteration of the modified proposed regulations, which the AG released in March. Along with the final regulations, the AG’s office published a Final Statement of Reasons that explains all the changes implemented between the first draft and the final regulations. The AG further issued Appendices that address all the public comments received during the rulemaking process.

Below we take a look at some of the key provisions that were either changed, or reverted to previous, more privacy-focused wording. A comprehensive overview can also be found in table form at the bottom of this post.

Key changes in the final regulations:

  • The clause introduced with the modified regulations in §999.302, with the aim of clarifying the term ‘personal information’, was removed in the final regulations. The clause provided an example revolving around IP addresses and stated that ‘If a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”’ Many had commented that this clause actually made things more confusing and conflicted with the CCPA bill text. The AG has decided to fully remove it in the final regulations.

  • The requirements for what must be included in the privacy policy were extended in §999.308 (c). The final regulations state that businesses should not only include a summary of the rights of the consumer, instructions on how to submit a verified consumer request, a description of the verification process, and a list of the categories of information that the business has collected about consumers in the past 12 months. They should now also include a list of the categories of sources from which the data is collected, and the business or commercial purpose for collecting or selling the information. Everything should be described in a way that gives consumers a meaningful understanding. Businesses should also include information about the opt-in and opt-out processes for minors, in case the business has actual knowledge that it sells the information of minors under 16.

  • §999.313: The final regulations further clarify how a business should respond if a consumer requests specific pieces of information that a business may never provide (such as SSN, driver’s license number or other government-issued identification number, financial account number, etc.). In this case the business should not provide the actual piece of information, but it should tell the consumer that it has collected this type of information.

  • §999.313 (d) (1): The modified regulations stated that if a business was unable to verify the identity of a consumer when handling a deletion request, it should ask the consumer whether they would like to opt out of the sale of their data instead. In the final regulations this was amended, so that businesses should ask consumers this whenever a deletion request is denied (irrespective of whether the denial is due to the inability to verify or to another reason, such as an exception).

  • §999.315: In the modified regulations the AG already provided some much-needed clarification on the use of user-enabled privacy controls (such as browser plugins or settings), by stating that these privacy controls should have been developed in accordance with these regulations. The modified regulations stated that the privacy control should require the consumer to affirmatively select their choice to opt out, and shall not be designed with any pre-selected settings. This last clause was removed in the final regulations, because consumers already actively choose to use privacy-protective services or settings, and are therefore already affirmatively exercising their right to opt out by using that service alone. The AG clarified in his responses to the comments that businesses have discretion to treat a “do not track” signal as a useful proxy for communicating a consumer’s privacy choices to businesses and third parties. However, this is not required.

  • The AG provided businesses with a design for the opt-out-of-sale icon in the modified regulations (§999.306 (f)). Many commented on this, stating that the icon looked too much like a functional toggle, as opposed to merely a button or logo, which would be confusing to consumers. Even though the OAG states that it does not agree with all the reasons provided in the comments, it removed the image for now, and will further develop and evaluate a uniform opt-out logo or button.

Key provisions that remain unchanged:

  • Signatures (for example, those needed on the parent/guardian consent form, or on the statement under penalty of perjury that the data subject is who they say they are) can still be e-signatures. Both the modified and the final regulations refer to the Uniform Electronic Transactions Act.

  • Both the modified and final regulations state that, when making sure that notices are accessible to all consumers, businesses should refer to generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

  • The CCPA text and both the modified and final regulations make it clear that if a business wants to use historically collected data for a purpose materially different from those disclosed in the notice at collection, it must notify the consumer of this new use and obtain explicit consent.

  • No important changes were made in §999.323, the identity verification process. This means that businesses will need to follow the rules dictated in the regulations on how to identify requesting consumers (re-authentication for password-protected accounts, matching 2 or 3 data points for requests to know or delete). Many businesses were seemingly holding off on implementing these processes until the regulations were finalized, to avoid having to make changes. Now it is clear that they will need to implement these processes as stipulated.
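To make the verification and response rules above concrete, here is an added example (written for this post, not code from Datawallet or from the AG’s regulations) of a request handler that ties together three of the provisions discussed: the §999.323 verification tiers (re-authentication for password-protected accounts, otherwise matching data points), the §999.313 rule that specific pieces such as SSNs are never returned but their collection is confirmed, and the §999.313 (d) (1) rule that any denied deletion request is answered with an offer to opt out of sale. The record and request shapes, the data-point names, the sample values and the mapping of "2 or 3 data points" to request types are all assumptions of this example; the regulations text on this page only says 2 or 3.

```python
"""Constructed example: CCPA consumer-request handling with verification tiers.

Everything below (record/request shapes, thresholds, sample values) is an
assumption made for illustration, not taken from the regulations text.
"""
from dataclasses import dataclass, field
from enum import Enum


class RequestType(Enum):
    KNOW_CATEGORIES = "know_categories"   # request to know categories collected
    KNOW_SPECIFIC = "know_specific"       # request to know specific pieces
    DELETE = "delete"                     # request to delete


# Specific pieces a business never returns in a response (Section 999.313);
# the consumer is told only that this type of information was collected.
NEVER_DISCLOSE = {"ssn", "drivers_license", "government_id", "financial_account"}

# Assumed verification tiers. The post says "2 or 3 data points"; which
# request type needs which count is this example's assumption.
REQUIRED_MATCHES = {
    RequestType.KNOW_CATEGORIES: 2,
    RequestType.KNOW_SPECIFIC: 3,
    RequestType.DELETE: 3,
}


@dataclass
class ConsumerRecord:
    has_password_account: bool
    data_points: dict                 # identity data points the business holds
    collected: dict                   # specific pieces of personal information held
    deletion_exception: str = ""      # non-empty if a legal exception blocks deletion


@dataclass
class ConsumerRequest:
    request_type: RequestType
    claimed_points: dict = field(default_factory=dict)  # data points the requester supplies
    reauthenticated: bool = False     # re-logged in to a password-protected account


def count_matches(record, claimed):
    """Count claimed data points that exactly match what the business holds."""
    return sum(1 for k, v in claimed.items() if record.data_points.get(k) == v)


def is_verified(record, request):
    """Re-authentication suffices for password-protected accounts; otherwise
    the request must match the number of data points required for its type."""
    if record.has_password_account and request.reauthenticated:
        return True
    needed = REQUIRED_MATCHES[request.request_type]
    return count_matches(record, request.claimed_points) >= needed


def handle_request(record, request):
    """Return the response a business would give, as a plain dict."""
    if not is_verified(record, request):
        response = {"status": "denied", "reason": "identity not verified"}
        if request.request_type is RequestType.DELETE:
            # Any denied deletion request: offer opt-out of sale instead
            response["offer_opt_out_of_sale"] = True
        return response

    if request.request_type is RequestType.KNOW_CATEGORIES:
        return {"status": "ok", "categories": sorted(record.collected)}

    if request.request_type is RequestType.KNOW_SPECIFIC:
        disclosed = {}
        for category, value in record.collected.items():
            # Confirm collection of never-disclose pieces without revealing them
            if category in NEVER_DISCLOSE:
                disclosed[category] = "<collected, value withheld>"
            else:
                disclosed[category] = value
        return {"status": "ok", "specific_pieces": disclosed}

    # DELETE: verified, but an exception still leads to a denial with the same offer
    if record.deletion_exception:
        return {"status": "denied", "reason": record.deletion_exception,
                "offer_opt_out_of_sale": True}
    record.collected.clear()
    return {"status": "ok", "deleted": True}


if __name__ == "__main__":
    # Constructed sample record and requests
    rec = ConsumerRecord(True,
                         {"email": "a@example.com", "phone": "555-0100", "postal_code": "94103"},
                         {"email": "a@example.com", "ssn": "000-00-0000"})
    print(handle_request(rec, ConsumerRequest(RequestType.KNOW_SPECIFIC,
                                              {"email": "a@example.com", "phone": "555-0100"})))
    print(handle_request(rec, ConsumerRequest(RequestType.KNOW_SPECIFIC,
                                              {"email": "a@example.com", "phone": "555-0100",
                                               "postal_code": "94103"})))
```

The two calls at the bottom show the difference between a two-point match (denied for a request to know specific pieces) and a three-point match (answered, with the SSN acknowledged but withheld). The tier table is the one place a business would tune when its own verification policy is set.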

Datawallet’s mission is to enable every organization to become compliant with the CCPA, GDPR and other privacy regulations in the easiest way possible, and to empower their consumers to be in charge of their data. Datawallet Consumer First Compliance is an easy-to-install, comprehensive, and flexible platform to manage a business’s every data-privacy compliance need.

Try our Datawallet CCPA Essentials for free today (no credit card required).

Or contact us to inquire about our Consent Management Platform (CMP) and custom solutions.

For a full screen version of this table, click here.
