CCPA - Updated Draft Regulations

The California Consumer Privacy Act (CCPA) went live on January 1, 2020, and enforcement begins in less than five months.  In quick succession, the California Attorney General (AG) has issued the second and third versions of draft CCPA regulations, following two periods of public comment on earlier iterations of the draft regulations.  Version 2.0 contained major revisions to the draft regulations, whereas the changes in Version 3.0 are comparatively minor.  This blog post summarizes the revisions reflected in Versions 2.0 and 3.0, focusing on four highly impacted areas: (1) definitions of key terms, (2) notices to consumers, (3) requests to know and delete, and (4) service providers.

Definitions of Key Terms
Personal Information - The AG provides guidance regarding the definition of “personal information.”  In essence, the proposed regulations clarify that what a business collects and what it does or is capable of doing with that information can influence whether the information constitutes personal information for CCPA purposes.  By way of illustration, the proposed regulations clarify that IP addresses of visitors to a website may not constitute personal information if the business collects them but does not (and could not reasonably) link them with a particular consumer or household.

Household - The AG has also clarified that “household” has three requirements: people who (1) reside at the same address; (2) share a common device or service; and (3) are identified (by the business) as sharing the same group account or unique identifier.  This clarification is important because the CCPA provides that “personal information” means information that relates to a particular consumer or household but does not define the term “household.”

Notices to Consumers

Notice Carve-Out - Version 3 of the draft regulations provides that businesses that do not collect personal information directly from consumers do not need to provide a notice to the customer if the business does not sell the personal information.

Unexpected Uses - A key component of the CCPA is notice to consumers.  Covered businesses must notify consumers of what information is collected and the business purpose for such collection.  The updated draft regulations introduce the concept of a “just-in-time notice” for unexpected uses of personal information collected from a consumer’s mobile device.  For example, per the regulations, a business offering a flashlight application that collects geolocation information must provide a just-in-time notice (i.e. through a pop-up window when the customer opens the app) summarizing the categories of personal information collected and linking to the full privacy notice.

Materiality Requirement for New Uses - Under the CCPA, covered businesses must disclose the personal information collected and the purpose for collecting that information.  The updated draft regulations clarify that a business must disclose new purposes that are “materially different” than those disclosed at the point of collection.  Version 1.0 of the draft regulations did not include the materiality threshold for new notices.

The Short-Lived Opt-Out Button - Version 2.0 of the regulations included an option and design for a button used to toggle a consumer’s right to opt-out of the sale of information.  Version 3.0 removes reference to the button.

Privacy Policies - Version 3.0 of the regulations places three additional requirements on privacy policies (that is, public-facing privacy notices).

  • First, privacy policies must identify the categories of sources from which personal information is collected in sufficient detail that consumers can understand those categories. 

  • Second, privacy policies must identify the commercial purpose for collecting or selling personal information. 

  • Third, if a business has actual knowledge that it sells personal information of children under 16, it must include a description of the processes for opting into the sale of personal information. 

Requests to Know and Delete

Methods for Submitting Requests to Know - The updated draft regulations clarify that a business may provide an email address only for submitting requests to know (rather than multiple methods for submitting requests, including a required toll-free number) if the business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information.  Covered businesses that do not meet these criteria must provide two or more designated methods for submitting requests to know, including a toll-free number.

Exemption from Obligation to Search for Information - In response to a consumer’s request to know, businesses do not need to search for personal information, if four conditions are met: (1) the business does not maintain the personal information in a searchable/reasonably accessible format; (2) the personal information is maintained solely for legal or compliance purposes; (3) the business does not sell or use the personal information for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search. 

This could be a key carve-out and make responding to requests to know far less onerous than if the law were to require a search of all systems that, for instance, stored data in unstructured and unsearchable formats. 

Clarification on responding to requests involving sensitive information - Version 3.0 builds on guidance issued in the two prior versions of the regulations to not disclose certain sensitive information in response to a request to know (i.e. SSN, driver’s license number, etc.).  Version 3.0 clarifies that a business must disclose details concerning the type of information collected.  It includes the following illustration: “For example, a business shall respond that it collects ‘unique biometric data including a fingerprint scan’ without disclosing the actual fingerprint scan data.”

Service Providers

Using Personal Information - The updated draft regulations set forth permissible ways in which a service provider may retain, use, or disclose personal information.  Most significantly, service providers may retain, use, or disclose such information (1) to retain and employ other service providers; and (2) for internal use to build or improve the quality of services (as long as that does not involve building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source). 

This is a significant clarification because it provides guidance about how service providers may retain their status while using the personal information collected for their own internal purposes. 

Service Providers and Responding to Requests - The updated draft regulations clarify that service providers who receive requests (to know or delete) must either act on the business’ behalf or inform the consumer they cannot process the request because they are a service provider.

About the Author

Adam Adler

Adam Adler is a Senior Associate at Schellman & Company. Prior to joining Schellman, Adam was a data privacy consultant focusing on privacy program development for existing and emerging privacy laws, including the GDPR and CCPA. An attorney by training, Adam leverages his legal education and background to understand the legal and practical implications of emerging laws.
