866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

California Consumer Privacy Act's Updated Draft Regulations Blog Feature
Adam Adler

By: Adam Adler

Print/Save as PDF

California Consumer Privacy Act's Updated Draft Regulations

News | Privacy Assessments

The California Consumer Privacy Act (CCPA) went live on January 1, 2020, and enforcement begins in less than five months.  In quick succession, the California Attorney General (AG) has issued the second and third versions of draft CCPA regulations, following two periods of public comment on earlier iterations of the draft regulations.  Version 2.0 contained major revisions to the draft regulations, whereas the changes in Version 3.0 are comparatively minor.  This blog post summarizes the revisions reflected in Versions 2.0 and 3.0, focusing on four highly impacted areas: (1) definitions of key terms, (2) notices to consumers, (3) requests to know and delete, and (4) service providers.

Definitions

Personal Information - The AG provides guidance regarding the definition of “personal information.”  In essence, the proposed regulations clarify that what a business collects and what it does or is capable of doing with that information can influence whether the information constitutes personal information for CCPA purposes.  By way of illustration, the proposed regulations clarify that IP addresses of visitors to a website may not constitute personal information if the business collects them but does not (and could not reasonably) link them with a particular consumer or household.

Household -The AG has also clarified that “household” has three requirements: people who (1) reside at the same address; (2) share a common device or service; and (3) are identified (by the business) as sharing the same group account or unique identifier.  This clarification is important because the CCPA provides that “personal information” means information that relates to a particular consumer or household but does not define the term “household.”

Notices to Consumers

Notice Carve-Out - Version 3 of the draft regulations provides that businesses that do not collect personal information directly from consumers do not need to provide a notice to the customer if the business does not sell the personal information.

Unexpected Uses - A key component of the CCPA is notice to consumers.  Covered businesses must notify consumers of what information is collected and the business purpose for such collection.  The updated draft regulations introduce the concept of a “just-in-time notice” for unexpected uses of personal information collected from a consumer’s mobile device.  For example, per the regulations, a business offering a flashlight application that collects geolocation information must provide a just-in-time notice (i.e. through a pop-up window when the customer opens the app) summarizing the categories of personal information collected and linking to the full privacy notice.

Materiality Requirement for New Uses - Under the CCPA, covered businesses must disclose the personal information collected and the purpose for collecting that information.  The updated draft regulations clarify that a business must disclose new purposes that are “materially different” than those disclosed at the point of collection.  Version 1.0 of the draft regulations did not include the materiality threshold for new notices.

The Short-Lived Opt-Out Button - Version 2.0 of the regulations included an option and design for a button used to toggle a consumer’s right to opt-out of the sale of information.  Version 3.0 removes reference to the button.

Privacy Policies - Version 3.0 of the regulations places three additional requirements on privacy policies (that is, public-facing privacy notices).

  • First, privacy policies must identify the categories of sources from which personal information is collected in sufficient detail that consumers can understand those categories. 

  • Second, privacy policies must identify the commercial purpose for collecting or selling personal information. 

  • Third, if a business has actual knowledge that it sells personal information of children under 16, it must include a description of the processes for opting into the sale of personal information. 

Requests to Know and Delete

Methods for Submitting Requests to Know - The updated draft regulations clarify that a business may provide an email address only for submitting requests to know (rather than multiple methods for submitting requests, including a required toll-free number) if the business operates exclusively online and has a direct relationship with a consumer from whom it collects personal information.  Covered businesses that do not meet these criteria must provide two or more designated methods for submitting requests to know, including a toll-free number.

Exemption from Obligation to Search for Information - In response to a consumer’s request to know, businesses do not need to search for personal information, if four conditions are met: (1) the business does not maintain the personal information in a searchable/reasonably accessible format; (2) the personal information is maintained solely for legal or compliance purposes; (3) the business does not sell or use the personal information for any commercial purpose; and (4) the business describes to the consumer the categories of records that may contain personal information that it did not search. 

This could be a key carve-out and make responding to requests to know far less onerous than if the law were to require a search of all systems that, for instance, stored data in unstructured and unsearchable formats. 

Clarification on responding to requests involving sensitive information - Version 3.0 builds on guidance issued in the two prior versions of the regulations to not disclose certain sensitive information in response to a request to know (i.e. SSN, driver’s license number, etc.).  Version 3.0 clarifies that a business must disclose details concerning the type of information collected.  It includes the following illustration: “For example, a business shall respond that it collects ‘unique biometric data including a fingerprint scan’ without disclosing the actual fingerprint scan data.”

Service Providers

Using Personal Information - The updated draft regulations set forth permissible ways in which a service provider may retain, use, or disclose personal information.  Most significantly, service providers may retain, use, or disclose such information (1) to retain and employ other service providers; and (2) for internal use to build or improve the quality of services (as long as that does not involve building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source). 

This is a significant clarification because it provides guidance about how service providers may retain their status while using the personal information collected for their own internal purposes. 

Service Providers and Responding to Requests - The updated draft regulations clarify that service providers who receive requests (to know or delete) must either act on the business’ behalf or inform the consumer they cannot process the request because they are a service provider.

About Adam Adler

Adam Adler is a Senior Manager of Privacy & Security Compliance at Schellman. Prior to joining Schellman, Adam was a data privacy consultant focusing on privacy program development for existing and emerging privacy laws, including the GDPR and CCPA. An attorney by training, Adam leverages his legal background to educate clients about the practical implications of emerging laws.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.