Those privacy professionals following the California Consumer Privacy Act (also known as the CCPA) have been eagerly awaiting final regulations from the California Attorney General (CA AG). Unfortunately, we will have to wait a little longer. On February 10, 2020, the CA AG published the Revised Proposed Regulations. This means that the California public will have another opportunity to submit their comments on the CCPA regulations before the CA AG makes additional revisions. The deadline to submit written comments is February 25, 2020. From there, the CA AG has until July 1, 2020 to finalize the regulations.
The Revised Proposed Regulations made several changes to the Initial Proposed Regulations that were published on October 11, 2019. One helpful clarification is the reminder in Section 999.302(a) that each of the examples of personal information listed in the statute still “depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” The text of the regulation continues to give an example that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” This is a helpful reminder to many who were worried about the broad applicability of the CCPA after seeing IP addresses listed as one example of “personal information” under the statute. Other helpful clarifications include additional examples of discriminatory practices under the CCPA. These examples should help businesses adjust their loyalty programs to comply with the CCPA’s prohibition against discrimination. In addition to editing grammatical errors, other changes in the Revised Proposed Regulations impact privacy policies, mobile apps, notices to applicants and employees, loyalty programs, service providers, and handling and responding to consumer requests. The International Association of Privacy Professionals (IAPP) recently published this article summarizing some of these changes.
The CCPA requires businesses to update their privacy disclosures; respond to consumer requests for data access, deletion, or to opt-out of data sales; ensure their loyalty programs do not discriminate against consumers; update their vendor agreements; train their staff; and implement reasonable security practices. Feel free to contact the KMK Law Cybersecurity & Privacy Team for more information on how the CCPA and other various data privacy laws may be affecting your business.
 California Consumer Privacy Act Revised Proposed Regulations § 999.302(a),
 California Consumer Privacy Act Revised Proposed Regulations § 999.336(d)(2),(3),(4).
 Elaine Critides, Jim Halpert, Lael Bellamy, CIPP/US, & Tracy Shapiro, CCPA proposed modified regs 2.0 issued in Calif., Privacy Tracker: IAPP (Feb. 11, 2020), https://iapp.org/news/a/ccpa-proposed-modified-regs-2-0-issued-in-california/.
 Cal Civ Code Div. 3, Pt. 4, Tit. 1.81.5.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
© 2023 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Privacy Laws
- California Consumer Privacy Act
- Cybersecurity Regulation
- Cyber Insurance
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- GDPR Compliance: What is Privacy Shield 2.0?
- Connecticut's Data Privacy Law
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Utah Consumer Privacy Act
- The Colorado Privacy Act
- The Virginia Consumer Data Protection Act
- State Data Privacy Law Series
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- 2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation
- Cybersecurity Remains a Top Concern