Those privacy professionals following the California Consumer Privacy Act (also known as the CCPA) have been eagerly awaiting final regulations from the California Attorney General (CA AG). Unfortunately, we will have to wait a little longer. On February 10, 2020, the CA AG published the Revised Proposed Regulations. This means that the California public will have another opportunity to submit their comments on the CCPA regulations before the CA AG makes additional revisions. The deadline to submit written comments is February 25, 2020. From there, the CA AG has until July 1, 2020 to finalize the regulations.
The Revised Proposed Regulations made several changes to the Initial Proposed Regulations that were published on October 11, 2019. One helpful clarification is the reminder in Section 999.302(a) that each of the examples of personal information listed in the statute still “depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’” The text of the regulation continues to give an example that “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” This is a helpful reminder to many who were worried about the broad applicability of the CCPA after seeing IP addresses listed as one example of “personal information” under the statute. Other helpful clarifications include additional examples of discriminatory practices under the CCPA. These examples should help businesses adjust their loyalty programs to comply with the CCPA’s prohibition against discrimination. In addition to editing grammatical errors, other changes in the Revised Proposed Regulations impact privacy policies, mobile apps, notices to applicants and employees, loyalty programs, service providers, and handling and responding to consumer requests. The International Association of Privacy Professionals (IAPP) recently published this article summarizing some of these changes.
The CCPA requires businesses to update their privacy disclosures; respond to consumer requests to access or delete data or to opt out of data sales; ensure their loyalty programs do not discriminate against consumers; update their vendor agreements; train their staff; and implement reasonable security practices. Feel free to contact the KMK Law Cybersecurity & Privacy Team for more information on how the CCPA and various other data privacy laws may be affecting your business.
 California Consumer Privacy Act Revised Proposed Regulations § 999.302(a).
 California Consumer Privacy Act Revised Proposed Regulations § 999.336(d)(2),(3),(4).
 Elaine Critides, Jim Halpert, Lael Bellamy, CIPP/US, & Tracy Shapiro, CCPA proposed modified regs 2.0 issued in Calif., Privacy Tracker: IAPP (Feb. 11, 2020), https://iapp.org/news/a/ccpa-proposed-modified-regs-2-0-issued-in-california/.
 Cal Civ Code Div. 3, Pt. 4, Tit. 1.81.5.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2020 Keating Muething & Klekamp PLL. All Rights Reserved