California Attorney General Releases Third Draft of CCPA Regulations

On March 11, California Attorney General (AG) Xavier Becerra released a third version of draft regulations implementing the California Consumer Privacy Act (CCPA). The third draft contains relatively minor changes from the second draft, which was released in February, suggesting that the AG is close to finalizing the regulations, and that enforcement is likely to begin on schedule on July 1, 2020.

Among the changes effected by the new draft: 

• Removes the optional use of a button on businesses' websites to be used by consumers to opt-out of the sale of their personal information.
• Clarifies, as required by the statutory language of the CCPA itself, that a business' privacy policy must "identify the categories of sources from which the personal information is collected" and "identify the business or commercial purpose for collecting or selling personal information."
• Notes a business shall not disclose, in response to a request to know, sensitive types of personal information.^[1] A business must, however, "inform the consumer with sufficient particularity that it has collected the type of information."
• States that a business' "notice at collection of employment-related information is not required to provide a link to the business' privacy policy[]" through January 1, 2021. States that "a service provider shall not retain, use, or disclose of personal information obtained in the course of providing services except…to process or maintain information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA[.]" Previously, the regulations simply stated that a service provider was permitted to "perform services specified in the written contract with the business that provided the personal information[.]"
• Also states that "a service provider shall not retain, use, or disclose of personal information obtained in the course of providing services except…[f]or internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, to use in providing services to another business, or correcting or augmenting data acquired from another source[.]"
• Removes the restriction on using pre-selected options in privacy controls used to permit a consumer to opt-out of the sale of their personal information. 

The Attorney General's third draft of the regulations will undergo another round of notice and comment. Businesses that want to submit comments must do so by 5:00 p.m. PDT on March 27, 2020. While substantial changes to the regulations are unlikely, businesses should continue to monitor developments from the Attorney General on the implementation and enforcement of the CCPA. The Attorney General’s regulations will likely be finalized this Spring, in advance of the July 1, 2020 enforcement date.

[1] Specifically, a business shall not, in response to a right to know request, disclose a consumer's Social Security number, driver's license number or other government issued identification number, financial account number, any health insurance or medical information number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.