Attorney General Xavier Becerra Releases Modified CCPA Regulations

On February 10, 2020, the California Attorney General's office released its latest version of the regulations implementing California's new data privacy law, the California Consumer Privacy Act (CCPA). These regulations modify the initial draft of CCPA regulations released by the Attorney General on October 10, 2019. The modified regulations are not final, and focus on implementing some of the public feedback received by the Attorney General following the publication of the initial draft last year. After further feedback, the Attorney General's office is expected to release final regulations in the next few months.

The CCPA is the strictest privacy law in the nation. It imposes significant obligations on companies with respect to the personal information of California residents. The law took effect on January 1, 2020, with enforcement delayed until July 1, 2020.

Some of the major changes to the proposed regulations include:

Notice Requirement for Changes in Use: Setting a more lenient standard that notice is now required only if the new use of the consumer's information is "materially different" from the purpose originally disclosed. Narrowing the Scope of "Personal Information": Providing further guidance that data is not "personal information" covered by the CCPA simply because it falls within one of the categories enumerated in the statute; in any event the data must still be reasonably associated or reasonably linked to a person. The regulations provide a clarifying example that an IP address is not "personal information" when a business collects it from its own website visitors, but does not link it to any particular customer or household and could not reasonably link it with a particular customer or household. Clarifying the Definition of "Household": The definition of "household" is now limited to a person or group of people who (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier. The amended proposed regulations also provide new requirements that businesses must meet before responding to requests to access and requests to delete originating from a household that does not have a password-protected account with that business, including that all members of the household must jointly make the request, that the business verify the identity of each member of the household and that the business...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT