News & Resources

Publications & Media

California AG Updates the Proposed CCPA Regulations: Only a Few More of the Puzzle Pieces Fit

Data Privacy & Security Alert Linda Emery, Heather Buchta, Elizabeth Wamboldt

The California Attorney General ("AG") recently issued an updated draft of the proposed regulations to the California Consumer Privacy Act (the “CCPA”) which can be found here.

While the revised draft includes some helpful clarifications, questions still abound. The key changes proposed by the California AG include:

Definition of Personal Information. The AG clarified several definitions, the most important of which is the definition of “personal information.” Whether information is considered “personal information” hinges on whether “the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household’.” In other words, an IP address is not considered personal information if the business does not link the IP address to any particular consumer or household, or could not reasonably link such information (§999.302).

Overview of Required Notices. The AG’s office provided an overview of the required notices a business must provide pursuant to the CCPA. These clarifications include that: (a) every business subject to the CCPA must provide a privacy policy; (b) any business that collects personal information must provide “notice at collection”; (c) any business that sells personal information must provide notice of the "right to opt-out"; and (d) any business that offers financial incentives must provide notice of such incentives (§ 999.304). This clarifies that the AG is looking for additional notices at the point of collection in addition to the general privacy notice.

Notice at Collection. In the updated proposed regulations, the AG indicates that a “notice at collection” is required on all webpages where personal information is collected (§999.305(a)). With regard to mobile apps, one option is to provide a link to the notice on the mobile app’s download page and through the mobile app’s settings menu (§ 999.305(a)(3)(b)). Further, if a mobile app collects personal information for a purpose that the consumer would not reasonably expect, a just-in-time notice is required (§ 999.305(a)(4)). Finally, when a business collects personal information over the telephone or in person, the “notice at collection” may be provided orally.

Employee Data. Most of the CCPA does not apply to employee or applicant personal information until January 1, 2021, with notable exceptions. One exception is that employers must comply with certain aspects of the "notice at collection." The updated proposed regulations clarify that (a) the "notice at collection" does not need to include the "do not sell my personal information" button or link, and (b) a separate employee or applicant privacy policy may be referenced in the "notice at collection" instead of the business' general privacy policy (§ 999.305(e)).

Do Not Sell My Personal Information. The updated proposed regulations now provide these pictures of a “do not sell my personal information” button (§ 999.306(f)):

The updated proposed regulations also provide an option for a business to obtain affirmative authorization from a consumer to sell personal information in the event the business did not have a notice of the "right to opt-out" posted (§ 999.306(e)).

Clarified Timeframes. The AG's office clarified the timeframes for responses to consumer requests, most importantly by addressing calendar days versus business days.

Methods for Data Subject Requests. The methods for submitting and responding to “requests to know” and “requests to delete” were clarified. For example, a business operating exclusively online is only required to provide an email address for submitting “requests to know” (§ 999.312(a)). Further, a business may confirm receipt of “requests to know” or “requests to delete” in the same method in which the requests were received. Therefore, confirmation can be provided verbally during a phone call if the consumer makes a request over the phone (§ 999.313(a)).

Service Providers. Service providers have express obligations pursuant to the updated proposed regulations. For example, if a service provider receives a “request to know” or a “request to delete” from a consumer, it shall either (a) act on behalf of the business in responding to the request; or (b) inform the consumer that the request cannot be acted upon because the request has been sent to a services provider (§ 999.314(e)).

Although it remains to be seen what additional changes will occur when the CCPA regulations are finalized, businesses should act now to prepare for the finalized regulations. We anticipate the final regulations will be issued prior to the July 1, 2020 enforcement date, but it is unclear how quickly the regulations will be finalized or how many additional iterations we may see prior to that date.

To learn more about how the CCPA and the proposed regulations may affect your business, please contact your Quarles & Brady attorney or

We have updated our Privacy Policy. Please click here to view our new policy.