Significant updates in the latest set of revisions include the following:
- The revisions published on February 10 contained guidance regarding the interpretation of “personal information.” An example accompanying that guidance recognized that, in some instances, an IP address collected from a website visitor may not be considered personal information if the IP address cannot be reasonably linked to a particular consumer or household. This guidance has now been deleted.
- The updated regulations clarify that a business that doesn’t collect personal information directly from a consumer does not need to provide notice at the point of collection if it does not sell that personal information. Among those benefiting from this provision are likely to be service providers who are also considered “businesses” for CCPA purposes and therefore have their own direct CCPA obligations.
- Businesses must disclose meaningful information about the “categories of sources” from which they collect personal information as well as the business or commercial purpose for which they collect or sell it in their privacy policies.
- In response to a request to know, a business must disclose information about the types of biometric data collected but is prohibited from disclosing the “unique biometric data” itself. Under the prior proposed regulations, a business is also prohibited from disclosing SSNs, driver’s license numbers and other government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords, security questions or answers to security questions in response to a request to know.
- The February 10 draft updates required a business that could not verify a consumer who had made a request to delete his or her information to offer the unverified consumer the right to opt out of the sale of his or her personal information. In the latest update, this requirement has been modified to apply in cases where a business that sells information denies a consumer’s request to delete.
- Service providers would now be permitted to process personal information on behalf of businesses “in compliance with the written contract for services.” This revision expands prior language which limited service providers to performing the “services specified in the written contract.”
The latest revisions were made in response to about 100 comments received on the last round of modifications published on February 10. Written comments are being accepted by mail or email through 5 p.m. on March 27, 2020. More information about submitting comments is available here.
California’s attorney general is required to finalize the CCPA’s regulations by July 1, 2020.