The California Consumer Privacy Act (CCPA) Revised Draft Regulations Provide Additional Guidance and Raise Questions for Businesses

Some of the changes/clarifications in the revised CCPA draft regulations include:

  • Clarification that the collection of IP addresses without linking the IP addresses to any particular consumers is not, in and of itself, the collection of “personal information”
  • Specific reference to the method by which a privacy notice needs to be accessible to consumers with disabilities
  • A provision relating to the collection of personal information from a mobile device and a requirement that the collection of certain personal information will require a “just-in-time” notice prior to the collection of such information
  • A requirement that data brokers who do not collect information directly from consumers provide a link to the California Attorney General through which consumers can visit the data broker’s website and submit an opt-out request
  • Clarification that a business that does not collect personal information directly from a consumer does not need to provide notice at time of collection if the business does not sell the consumer’s information
  • More disclosure requirements for businesses that sell personal information of minors under 16 years of age
  • Examples of customer loyalty programs and how a business can still run such a program and be in compliance with the CCPA, which prohibits discrimination against a consumer who exercises his/her rights under the CCPA
  • Additional specific guidance regarding required provisions for service provider agreements

Many of the changes to the revised draft regulations include suggested methods by which businesses must verify consumers who submit consumer requests to know or to delete under the CCPA. Before a business provides a consumer with a copy of that consumer’s personal information, the CCPA requires the business to verify that the consumer is actually who he/she claims to be. For a business that operates a website with password-protected accounts, verifying consumers may be relatively simple, as the business can use the same verification methods it currently employs (i.e., entry of a password, sending a code to a mobile device, having a verification question for a consumer to answer).

When a consumer does not have a password-protected account with a business, however, verification can be much trickier, and the current draft regulations describe several methods through which a business can verify a consumer making a consumer request. Depending on the nature of the information a consumer is seeking, or the nature of the information a consumer is asking to delete, verification of the consumer can be cumbersome and time consuming, requiring such things as confirming three data points of verification and providing a notarized statement under penalty of perjury.

Takeaway: The revised draft regulations, and the CCPA in general, make clear that businesses must take the privacy of individuals seriously, and it may take some effort to make sure a business is in compliance with the law. A business must continue to evaluate its data collection and sharing practices in light of evolving compliance obligations.
