On February 7, 2020, the California Attorney General’s Office (OAG) issued proposed changes to the California Consumer Privacy Act Regulations (Modified Regulations), which were originally issued on October 11, 2019. Organizations have until February 24 to submit written comments on the proposed changes to the regulations implementing the CCPA.

Key Changes

Some of the major changes in the Modified Regulations include:

  • Accessibility Standard. For notices and privacy policies provided online, businesses must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
  • Opt-Out Button. The Modified Regulations include an opt-out button that businesses can use on their websites to alert consumers of their right to opt out of sales of their personal information.
  • Service Provider Data Use. The Modified Regulations clarify that service providers may use personal information internally to build or improve the quality of their services, so long as the use does not include building or modifying household or consumer profiles.
  • Valuation of Personal Information. Under the Modified Regulations, if a business cannot calculate an estimate of the value of a consumer’s data to show the rationale for its financial incentive program or price difference, the business cannot offer the financial incentive or price difference.
  • Recordkeeping. In a supplemental update released February 10, the OAG increased from four million to 10 million the threshold number of consumers whose personal information a business must buy or sell for commercial purposes in order to be required to annually publicly disclose metrics of the numbers of consumer requests received, complied with in whole or in part, or denied.
  • Mobile. The Modified Regulations are more explicit in their reference to mobile applications, including in relation to “Do Not Sell My Personal Info” opt-out links and just-in-time notices.
  • Personal Information Clarification. Using IP address as an example, the Modified Regulations clarify that some reasonable linkage, whether direct or indirect, to a particular consumer or household is necessary in order for information to be characterized as “personal information” (PI).

Click here to read the full GT Alert, “OAG Proposes Significant Changes to CCPA Regulations.”

Kate Black

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and overseeing security policy audits for leading health technology companies. She regularly advises on proposed regulatory and legislative changes that will impact the health technology environment and has been a featured speaker and frequent lecturer on data privacy and cybersecurity, data analytics, digital health, mobile medical applications, and privacy issues related to genetic and health research.

Prior to joining the firm, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.

Gretchen A. Ramos

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.