On February 7, 2020, the California Attorney General’s Office (OAG) issued proposed changes to the California Consumer Privacy Act Regulations (Modified Regulations), which were originally issued on October 11, 2019. Organizations have until February 24 to submit written comments on the proposed changes to the regulations implementing the CCPA.
Some of the major changes in the Modified Regulations include:
- Accessibility Standard. For notices and privacy policies provided online, businesses must follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.
- Opt-Out Button. The Modified Regulations include an opt-out button that businesses can use on their websites to alert consumers of their right to opt out of sales of their personal information.
- Service Provider Data Use. The Modified Regulations clarify that service providers may use personal information internally to build or improve the quality of their services, so long as the use does not include building or modifying household or consumer profiles.
- Valuation of Personal Information. Under the Modified Regulations, if a business cannot calculate an estimate of the value of a consumer’s data to show the rationale for its financial incentive program or price difference, the business cannot offer the financial incentive or price difference.
- Recordkeeping. In a supplemental update released February 10, the OAG raised the recordkeeping threshold from four million to 10 million consumers. A business that buys or sells the personal information of that number of consumers for commercial purposes must annually publicly disclose metrics on the number of consumer requests received, complied with in whole or in part, or denied.
- Mobile. The Modified Regulations are more explicit in their reference to mobile applications, including in relation to “Do Not Sell My Personal Info” opt-out links and just-in-time notices.
- Personal Information Clarification. Using IP address as an example, the Modified Regulations clarify that some reasonable linkage, whether direct or indirect, to a particular consumer or household is necessary in order for information to be characterized as “personal information” (PI).