The California Attorney General has released both clean and redlined versions of proposed modifications to the draft implementing regulations for the California Consumer Privacy Act (“CCPA”). Below is a high-level overview of some key changes:

  1. Service Providers. The modified draft restricts a service provider from processing the personal information it receives from a business except in the following five circumstances: (1) performing services in the contract with the business that provided the personal information, (2) engaging a different service provider as a subcontractor, (3) using the data internally to build or improve the quality of its services (to the extent that use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source); (4) detecting data security incidents or protecting against fraudulent or illegal activity; or (5) processing in accordance with certain exemptions to the CCPA. The draft also eliminates the requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business, instead permitting (without requiring) service providers to respond directly.
  2. Obligations around “selling” data. The modified draft fills a placeholder contained in the last draft for an example “do not sell” button (image of the two options in which the button may appear below).


    The new draft also eliminates the controversial requirement (which wasn’t in the statute) for a business  to pass through opt-out-of-sale requests to all parties to which the business sold a consumer’s personal information in the 90 days before the consumer exercised his or her right. However, the modified draft also contains a new requirement that businesses comply with a consumer’s opt-out request within 15 business days. Furthermore, if the business sells personal information to a third party after the consumer submitted his or her request, but before the business complied with it, the modified draft regulations require the business to notify those third parties of the consumer’s exercise of the opt-out right and direct those third parties not to sell the personal information. The modified draft regulations also allow businesses that do not collect information directly from consumers to include a link to a privacy policy with instructions on how to submit an opt-out request in their registration under the state’s new data broker law. Finally, the modified draft clarifies that any privacy control developed to submit opt-out-of-sale requests must clearly communicate the user’s intent to opt out of sales and shall not be designed with any pre-selected settings.  (Importantly, the draft regulations focus on user-enabled privacy settings that control the “sale” of personal information, which are, by definition, distinct from “do not track” settings that control the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services.)
  3. Access and Deletion Rights. The modified draft regulations make permissive the previous iteration’s requirement that deletion requests be submitted through a two-step process. They also clarify additional circumstances when a business need not search for information in response to a request to know. The new version incorporates the statutory amendment for when a toll-free telephone number is not necessary and explains that authorized agents must be registered to conduct business in California.
  4. Mobile. The modified draft regulations also explicitly address mobile technology. For example, if a business provides an application that collects personal information from a consumer’s device in an unexpected manner, the application has to provide just-in-time notice.
  5. Household. The modified draft regulations also change the requirements around household information. They permit businesses to respond to access and deletion requests related to household information from non-account holding consumers, only if all consumers of the household jointly request access, the business individually verifies them, and the business verifies that each member making the request is a current member of the household. If there’s a child younger than 13 in the household, a business must obtain verifiable parental consent under the regulations before complying with a request.
  6. Notice. The modified draft regulations specify that online notices must follow generally recognized industry standards to be accessible to consumers with disabilities. They also now more clearly emphasize that businesses have flexibility in the specific formatting of their notices. The new version requires more explicit notices in the employment context.
  7. Scope of Personal Information. The modified draft regulations explain that whether information is “personal information” depends on whether it is maintained in a manner in which it is reasonably capable of being associated with a particular consumer. The modified draft regulations then explicitly note that if a business collects an IP address but does not link the IP address to a consumer or household, then that IP address is not “personal information” under the statute.
  8. Minors. The modified draft regulations clarify that a business has to develop documented procedures to collect consent for the sale of minors’ personal information only if the business sells that personal information.
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.