Still at the Drawing Board: Unpacking the Third Draft of the California AG’s CCPA Regulations

About a month ago, the California Department of Justice published a second draft of its CCPA regulations, which we broke down in a two-part series that you can find here and here. Last Wednesday the Department unexpectedly released a third draft of the proposed regulations.

This latest draft includes various changes to the language of the regulations, many of which, thankfully, should not impact organizations’ compliance efforts. But some of the changes are significant. This post examines three that could impact how organizations approach compliance in the months that remain before the CCPA’s July 1 enforcement date.

Relief for Businesses that Indirectly “Collect” Personal Information

First, some good news. The revised regulations provide much-needed relief for businesses that indirectly collect—but do not sell—personal information. The CCPA generally requires a business to provide consumers with a privacy notice “at or before the point of collection” of personal information. “Collect” is defined broadly under the CCPA to include the receipt of a consumer’s personal information from a third party.

The problem, of course, is that businesses that obtain personal information from a third party, instead of from a consumer directly, often don’t have a good way to comply with the CCPA’s notice-at-collection requirements. The original draft regulations therefore excepted these businesses from the notice-at-collection requirement and imposed additional notice requirements on any subsequent sales of consumers’ personal information. But the Department’s second draft took the exception away from most businesses, limiting its application to registered data brokers, as we lamented in our last post on this topic.

Fortunately, the Department appears to have seen the error of its ways. In this latest draft, “[a] business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information.” The exception for data brokers remains in place.

Although the revised approach is a much-welcomed change, it does raise some interesting questions. Is there any way that a non-data-broker that takes advantage of the exception can later decide to sell the consumer’s personal information? The first draft of the regulations contemplated this scenario and provided a framework for facilitating sales that no longer exists. Are businesses that cannot rely on the new exception because they sell indirectly-collected personal information automatically data brokers? The revised regulatory text seems to assume that is the case.

Death of the Opt-Out Button

Another welcome development: The much-derided red opt-out button got the axe. In the second draft, the Department proposed the button as a standard mechanism that could be used by businesses in addition to posting a notice of the right to opt-out. Although well-meaning, the opt-out button generated significant criticism. It was confusing and created usability issues—so it had to go.

The Scope of “Personal Information”: What the Department Giveth, the Department Taketh Away

Now for some bad news: The helpful narrowing of the definition of “personal information” that appeared in the second draft of the proposed regulations has disappeared.

As we explained in our previous post, the CCPA’s definition of personal information can be read very broadly, with unfortunate consequences for many small- and medium-sized businesses. For example, the inclusion of IP addresses as an example of personal information could cause any operator of a website that does business in California and collects IP addresses from an average of 137 daily unique California visitors to qualify as a “business” under the law.

The second draft of the regulations offered some relief for these businesses by clarifying that information, including IP addresses, only qualifies as “personal information” under the CCPA if the organization maintains the information in a manner that is reasonably associated with, or could potentially be linked with, a consumer or household. The Department removed this language from the third draft. The change suggests that the Department concluded it does not have the authority to interpret the statute in this manner.

This unfortunate development may require numerous small- and medium-sized businesses to implement the burdensome requirements of the CCPA when they may not have otherwise been covered by the law.

Looking Ahead

This latest draft of the proposed regulations is open for public comment until March 27 at 5 p.m. Following the comment period, the Department could choose to finalize the rules for approval by California’s Office of Administrative Law, or it could release yet another revised draft, which would be subject to another 15-day public comment period. We would not be surprised to see the Department make technical corrections to the regulations, but it is also possible that more substantive revisions are coming. The Department has, after all, failed to provide any meaningful regulatory guidance on the types of activities that qualify as a sale under the law, among other things.

So here we are: About three months past the effective date of the CCPA, about three months from the enforcement date, and the Department is still trying to find a way to implement a half-baked regulatory framework foisted upon it (and all of us) by the California State Assembly. Keep watching this space. And remember, we’re here to help. If you need help evaluating the impact of the latest draft regulations on your organization, or you are just behind and need to jump-start your CCPA compliance efforts, there is no time like the present.