CCPA Compliance Update: Three Key Revisions to Regulations

California Attorney General Xavier Becerra somewhat unexpectedly proposed revisions to the CCPA regulations last week, including several substantive modifications to what was previously thought of as potentially final regulations (see our prior alert describing five changes companies should address now). While many businesses are currently consumed with managing the effects of the coronavirus pandemic, we have yet to hear of any postponement of the July 1 compliance deadline. With that in mind, here are three key revisions made by the latest regulations:

1. Regulation § 999.312(a) previously provided that IP addresses would not be considered “personal information” for purposes of the CCPA, so long as a business does not link collected IP addresses with an individual consumer or household. However, the most recent revisions deleted this section. This means that the definition of “personal information” has reverted to its broad formulation, which explicitly includes IP addresses. Businesses using website analytics providers or ad tech platforms (or otherwise sharing IP addresses or other device identifiers of their web visitors with third parties) now need to consider whether they need to disclose that they are “selling” web visitors’ personal information and provide a Do Not Sell opt-out. In evaluating this issue, a business should investigate whether each platform that it uses (a) provides functionality to limit collection or to anonymize IP addresses or identifiers, or (b) is otherwise prevented via a written contract from retaining, using or disclosing collected IP addresses and identifiers for any purpose other than providing services to the business (in this latter case that the platform would qualify as a service provider under the CCPA).
2. The latest revisions have also reinserted a version of the privacy policy disclosure requirements related to the source and commercial purpose for the collection of personal information that does not require disclosure for each category of personal information collected. Privacy policies must now generally (1) identify the categories of sources from which personal information is collected, and (2) identify the business or commercial purpose for collecting or selling personal information. This additional information will add to the length of privacy policies but represents a compromise from the more comprehensive disclosure requirements in the initial version of the regulations.
3. Finally, the CCPA charged the AG to develop a recognizable and uniform logo or button that could be used in connection with a notice of the right to opt-out of the sale of personal information. The AG had proposed a logo in the prior version of the regulations, but the March 11 revisions deleted reference to this proposed logo. Until the AG puts forth a new logo, website opt-outs should be facilitated via a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.”

With the comment period for the revised regulations set to close on March 27, 2020, it is unlikely that a finalized version of the regulations will be posted by the California Secretary of State by the CCPA’s enforcement deadline of July 1. Practically speaking, this means that as of July 1, the AG will have the authority to enforce the provisions of the CCPA, but will likely not yet have enacted regulations to guide enforcement. Regardless, businesses need to continue to make the steps now to ensure compliance by July 1.