On February 7, 2020, California Attorney General Xavier Becerra released a revised set of proposed regulations for the California Consumer Privacy Act of 2018 ("CCPA"), and released an additional amendment on February 10, 2020.1 These proposed regulations provide further details and clarifications on the steps businesses must take to comply with the CCPA. This is not the end of the road for the development of the regulations, however, as the Attorney General will at least consider additional comments, which must be submitted by February 25, 2020, before the regulations are finalized.2
The CCPA3 took effect January 1, 2020, and aims to give California consumers increased visibility into and control over how companies use and share their personal information. It applies to all entities doing business in California and collecting California consumers' personal information if they meet certain thresholds. The Attorney General's power to enforce the law is delayed until July 1, 2020. More information can be found in our prior client alerts on the topic, including a summary of the statute ( here), amendments from October 2018 ( here), additional proposed amendments ( here), the Attorney General's draft regulations ( here), the final amendments signed in October 2019 ( here), and a summary of CCPA developments heading into 2020 ( here).
The revised version of the proposed regulations adjusts some of the requirements imposed on businesses by the initial proposed regulations, clarifies certain definitional ambiguities, and includes additional proposed provisions relating to service providers' handling of personal information.
Below, we briefly summarize a number of the key changes in the revised proposed regulations. The list is not exhaustive, and we encourage you to contact us with any questions. As the public comment period is an important opportunity for companies to provide feedback to shape the proposed regulations, please feel free to contact any of the Gibson Dunn attorneys listed below if you are interested in submitting comments in advance of the February 25, 2020 deadline.
Key Definitions Clarified
"Personal information": Version 2.0 of the proposed regulations ("Version 2.0") adds guidance for interpreting the definition of "personal information" under the CCPA, alleviating some concern regarding exactly how broadly "personal information" would be applied. Specifically, whether information constitutes "personal information" depends on "whether the business maintains [the] information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."4 The revised regulations clarify that IP addresseswhich have been a particular focus for companies collecting statistical and analytical information on the usage of their websitesthat are not tied to any identifiable consumers or households, and that cannot be reasonably linked to any identifiable consumer or household, do not constitute "personal information" under the CCPA in those instances.5 "Categories": Version 2.0 clarifies that businesses must describe "categories of sources"6 and "categories of third parties"7 to consumers in notices at collection, privacy policies, and in response to verified requests to know with "enough particularity to provide consumers with a meaningful understanding of the type" of source or third party. Notices At Collection Must Be Readily Accessible
The revised regulations...