Key Changes in the AG’s Updated Proposed CCPA Regulations

Published On February 9, 2020 | By Ken Dreifach, Jon Frankel, Anna Hsia, Zach Lerner, Melissa Maalouf, Kandi Parsons, Marci Rozen, Mason Weisz and Marc Zwillinger | Data Security, FTC & State AG, General, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

This post was updated on 2/11/2020 to reflect revisions made by the California Attorney General on 2/10/2020.

The California Attorney General released an update to its proposed California Consumer Privacy Act Regulations, and companies have until 5 pm PT on February 24 to submit comments on this updated draft. Key changes include: 


  1. Clarifying that to qualify as personal information (“PI”), information must be maintained in a manner such that it could be reasonably linked to a particular consumer or household. For example, IP addresses are not necessarily PI if a business cannot reasonably link them to a particular consumer or household. Therefore, a company that collects only IP addresses that are not tied to any other PI would not qualify as a “business” under the CCPA, or a business that cannot reasonably link IP addresses to a consumer would not need to process access or deletion requests for such data. 999.302(a).

Notice Requirements

  1. Confirming that the notice at collection is different than the privacy policy and must be given at or before collection of PI from a consumer but clarifying that this notice can be provided via a link on the business’s introductory page and any page on which PI is collected. 999.305(a)(3).
  2. Clarifying that for mobile apps, the link to the privacy policy, link to the DNS opt-out page, and the notice at collection should be in the settings menu (in addition to the download page as previously proposed). 999.306(b) and 308(b). 
  3. Adding a new requirement for “Just-in-Time” notices on mobile for any unexpected use of data. 999.305(a)(4). 
  4. Removing the requirement that the purpose of uses of PI and the categories of sources have to be listed separately for each category of information collected. This may remove the practical need to include charts in the privacy policy or in response to access requests.  However, it is still the case that for each category of PI collected, businesses must disclose (both in privacy policy and in response to access requests) the categories of third parties to which the information was disclosed or sold. 999.308(c).
  5. Clarifying that the requirement to obtain explicit consent from consumer if using PI for a previously undisclosed purpose applies only to previously-collected PI (which effectively codifies the FTC’s expectation that businesses obtain consent for material retroactive changes). 999.305(a)(5).
  6. Removing the requirement for data resellers to ensure that a “notice at collection” or “direct notice” was provided to consumers, provided they register as data brokers and, in that registration, include a link to their privacy policy containing opt-out instructions. 999.305(d).  

Do Not Sell 

  1. Clarifying that businesses do not need to offer employees or job applicants a “Do Not Sell” link but requiring that businesses present employees and applicants with a notice at collection, which can be a link to an employee-specific privacy policy. 999.305(e).
  2. Adding a new section that clarifies that businesses may not sell data collected while a Do Not Sell link was not posted, but that consumers whose data was collected during that time period are no longer deemed to have opted out, and therefore need not be counted for the reporting requirements. However, businesses must obtain affirmative authorization from those consumers to sell such data at a later time. 999.306(e).
  3. Providing a new Do Not Sell icon that can be used in addition to, but not instead of, a Do Not Sell link. 999.306(f).
  4. Clarifying that to be enforceable, a browser or other automated sale opt-out signal must be user-enabled and not set on by default.  999.315(d). Where that is the case, the signal cannot be ignored even if it conflicts with a user’s choice for that business, but rather the conflict has to be presented to the consumer to decide how to proceed. 999.315(d)(2).
  5. Replacing the 90-day lookback (i.e., the requirement to transmit a Do-Not-Sell request to parties to which a business sold PI in the 90 days prior to receipt of a Do-Not-Sell request), with a lookback only for all sales that occurred between the submission of a Do-Not-Sell request and the honoring of that request. 999.315(f).
  6. Noting that agents who submit access, deletion or opt-out requests must present something “signed by the consumer” giving them this authority. 999.315(g) and 999.326(a)(1).

Submission and Verification of Consumer Requests

  1. Clarifying that the verification process need only be described “in general” in the privacy policy. 999.308(c)(1).
  2. Incorporating an amendment to the statute whereby businesses that operate exclusively online and have a direct relationship with a consumer can satisfy the law by offering an email address for submitting access requests. However, such businesses must still provide two designated methods for deletion requests. 999.312(a).
  3. Explaining that a two-step process for submitting deletion requests is allowed, but no longer required. 999.312(d).
  4. Removing the requirement that businesses must treat an unverifiable request to delete as a request to opt out of sales but noting that in such situations businesses do have to ask consumers if they want to opt out of sales and point them to where they can go to opt out. 999.313(b).
  5. Clarifying when consumer requests pertaining to “households” must be honored – namely, when the household (and not an individual consumer living within a household) has a password-protected account with a business. Absent a password-protected household account, a business can only process a household access or deletion request if every member of the household submits a request, is independently verified by the business, and is able to show that they are currently members of that household. 999.318(a).

Responding to Requests 

  1. Clarifying that the right to request access relates to personal information (“PI”) that the business has “collected” about the consumer – not information that the business merely “has” about the consumer. 999.300(g).
  2. Creating new exceptions for access requests that eliminate the need to provide PI that is kept solely for legal or compliance purposes and is not reasonably accessible or searchable and not sold or used for commercial purposes. 999.313(c)(3).
  3. Clarifying that a service provider can disclose information to other service providers and use information it has to improve its services and for the standard legal and compliance uses specified in 1798.145 (a)(1) – (a)(4) of the statute.  However, these permissible uses do not include “building or modifying household or consumer profiles” or “cleaning or augmenting data obtained from another source.” 999.314(c). 
  4. Requiring service providers to respond to access or deletion requests they receive directly from consumers by either acting upon the request or informing the consumer that they cannot act on the request because they are acting as a service provider. 999.314(e).


  1. Clarifying that refusing to delete information that is necessary to participate in a loyalty program that provides discounts is not discriminatory if that information is needed for the program but is discriminatory if the information is NOT needed to operate the program.   
  2. Providing additional guidance on ways a company can calculate the “value” of a consumer’s data, to justify price or service differentials related to CCPA data rights. 999.336 and 999.337. 


  1. Raising the threshold for recordkeeping and transparency requirements to 10,000,00 consumers, up from the 4,000,000 level (per calendar year).

Notably, the verification examples provided still do not help specify what needs to be collected to verify at a “reasonably high” degree of certainty.

Visit this page for more details on the AG’s CCPA rulemaking process, including background documents. After considering comments on the modified Regulations, the AG has the option to make further changes or finalize this modified version.  Once a final version of the regulations are released, they cannot take effect for at least one month, and enforcement cannot begin until July 1.

About The Authors

Ken counsels clients on complex issues involving information privacy and data law, online liability, consumer regulatory and gaming law, including regulatory response, and adherence to self-regulatory guidelines for online advertising. Ken has had more than twenty years of experience in high-profile regulatory, in-house and private practice roles, including as Chief of the New York Attorney General’s Internet Bureau. He is one of the nation’s leading authorities on the relationship between emerging advertising technologies and online privacy.

Jon Frankel has been advising clients on privacy, data security, e-commerce, intellectual property and litigation matters for more than 15 years. Jon provides practical advice to mitigate privacy and data security risks and helps clients navigate a myriad of complex data collection, use and sharing cases. Jon advises on health and children’s privacy; email, SMS and telemarketing; mobile applications; user generated content; contests, promotions, and sweepstakes, online gaming; and requests from law enforcement. Prior to joining ZwillGen, Jon was a partner in the Washington, D.C. office of Bingham McCutchen, LLP, where he co-chaired the Privacy and Security Group.

Anna Hsia maintains a diverse practice litigating complex business disputes and counseling clients on privacy issues. With broad litigation experience in unfair competition, false advertising, class actions, and other complex litigation, Anna guides clients through disputes in federal and state courts. As a Certified Information Privacy Professional, Anna has assisted clients with product development and compliance with privacy regulations such as the TCPA, HIPAA, COPPA, state-specific privacy regulations, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.

Zach Lerner’s practice focuses on a variety of legal matters impacting Internet-based companies. He helps companies in a wide range of industries, including education technology, financial technology, and fantasy sports/skill and chance gaming, with issues related to privacy, data diligence, e-commerce, copyright enforcement, advertising, and regulatory compliance. In addition, he has a deep knowledge of the practical considerations for implementing blockchain and smart contract technology.

Melissa Maalouf’s practice focuses on advising a broad range of clients, from start-ups to established companies, on both U.S. and international data privacy and security issues. Melissa assists clients in drafting appropriate website disclosures, implementing legally-compliant e-commerce flows, responding to FTC Section 5 and state AG enforcement actions, analyzing advertising claims, and children’s online privacy and safety issues. She also regularly helps clients obtain certification under the EU-US Safe Harbor and navigate compliance with divergent international privacy laws.

Kandi counsels clients on privacy and data security issues, online and general advertising, and marketing practices, including COPPA compliance, student privacy, and the Internet of Things. Kandi advises companies on collecting, protecting, and using consumer data and helps them develop and implement comprehensive privacy and security programs. Drawing on her tenure at the FTC, Kandi assists clients in responding to FTC and state AG enforcement actions. Prior to joining ZwillGen, Kandi spent eight years in the FTC’s Division of Privacy and Identity Protection. While at the FTC, Kandi served on detail for six months to the United States Senate, Committee on Commerce, Science, and Transportation.

Marci counsels companies on a wide variety of issues involving privacy, cybersecurity, and information law. She routinely helps companies evaluate and develop corporate privacy and information security programs, and provides advice on matters involving cross-border data transfers, insider threat prevention and detection, cloud computing, and electronic surveillance. Marci also assist clients in responding to data breaches, including issuing breach notifications required under state and federal breach notification laws, advising on remediation efforts, and handling litigation and enforcement actions arising from data security incidents.

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.

Marc is the founder and managing member of ZwillGen PLLC and has been regularly providing advice and counsel on issues related to the increasingly complex laws governing Internet practices, including issues related to Electronic Communications Privacy Act (“ECPA”), the Wiretap and Communication Acts, privacy, CAN-SPAM, FISA, spyware, adware, Internet gambling and adult-oriented content. He also helps Internet Service Providers and other clients comply with their compliance obligations pertaining to the discovery and disclosure of customer and subscriber information.