On March 11, California Attorney General (AG) Xavier Becerra released a third version of draft regulations implementing the California Consumer Privacy Act (CCPA). The third draft contains relatively minor changes from the second draft, which was released in February, suggesting that the AG is close to finalizing the regulations, and that enforcement is likely to begin on schedule on July 1, 2020.
Among the changes effected by the new draft:
- Removes the optional use of a button on businesses’ websites to be used by consumers to opt-out of the sale of their personal information.
- Notes a business shall not disclose, in response to a request to know, sensitive types of personal information. A business must, however, “inform the consumer with sufficient particularity that it has collected the type of information.”
- Also states that “a service provider shall not retain, use, or disclose personal information obtained in the course of providing services except…[f]or internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles, to use in providing services to another business, or correcting or augmenting data acquired from another source[.]”
- Removes the restriction on using pre-selected options in privacy controls used to permit a consumer to opt-out of the sale of their personal information.
The Attorney General’s third draft of the regulations will undergo another round of notice and comment. Businesses that want to submit comments must do so by 5:00 p.m. PDT on March 27, 2020. While substantial changes to the regulations are unlikely, businesses should continue to monitor developments from the Attorney General on the implementation and enforcement of the CCPA. The Attorney General’s regulations will likely be finalized this Spring, in advance of the July 1, 2020 enforcement date.
 Specifically, a business shall not, in response to a right to know request, disclose a consumer’s Social Security number, driver’s license number or other government issued identification number, financial account number, any health insurance or medical information number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.