California AG proposes another draft of modifications to California Consumer Privacy ActMarch 25, 2020
It’s round three. Will this multi-color coded version go for the win?
The California Attorney General (AG) has proposed yet another round of modifications to earlier proposed regulations under Chapter 20 of the California Consumer Privacy Act of 2018 (CCPA), which are generally regarded as minimal and technical, with a few noteworthy exceptions.
The new draft of the proposed revisions came in reaction to the roughly 100 comments the AG’s office received regarding the second draft of the proposed regulations submitted to the AG’s office between February 7, 2020, and February 25, 2020. The first set of modifications was issued on February 10, 2020.
The AG’s original proposed regulations were issued last October, with additional modifications to the proposed rules issued in February. The deadline for comments on the new round of draft modifications to the proposed CCPA regulations is Friday, March 27, at 5:00 PM PDT.
According to legal analysts and observers, the latest proposed modifications to the state’s CCPA law suggests final rules could go into effect before, but at least by the July 1, 2020 deadline required under the CCPA.
“Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes,” observed Glenn A. Brown, of counsel to Squire Patton Boggs (US) LLP, in The National Law Review last week, noting that “it is unclear why the elimination of the section addressing the format of an ‘opt-out button or logo … was erased, given that the CCPA explicitly requires the AG to ‘establish rules and procedures’ for the ‘development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information’ on or before July 1, 2020.”
Similarly, Brown noted that “elimination of the [privacy controls] provision introduced in the prior round of modifications for privacy controls to ‘require that the consumer affirmatively select their choice to opt-out’ and that they not be designed with any pre-selected settings’” may “suggest that the AG expects business to honor privacy controls regardless of whether the pre-selected settings are privacy-protective or not.”
Finally, Brown said, “The new language also resolves an inconsistency between the description of financial incentives in the statute and the definition of the term in the previous version of the proposed regulations.”
Writing in Covington & Burling’s Inside Privacy, Libbie Canter, Lindsey Tonsager, and Alexandra Scott pointed out that “the February draft restated the statutory standard that whether the information is ‘personal information’ depends on whether it is maintained in a manner that is ‘… reasonably capable of being associated or could be reasonably linked …with a particular consumer or household.’”
“It then gave an example that IP…