The new draft AG CCPA regulations: Revisiting the ugh-ly bits
Last week, Attorney General Xavier Becerra released the second draft of his California Consumer Privacy Act Regulations. When Becerra released the first draft in October 2019, I wrote a post called the “The California AG's CCPA regs: The good, the ugh and the ugh-ly,” calling out pieces of the regulations that I felt were particularly good or bad.
Upon this first revision, let’s take a look at the “ugh” and “ugh-ly” bits from that post, and see where they stand now.
90-day look-back for DNS requests: Gratefully, this provision has been rolled back. In lieu of having to look back 90 days and inform all the third parties you sold personal information (PI) to that they shouldn’t sell it further, the new draft requires businesses to notify third parties of do-not-sell requests and direct them not to further resell the information. Businesses must do this between the receipt of the request and complying with the request, which has a 15-day deadline.
New requirements for in-person requests: The original regs required businesses that have brick-and-mortar operations to have three methods for consumers to submit DSR requests, as opposed to the two required in CCPA. The new version rolls that back, saying a business that interacts with consumers in-person “shall consider providing an in-person method” (emphasis added) and removes the previous caveat of “even if it requires a business to offer three methods.”
Browser DNT settings are now DNS requests: This requirement lives on unmodified, so businesses that fall under CCPA and don’t currently respond to browser do-not-track settings would need to put a system in place to do that. However, it’s important to note that the removal of the 90-day lookback for DNS does make compliance with the overall process significantly easier.
The document itself: While the regulations are still pretty painful to read, a lot of the language has been cleaned up and some of the ambiguities were clarified. Overall, it’s an improvement upon the last.
Rules for “service providers”: This is a good example of the clarified language I mentioned above. What was once a fairly ambiguous statement saying, essentially, “don’t use data collected to provide services to one organization for services provided to another organization” has been significantly revised and refined — though still open to some interpretation. The provision now outlines the ways service providers can use PI provided them by a business. The regs outline the following appropriate uses:
To provide the services in the contract with the business,
Employing sub-contractors that also meet the service provider requirements,
Improving services as long as that doesn’t mean profiling or augmenting data from another source,
Detecting data security incidents.
The biggest UGH-ly: In my post on the original AG regs, I wrote, “The ugliest thing about this, however, is definitely that we’re not going to see the final version of these regulations until three weeks before CCPA goes into effect — at the earliest.” Silly me. Here we are in February, more than a month past CCPA’s effective date, and we’ve just gotten a second draft. Now we are at the beginning of a 15-day comment period — deadline Feb. 24, 5 pm PST — and counting. So when will we see final regulations? The deadline’s July 1, beyond that I won’t predict.
In sum, many of the ugly bits were addressed and improved upon. And overall, this draft represents an improvement over the first. However, the changes highlighted above are by no means all the changes made in this draft, so stay tuned for more information on this latest version soon. Spoiler alert: We have a button! (Kind of.)