CCPA Regulations One Step Closer
The California Attorney General, complying with the terms of the California Consumer Privacy Act (“CCPA”), has released a new draft version of implementing regulations for that Act.
The new draft, which is the third version of the draft regulations, is open for public comment through March 27. The regulations are likely to be final later this year.
The new draft regulations make several minor changes and a few that will be important if enacted as drafted:
- A business that does not collect personal information directly from consumers does not need a CCPA-compliant privacy notice at collection if it also does not sell consumer personal information. This could help many B2B companies in a service provider role.
- CCPA privacy policies must identify the sources of the information they collect, by category. This may require a data mapping exercise for many companies that make only general reference to collection methods.
- CCPA privacy policies must identify the business purpose for collecting regulated information. This is likely to require more specificity in privacy policies than is the norm.
- For sensitive information such as biometric or financial details, the business must disclose to a requesting consumer that it has collected such material (but it may not include a copy of the material in its response to the consumer request).
- If a business that sells consumer information denies a consumer request to delete (under permitted circumstances), it must offer the consumer a right to opt out of sale of the consumer’s information.
- Service providers are given slightly more leeway for processing activities in support of the relationship with a covered business. This may be helpful to B2B providers.