Proposed CCPA Regulations Zig-Zag On Logo, Personal Information

Remember a few weeks ago when we said to be on the lookout for a new “Do Not Sell My Information” button that looked like this?

Never mind.

The latest version of the proposed California Consumer Privacy Act (CCPA) regulations, released for comment on March 11, 2020, has struck the prior version’s proposed opt-out button.  But it hasn’t replaced it with a new one.  The latest version of the regulations thus only creates more uncertainty as to how the “Do Not Sell My Information” provisions of the CCPA are to be implemented.  With enforcement scheduled to begin July 1, 2020, time is growing short for clarity on the regulations.

The latest revision has also undone the significant provision added in the prior version that IP addresses not linked to a particular identifiable consumer are not considered “personal information.”  Without that clarification, one is left to wonder whether that suggests that IP addresses unlinked to a particular consumer are nevertheless personal information.

The new version of the proposed regulations does provide some minor further clarification on the content of privacy policies, requiring that both the source and business or commercial purpose for information collected or sold be described in a “manner that provides consumers a meaningful understanding of the information being collected” and why the information is collected or sold.

Other minor modifications have been made to regulations addressing the sale of data of minors; responses to requests to delete; requirements of “service providers;” opt-out control functions; and how data can be valued.

The text of the revised regulations can be found here.

A further comment period is open until March 27, 2020.