Thought Leadership

A Third Round on the CCPA Carousel

Client Updates

The California Office of the Attorney General ("Attorney General") is rapidly releasing updates to the Proposed Regulations. The first set of updates to the Proposed Regulations were released on February 7, 2020 ("First Modified Proposed Regulations"), and after a 15-day public comment period and the receipt of about 100 comments, the Attorney General released a second set of updates on March 11, 2020 ("Second Modified Proposed Regulations"). There are fewer changes in this round, and most of them consist of minor clarifications. This may indicate that the final regulations, expected in July 2020, will not deviate significantly from the current set of proposed regulations.

The following is a summary of the few key changes in the Second Modified Proposed Regulations:

Collection of Personal Information: The First Modified Proposed Regulations contained a provision for businesses that do not collect personal information directly from consumers but were data brokers engaging in the sale of personal information. Such businesses were not required to provide a notice to the consumer at the time of collection if the businesses registered as a data broker with the Attorney General. The Second Modified Proposed Regulations clarifies that any registered data broker otherwise complying with relevant requirements need not provide a "Notice at Collection." A separate provision was added, though, stating that a business neither collecting information directly from consumers nor selling a consumer's personal information also does not need to provide a "Notice at Collection" to consumers. Finally, the Second Modified Proposed Regulations further clarifies that business collecting only employment-related personal information that provide a "Notice at Collection" is not required to contain a link to the business's privacy policy.

Privacy Policy: The Second Modified Proposed Regulations add to the required disclosures contained in a business's privacy policy. Two requirements that were previously deleted have been added back in: identification of the categories of sources from which a business collects personal information, and identification of the business or commercial purpose for collecting or selling personal information.

Additionally, a business with actual knowledge that it sells personal information from minors under 16 must include in its privacy policy a description of the processes for opting in to that sale.

Sale of Personal Information Graphic: The First Modified Proposed Regulations added a sample opt-out button graphic for businesses to use in conjunction with the required link, but the Attorney General deleted the proposed graphic from the Second Modified Proposed Regulations.

Unverifiable Consumer Requests: A hotly contested topic in the public comments, the Attorney General removed the requirement that a business treat an unverified consumer request to delete as a request to opt-out of the sale of personal information, and the First Modified Proposed Regulations instead required that businesses affirmatively ask the consumer if they would like to opt-out in the event a request is unverifiable. The Second Modified Proposed Regulations has kept this requirement, putting it into a separate provision requiring it to affirmatively ask if the consumer would like to opt-out if the consumer's request to delete is denied for any reason, not limiting it to denials based on verification.

Responding to a Request to Know: Businesses cannot disclose certain confidential information in response to a request to know (e.g., Social Security numbers, government-issued identification numbers, health insurance information, or account passwords). The Second Modified Proposed Regulations clarifies that, in responding to a request to know where the consumer asks for disclosure of specific pieces of information that the business holds on the consumer, the business must instead disclose the type of information held without disclosing the actual information. For example, the business may state that it collected and stores a fingerprint scan of the consumer, but not disclose the actual fingerprint data.

Although these regulations are still not final, the Second Modified Proposed Regulations highlight the key provisions that will likely remain untouched. Public comments for these updates close on March 27, 2020, giving the public another two-week period to reply.

For additional information, or support on your CCPA compliance initiatives, contact Cynthia J. Cole or Matthew Baker in the Baker Botts Privacy and Data Security Group.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit

Related Professionals