First thoughts on amended proposed CCPA regulations

On February 10, 2020, the California Attorney General issued an amended version of its proposed California Consumer Privacy Act (CCPA) regulations in a redlined format. The redlined regulations are generally favorable to businesses operating in California in that they clarify requirements without imposing significant new ones. Below are changes that are particularly notable.

Mobile applications

The amended regulations address how to make disclosures on mobile applications. This issue was left largely unaddressed in the original regulations, so businesses that offer mobile applications will no longer be left in the dark. Notably, these regulations allow for notices of collection to be provided by including links on the mobile application in specific ways. However, if the data collection through the mobile application is for a “purpose that the consumer would not reasonably expect,” the notice of collection must be provided through a pop-up when the consumer opens the app.

Offline collection

The amended regulations flesh out some of the acceptable methods for providing notices of collection offline, such as by phone or in a retail store. For example, for the first time the regulations explicitly state that notices may be given orally before information is collected over the phone. Further, the amended regulations address in-store data requests, stating that businesses “shall consider” providing some type of in-store method. Options described in the regulations include making a phone available where the consumer may call the company’s phone number and offering an in-store form.

Changes to notice of collection disclosures

The amended regulations soften the mandate regarding disclosing in the Notice of Collection the business purpose for the use of the data, changing from stating that information may not be used “for any purpose other than those disclosed” to “for purpose (sic) materially different than those disclosed.” Similarly, businesses need only seek explicit permission to use information for an undisclosed purpose if the new purpose is “materially different” than what had been previously disclosed. This change means that businesses will have more flexibility to disclose the business purpose for the use of consumer data, as they will not need to be as specific in order to make modest changes to their data use.