CCPA Update: AG Releases 3rd Draft

On Wednesday March 11, 2020, the California Attorney General released the third draft of proposed CCPA regulations (available here) for public comment. This draft contains a series of technical corrections as well as several important changes to the 2nd draft. It should be noted, the limited number of changes signals the rule-making process is nearing the end and enforcement will soon begin.

The following is a summary of key modifications the AG is proposing in the latest draft:

  • Service Providers – The AG revised the exemptions to the general rule that service providers may not retain, use, or disclose personal information obtained in the course of providing services.  First, the AG removed the exemption allowing service providers to perform the services specified in the written contract with the business that provided the personal information.  In its place, the AG added a new exemption: “to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.” This new exemption significantly narrows the ability of a service provider to use personal information to perform services generally, now requiring that the service provider limit the use of personal information “on behalf of the business that provided the personal information.” Second, the AG edited a clause that allowed a service provider to use personal information for internal purposes to build or improve the quality of its services. The AG clarified that the exemption does not allow a service provider to build or modify consumer profiles to use in providing services to another business; or correcting or augmenting data acquired from another source. These clarifications indicate that the AG seeks to limit a service provider from using personal information it obtains through providing a service to develop consumer profiles that it can resell.
  • Removal of Opt-Out Button – In the 2nd draft of the regulations, the AG proposed a standard opt-out button and logo, but the opt-out button came under scrutiny in comments submitted. The comments highlighted usability issues presented by the color and appearance of the AG’s proposed button. They noted the icon looked deceptively like an actual toggle switch, and when combined with its red color, could be misinterpreted as indicating an off-state. In this new version, the AG has removed all references to the opt-out button.
  • Exemption from Notice at Point of Collection – A business that does not collect personal information directly from a consumer is not required to provide a notice at the point of collection if that business will not sell the consumer’s personal information. It is important to keep the CCPA definition of sale in mind when considering this exemption.
  • Guidance on IP Addresses – The AG has removed guidance indicating that an IP address which does not link to a particular consumer or household would not be considered “personal information.” The new draft does not include any new guidance on this, however, leaving the prior guidance as the only interpretation issued by the AG on whether an IP address is “personal information.”
  • Privacy Policy Disclosures – The AG restored language from the first draft of the regulations requiring a business to identify the categories of sources from which personal information is collected and the purpose for collecting or selling the personal information, both in a manner that provides consumers a meaningful understanding of the information disclosed. The new language does not require these disclosures “for each” category of personal information.
  • Sensitive Data Disclosures – The AG proposes that even if a business withholds sensitive data in response to a request to know, the business must still provide a description of the information withheld. For example, a business should not provide an actual social security number, but should state that it holds the consumer’s social security number.
  • Denial of Deletion Request – When a business that sells personal information denies a deletion request, the business must ask the consumer if the consumer wants to opt-out of the sale of their personal information.
  • Definition of a Financial Incentive – The AG has now removed a confusing element of the definition of a financial incentive that had previously indicated a program, benefit, or other offering, including payments to consumers, would be considered a “financial incentive” where a company compensated the disclosure, deletion, or sale of personal information.  The AG clarified a financial incentive relates instead to the collection, retention, or sale of personal information.
  • Annual Privacy Policy Disclosures – The requirement to disclose metrics when a business buys, receives, sells, or shares personal information of more than 10 million consumers in a calendar year will now only apply to businesses that know or should reasonably know that they meet the threshold for such a disclosure.

The deadline to submit written comments to the proposed modifications is March 27, 2020. All written comments must be submitted to the Department no later than 5:00 p.m. on March 27, 2020 by email to, or by mail to the address listed below:

Lisa B. Kim, Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

DPS Advisors will continue to review the draft regulations as we work with our clients to develop guidance on demonstrating compliance with the CCPA. Please contact us if you have any questions, we are happy to help.