The California Attorney General has published a third draft of the California Consumer Privacy Act regulations.

Key takeaways:

  • Removes example indicating IP addresses may not be personal information in certain circumstances.
  • Removes suggested opt-out logo or button.
  • Privacy notice must include categories of sources from which the personal information is collected and the purpose for which it was collected.
  • When responding to access requests, indicate you have sensitive information (e.g. biometric information) but don’t provide copies of it.
  • Service providers 1: May retain personal information to process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services.
  • Service providers 2: May also retain personal information for internal use to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.

Read the full text of the draft.